
OIDC adapter has to provide HttpPermissionChecker


Description

Example of the original quarkus-keycloak configuration:

quarkus.keycloak.policy-enforcer.claim-information-point.claims.request-uri={request.relativePath}
quarkus.keycloak.policy-enforcer.claim-information-point.claims.request-method={request.method}
quarkus.keycloak.policy-enforcer.lazy-load-paths=true

quarkus.keycloak.policy-enforcer.paths.1.path=/asset-service/resources/tenants
quarkus.keycloak.policy-enforcer.paths.1.methods.1.method=POST
quarkus.keycloak.policy-enforcer.paths.1.methods.1.scopes=tenants:create

quarkus.keycloak.policy-enforcer.paths.10.path=/asset-service/resources/tenants/{tenantId}
quarkus.keycloak.policy-enforcer.paths.10.methods.1.method=PUT
quarkus.keycloak.policy-enforcer.paths.10.methods.1.scopes=tenant:edit
quarkus.keycloak.policy-enforcer.paths.10.methods.2.method=DELETE
quarkus.keycloak.policy-enforcer.paths.10.methods.2.scopes=tenant:delete
quarkus.keycloak.policy-enforcer.paths.11.path=/asset-service/resources/tenants/{tenantId}/disable
quarkus.keycloak.policy-enforcer.paths.11.methods.1.method=PUT
quarkus.keycloak.policy-enforcer.paths.11.methods.1.scopes=tenant:disable
quarkus.keycloak.policy-enforcer.paths.12.path=/asset-service/resources/tenants/{tenantId}/enable
quarkus.keycloak.policy-enforcer.paths.12.methods.1.method=PUT
quarkus.keycloak.policy-enforcer.paths.12.methods.1.scopes=tenant:enable

@dfranssen:

E.g. a Keycloak JavaScript permission using the request-uri. Our path is like /asset-service/resources/tenants/abc, where abc is the tenant name (uriParts[4] in the code below), and we check that the actual authenticated user is part of it. In Keycloak we have a group per tenant (e.g. /abc/users) that the user is put into.

// 'request-uri' is the claim filled from {request.relativePath} in the
// policy-enforcer configuration above.
var attributes = context.getAttributes();
var httpUri = attributes.getValue('request-uri');

// True when the authenticated user belongs to the group "/<tenantId>/users".
function isInTenantGroup(tenantId) {
    var result = false;
    var wanted = "/" + tenantId + "/users";
    var identity = context.getIdentity();
    var userGroups = identity.getAttributes().getValue('user-groups');
    if (userGroups !== null) {
        for (var i = 0; i < userGroups.size(); i++) {
            if (wanted === userGroups.asString(i)) {
                result = true;
                break;
            }
        }
    }
    return result;
}

if (httpUri) {
    // "/asset-service/resources/tenants/abc".split('/') gives
    // ['', 'asset-service', 'resources', 'tenants', 'abc'], so index 4 is the tenant.
    var uriParts = httpUri.asString(0).split('/');
    if (isInTenantGroup(uriParts[4])) {
        $evaluation.grant();
    }
}

Implementation ideas

The adapter has to introspect a scope claim (or a Keycloak-specific claim - in this case we should have a claim name configured to avoid tying the adapter to KC - though we can do it later). A PolicyEnforcer configuration group can be introduced if needed.
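As an added example (not code from the issue, from Keycloak or from Quarkus), here is a stand-alone JavaScript version of the tenant-membership check quoted above that derives the tenant id by matching the request path against the configured path template instead of reading a fixed array index, so a request whose path does not follow the template is denied rather than matched by accident. The template constant and the "/<tenant>/users" group layout are assumptions taken from the configuration and comment shown in the issue.

```javascript
// Path template as configured for paths.10 in the issue (assumed here).
const TENANT_PATH_TEMPLATE = "/asset-service/resources/tenants/{tenantId}";

// Align the request path with the template segment by segment and return the
// {tenantId} segment, or null when the path does not match (too short, a
// literal segment differs, empty id, undecodable or slash-containing id).
function extractTenantId(relativePath, template = TENANT_PATH_TEMPLATE) {
  const pathParts = relativePath.split("?")[0].split("/");
  const tmplParts = template.split("/");
  if (pathParts.length < tmplParts.length) return null;
  let tenantId = null;
  for (let i = 0; i < tmplParts.length; i++) {
    if (tmplParts[i] === "{tenantId}") {
      try {
        tenantId = decodeURIComponent(pathParts[i]);
      } catch (e) {
        return null; // malformed percent-encoding
      }
    } else if (tmplParts[i] !== pathParts[i]) {
      return null; // literal segment mismatch
    }
  }
  // An empty or slash-containing id would build an unintended group path.
  if (!tenantId || tenantId.includes("/")) return null;
  return tenantId;
}

// Same rule as isInTenantGroup in the issue: the user must be a member of the
// group "/<tenantId>/users". userGroups is a plain array of group paths here.
function isInTenantGroup(tenantId, userGroups) {
  const wanted = "/" + tenantId + "/users";
  return Array.isArray(userGroups) && userGroups.includes(wanted);
}

// Decision for one request: grant only when the path matches the template AND
// the authenticated user belongs to that tenant's group.
function evaluateTenantAccess(relativePath, userGroups) {
  const tenantId = extractTenantId(relativePath);
  return tenantId !== null && isInTenantGroup(tenantId, userGroups);
}
```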

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 51 (41 by maintainers)

Top GitHub Comments

1 reaction
sberyozkin commented, Oct 20, 2019

@pedroigor Hi Pedro, it is pulled in from somewhere in the dev mode I guess, @gsmet - do you know why? IMHO, it should not block the PR, we can have a follow-up issue (fix for the dev mode, etc). It all looks good to me, the configuration example. Please rename the module as you’ve suggested above (hope Stian @stianst would be OK with it).

@dfranssen FYI, as Pedro said, you will be able to get all the information about the token from JsonWebToken which can be either directly injected or accessed via Quarkus SecurityIdentity - we will be updating the docs. And indeed as Pedro mentioned, we’ll definitely proceed with something interesting with new annotations related to the claim-based authorization concept. It is just that the adapter stabilization is more of the immediate priority 😃

Thanks

1 reaction
pedroigor commented, Oct 18, 2019

@dfranssen it should be able to replace config properties by setting system properties. I guess the behavior is the same when using quarkus.profile.
