[keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)

Stephane Granger stephane.granger at gmail.com
Fri Apr 7 11:15:35 EDT 2017


Thanks a lot for the very quick reply, Pedro Igor!

It does work and actually solves the corresponding problem I had when adding
the resource server representation to the client configuration!

2 birds with one stone!

Thanks again,
Stephane



2017-04-07 15:00:06 +0000 Pedro Igor Silva <psilva at redhat.com> :

> Hi Stephane,
>
> Interesting use case. But we do support patterns in paths ? Or are you
> having some issue when including them in your paths ?
>
> In that example, if you send a request to "/acme/operation/echo" it should
> match "{REALM}/operation/*".
>
> Regards.
> Pedro Igor
>
> On Fri, Apr 7, 2017 at 11:05 AM, Stephane Granger <
> stephane.granger at gmail.com> wrote:
>
>> Hi,
>>
>> It would be nice to be able to use ${REALM} in the path field of the
>> policy
>> enforcer config.
>>
>> The use case is to simplify (a bit) multi tenant support. I'm working on a
>> system to support multiple tenants with many applications.  When adding a
>> tenant, a realm is created in keycloak. Then, the keycloak clients are
>> added in that realm based on the tenant application selection.
>> Some of these clients use the authorization support feature and also use
>> policy enforcer in their keycloak.config file.
>>
>> Our system has a small database containing the list of clients for each
>> application, corresponding basically to the frontend and a backend of
>> these applications.  For each client, we have a client representation
>> template, an optional resource server representation template. These are
>> used to create the client configuration under the tenant's realm in
>> keycloak when adding an application to a client.
>>
>> There is also an optional policy enforcer field in the db.  This one
>> is used to create the keycloak configuration corresponding to the
>> realm/client combination.  We have a component called keycloak
>> configuration builder.  Its role is to retrieve the client configuration
>> from keycloak and to add the corresponding policy enforcer. Since we have a
>> multi-tenant application, the realm is part of the URL and therefore ends
>> up in the path.  For example, we have something like this:
>>
>> {
>>    "realm":"acme",
>>    ...
>>    "policy-enforcer": {
>>       "paths" : [
>>           {
>>              "name" : "Resource name",
>>              "path" : "/acme/operation/*",
>>              "methods" : [....]
>>           }
>>       ]
>>    }
>> }
>>
>> For this application, the policy enforcer config template would look like
>> this:
>>
>> "policy-enforcer": {
>>       "paths" : [
>>           {
>>              "name" : "Resource name",
>>              "path" : "/${REALM}/operation/*",
>>              "methods" : [....]
>>           }...
>>         ]
>> }
>>
>> It would be a lot simpler if the keycloak policy enforcer could use
>> ${REALM} in the path.  Currently, application developers will have to
>> create their config using keycloak for their development, then extract the
>> policy enforcer, and replace the realm in the paths with ${REALM}. Our
>> keycloak configuration builder then has to substitute ${REALM} with the
>> realm.
>>
>> Thanks,
>> Stephane
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
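As an added illustration, not code from the thread and not Keycloak's own policy enforcer, the Python below re-implements the two approaches discussed above: the runtime placeholder Pedro points at (`{REALM}` standing for one path segment, `*` for the remainder; these semantics are assumed from his reply, not taken from Keycloak's PathMatcher) and the builder-side substitution of `${REALM}` that Stephane describes. The configs are constructed to resemble the snippet in the thread. It also makes visible the check a practitioner would want: a bare `{REALM}` placeholder matches any segment, so a path entry on its own does not tie a request to the tenant the config was written for; either the placeholder is bound to the configured realm at match time or the builder renders a concrete path.

```python
import json
import re

# Constructed sample config, modelled on the snippet in the thread (not a real deployment).
# Runtime-placeholder style: a bare {REALM} in the path, resolved per request.
ENFORCER_CONFIG = json.loads("""
{
  "realm": "acme",
  "policy-enforcer": {
    "paths": [
      {"name": "Operations", "path": "/{REALM}/operation/*", "methods": ["GET", "POST"]},
      {"name": "Admin", "path": "/{REALM}/admin/*", "methods": ["GET"]}
    ]
  }
}
""")

# Builder style from the thread: a ${REALM} token replaced before the config is deployed.
ENFORCER_TEMPLATE = json.loads("""
{
  "realm": "${REALM}",
  "policy-enforcer": {
    "paths": [
      {"name": "Operations", "path": "/${REALM}/operation/*", "methods": ["GET", "POST"]}
    ]
  }
}
""")


def template_to_regex(path_template):
    """Compile a path pattern to an anchored regex.

    Assumed semantics (taken from the reply above, not from Keycloak's PathMatcher):
    '{NAME}' matches exactly one path segment and is captured under NAME,
    '*' matches the remainder of the path, everything else is literal text.
    """
    parts = []
    for seg in path_template.split("/"):
        if seg == "*":
            parts.append(".*")
        elif seg.startswith("{") and seg.endswith("}"):
            parts.append("(?P<%s>[^/]+)" % seg[1:-1])
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def match_path(config, request_path, method, realm=None):
    """Return the name of the first path entry protecting request_path, or None.

    An entry without a "methods" list applies to every method (assumption).
    If realm is given, a {REALM} placeholder must resolve to exactly that realm;
    without it the placeholder accepts any segment, so a request under another
    tenant's prefix is still matched by this entry.
    """
    for entry in config["policy-enforcer"]["paths"]:
        m = template_to_regex(entry["path"]).match(request_path)
        if not m:
            continue
        methods = entry.get("methods")
        if methods and method not in methods:
            continue
        captured = m.groupdict().get("REALM")
        if realm is not None and captured is not None and captured != realm:
            continue
        return entry["name"]
    return None


def render_template(template, realm):
    """The 'configuration builder' step from the thread: substitute ${REALM}
    into a copy of the template so the deployed config carries concrete paths."""
    rendered = json.loads(json.dumps(template))  # cheap deep copy
    rendered["realm"] = realm
    for entry in rendered["policy-enforcer"]["paths"]:
        entry["path"] = entry["path"].replace("${REALM}", realm)
    return rendered


if __name__ == "__main__":
    print(match_path(ENFORCER_CONFIG, "/acme/operation/echo", "GET"))           # Operations
    print(match_path(ENFORCER_CONFIG, "/other/operation/echo", "GET"))          # Operations (any realm)
    print(match_path(ENFORCER_CONFIG, "/other/operation/echo", "GET", "acme"))  # None
    rendered = render_template(ENFORCER_TEMPLATE, "acme")
    print(rendered["policy-enforcer"]["paths"][0]["path"])                      # /acme/operation/*
    print(match_path(rendered, "/other/operation/echo", "GET"))                 # None
```

The second and third calls are the point of the exercise: the same `{REALM}` entry matches `/other/operation/echo` until the placeholder is bound to the configured realm, whereas the rendered template produces a literal `/acme/operation/*` and rejects the other tenant's path without any extra argument. Whichever style is used, the realm the enforcer is deployed for must also be what decides the match, not just the shape of the path.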

