[keycloak-user] Apache auth_openidc_module and Policy enforcer

Pedro Igor Silva psilva at redhat.com
Wed Feb 7 11:18:58 EST 2018


Hi,

It is not. But this doc [1] shows how to enforce access based on claims.
Permissions granted by Keycloak are basically within a claim in the access
token (the so-called RPT). But I guess you have looked at this option already and
it does not work for you.

Regards.
Pedro Igor
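
The claim check described in the reply above, as an added example that is not part of the original thread or Keycloak's own code: it reads the `authorization.permissions` claim of an RPT and decides access per resource and scope. The claim field names (`rsid`, `rsname`, `scopes`), the sample payload and all function names are assumptions, and the token's signature is assumed to have been verified already by the component in front.

```python
import base64
import json
import time

# Constructed RPT payload; the authorization.permissions layout (rsid, rsname,
# scopes) is an assumption and may differ between Keycloak releases.
SAMPLE_CLAIMS = {
    "exp": 4102444800,  # constructed expiry: 2100-01-01
    "authorization": {"permissions": [
        {"rsid": "constructed-id-1", "rsname": "reports", "scopes": ["view"]},
        {"rsid": "constructed-id-2", "rsname": "admin-console"},
    ]},
}


def make_unsigned_token(claims):
    """Build a constructed header.payload.signature string for the demo."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256"}), b64(claims), "constructed-signature"])


def decode_payload(token):
    """Return the claims of a JWT whose signature was ALREADY verified upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def is_permitted(claims, resource, scope=None, now=None):
    """Fail closed: expired token, missing claim or missing scope all deny."""
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False
    auth = claims.get("authorization")
    perms = auth.get("permissions") if isinstance(auth, dict) else None
    if not isinstance(perms, list):
        return False
    for perm in perms:
        if not isinstance(perm, dict) or perm.get("rsname") != resource:
            continue
        scopes = perm.get("scopes")
        if scope is None or (isinstance(scopes, list) and scope in scopes):
            return True
    return False
```

A permission entry without a `scopes` list is treated here as granting no specific scope, which is a deliberately strict choice of this example.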



On Wed, Feb 7, 2018 at 1:54 PM, Guse, Christoph <Christoph.Guse at viega.de>
wrote:

> Hi everybody,
>
> We currently did a proof of concept using Keycloak and we are very sure to
> fulfill the requirements using Keycloak. Thanks a lot for your work!
>
> At the moment I am trying to use Apache with Keycloak using the
> auth_openidc_module. The redirect to Keycloak works but I’m wondering if it
> is possible to use the Authorization (Resources / Policies / Permissions)
> feature with auth_openidc_module. I would like to be able to configure the
> Apache resource authorization in Keycloak.
>
> We already managed to use Authorization in our Spring-Boot applications
> and we had to switch on the Policy Enforcer to use Authorization.
> Unfortunately I did not find this option in the configuration of
> auth_openidc_module in the documentation. In this documentation the
> authorization is configured in httpd.conf in the <Location> sections.
>
> Is Authorization available in auth_openidc_module?
>
> Cheers,
> Christoph

