[keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)

Stephane Granger stephane.granger at gmail.com
Fri Apr 7 10:05:30 EDT 2017


Hi,

It would be nice to be able to use ${REALM} in the path field of the policy
enforcer config.

The use case is to simplify (a bit) multi-tenant support. I'm working on a
system to support multiple tenants with many applications. When adding a
tenant, a realm is created in keycloak. Then, the keycloak clients are
added in that realm based on the tenant application selection.
Some of these clients use the authorization support feature and also use
the policy enforcer in their keycloak.config file.

Our system has a small database containing the list of clients for each
application, corresponding basically to the frontend and a backend of
these applications. For each client, we have a client representation
template and an optional resource server representation template. These are
used to create the client configuration under the tenant's realm in
keycloak when adding an application to a client.

There is also an optional policy enforcer field in the db. This one
is used to create the keycloak configuration corresponding to the
realm/client combination. We have a component called keycloak
configuration builder. Its role is to retrieve the client configuration
from keycloak and to add the corresponding policy enforcer. Since we have
a multi-tenant application, the realm is part of the url and therefore ends
up in the path. For example, we have something like this:

{
   "realm":"acme",
   ...
   "policy-enforcer": {
      "paths" : [
          {
             "name" : "Resource name",
             "path" : "/acme/operation/*",
             "methods": [....]
          }
      ]
   }
}

For this application, the policy enforcer config template would look like
this:

"policy-enforcer": {
      "paths" : [
          {
             "name" : "Resource name",
             "path" : "/${REALM}/operation/*",
             "methods": [....]
          }...
      ]
}

It would be a lot simpler if the keycloak policy enforcer could use
${REALM} in the path. Currently, application developers will have to create
their config using keycloak for their development, then extract the policy
enforcer, and replace the realm in the paths with ${REALM}. Our keycloak
configuration builder then has to substitute ${REALM} with the realm.

Thanks,
Stephane
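As an added illustration (not code from the post or from Keycloak) of the substitution step the "keycloak configuration builder" described above has to perform today: the template shape and sample values are constructed, and the realm-name check is an assumption added so that a tenant-supplied realm cannot change the enforced path pattern (e.g. by carrying a `/` or `*`).

```python
import json
import re
from string import Template

# Constructed policy-enforcer template in the shape shown in the post.
# The "methods" entries are sample values, not real Keycloak config.
POLICY_ENFORCER_TEMPLATE = {
    "paths": [
        {"name": "Resource name", "path": "/${REALM}/operation/*",
         "methods": [{"method": "GET"}]},
        {"name": "Admin operations", "path": "/${REALM}/admin/*",
         "methods": [{"method": "POST"}]},
    ]
}

# Assumption: realm names placed into enforced paths must be plain identifiers.
# A realm containing "/" or "*" would widen or redirect the path pattern.
REALM_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def render_policy_enforcer(template: dict, realm: str) -> dict:
    """Return a copy of the template with ${REALM} substituted in every path."""
    if not REALM_RE.match(realm):
        raise ValueError(f"refusing unsafe realm name: {realm!r}")
    rendered = json.loads(json.dumps(template))  # deep copy, template untouched
    for entry in rendered.get("paths", []):
        # substitute() (not safe_substitute) raises KeyError on an unknown
        # placeholder, so a typo such as ${RELM} fails loudly at build time.
        entry["path"] = Template(entry["path"]).substitute(REALM=realm)
    return rendered


def build_client_config(client_config: dict, template: dict) -> dict:
    """Attach the rendered policy enforcer to a client config retrieved from Keycloak.

    The realm is taken from the client config itself, so the enforced paths
    always match the realm the client actually belongs to.
    """
    out = dict(client_config)
    out["policy-enforcer"] = render_policy_enforcer(template, client_config["realm"])
    return out


if __name__ == "__main__":
    # Constructed client config standing in for what Keycloak would return.
    cfg = build_client_config({"realm": "acme", "resource": "acme-backend"},
                              POLICY_ENFORCER_TEMPLATE)
    print(json.dumps(cfg, indent=2))
```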

