[keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)

Pedro Igor Silva psilva at redhat.com
Fri Apr 7 11:00:06 EDT 2017


Hi Stephane,

Interesting use case. But we do support patterns in paths? Or are you
having some issue when including them in your paths?

In that example, if you send a request to "/acme/operation/echo" it should
match "{REALM}/operation/*".

Regards.
Pedro Igor

On Fri, Apr 7, 2017 at 11:05 AM, Stephane Granger <
stephane.granger at gmail.com> wrote:

> Hi,
>
> It would be nice to be able to use ${REALM} in the path field of the policy
> enforcer config.
>
> The use case is to simplify (a bit) multi tenant support. I'm working on a
> system to support multiple tenants with many applications.  When adding a
> tenant, a realm is created in keycloak. Then, the keycloak clients are
> added in that realm based on the tenant application selection.
> Some of these clients use the authorization support feature and also use
> policy enforcer in their keycloak.config file.
>
> Our system has a small database containing the list of clients for each
> application, corresponding basically to the frontend and a backend of
> these applications.  For each client, we have a client representation
> template, an optional resource server representation template. These are
> used to create the client configuration under the tenant's realm in
> keycloak when adding an application to a client.
>
> There is also an optional policy enforcer field in the db.  This one
> is used to create the keycloak configuration corresponding to the
> realm/client combination.  We have a component called keycloak
> configuration builder.  Its role is to retrieve the client configuration
> from keycloak and to add the corresponding policy enforcer. Since we have
> multi tenant application, the realm is part of the url and therefore ends
> up in the path.  For example, we have something like this:
>
> {
>    "realm":"acme",
>    ...
>    "policy-enforcer": {
>       "paths" : [
>           {
>              "name" : "Resource name",
>              "path" : "/acme/operation/*",
>              "methods": [....]
>           }
>       ]
>    }
> }
>
> For this application, the policy enforcer config template would look like
> this:
>
> "policy-enforcer": {
>       "paths" : [
>           {
>              "name" : "Resource name",
>              "path" : "/${REALM}/operation/*",
>              "methods": [....]
>           }...
>       ]
> }
>
> It would be a lot simpler if the keycloak policy enforcer could use
> ${REALM} in the path.  Currently, application developers will have to create
> their config using keycloak for their development, then extract the policy
> enforcer, and replace the realm in the paths with ${REALM}. Our keycloak
> configuration builder then has to substitute ${REALM} with the realm.
>
> Thanks,
> Stephane


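The substitution step described in the quoted message for the configuration builder, as an added example that is not part of the original thread and is not Keycloak code. The function name, the allowed realm-name pattern and the sample client configuration are assumptions; the template follows the shape quoted above, with the elided "methods" list left out.

```python
import copy
import json
import re

# Assumption: tenant realm names are limited to this conservative set, so a
# substituted name cannot add path separators, wildcards or "{...}" patterns
# that would change which requests the enforcer path covers.
REALM_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")
PLACEHOLDER = "${REALM}"

# Constructed template, following the shape quoted in the thread.
TEMPLATE = json.loads("""
{
  "policy-enforcer": {
    "paths": [
      {"name": "Resource name", "path": "/${REALM}/operation/*"}
    ]
  }
}
""")


def render_policy_enforcer(client_config, template, realm):
    """Return a copy of client_config with the template's policy enforcer
    added and ${REALM} replaced by the realm in every path."""
    if not REALM_NAME.fullmatch(realm):
        raise ValueError(f"realm name not allowed in enforcer paths: {realm!r}")
    if client_config.get("realm") != realm:
        raise ValueError("client configuration belongs to a different realm")
    enforcer = copy.deepcopy(template["policy-enforcer"])
    for entry in enforcer.get("paths", []):
        entry["path"] = entry["path"].replace(PLACEHOLDER, realm)
        if "${" in entry["path"]:
            # Any placeholder other than ${REALM} would reach the adapter verbatim.
            raise ValueError(f"unresolved placeholder in path: {entry['path']!r}")
    merged = copy.deepcopy(client_config)
    merged["policy-enforcer"] = enforcer
    return merged


if __name__ == "__main__":
    # Constructed client configuration standing in for the one fetched from Keycloak.
    config = {"realm": "acme", "resource": "echo-backend"}
    print(json.dumps(render_policy_enforcer(config, TEMPLATE, "acme"), indent=2))
```

Rejecting realm names outside the allowed pattern keeps a tenant-chosen name from turning the rendered path into a broader pattern than the template author wrote.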