[keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.

Dmitry Telegin dt at acutus.pro
Fri Feb 1 06:30:23 EST 2019


Hello Alexey,

Seems like currently only the first configured CIP is evaluated [1]. With only one CIP, I've been able to get my custom provider working.

I think this is a defect, and suggest that you join us in keycloak-dev under the "Authz services feedback" thread, where we discuss CIPs and Spring Boot among other things (however the issue is not SB-specific).

[1] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java#L365

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 18:47 +0300, Alexey Titorenko wrote:
> Hello guys!
> 
> Can someone please help me with the following problem?
> 
> I need to configure context-based access control for my REST service, where attributes of the protected resources are pushed to the Keycloak server for policy evaluation. The protected service is built on Spring Boot.
> 
> I’ve configured the system and all works fine with the OOTB Claim Information Point provider ‘claims’. But I need a custom one, and this custom CIP is not working. I see from the debug logging that the policy enforcer calls ‘getName()’ and ‘init()’ on my CIP factory, but _never_ calls ‘create()’, and thus never instantiates the CIP.
> 
> Below are the application.properties for Spring Boot and the CIP config file. My custom CIP provider is named ‘document’. I call both /documents/- Get an
> 
> Thank you, 
> Alexey
> 
> application.properties
> ----------------------------------
> svc.name=docs-uma
> server.port = 8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
> 
> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
> 
> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
> 
> logging.level.org.keycloak=DEBUG
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
> 
> # policy enforcer
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
> 
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
> 
> keycloak.policy-enforcer-config.paths[1].name=Document creation
> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
> 
> keycloak.policy-enforcer-config.paths[2].name=Document List
> keycloak.policy-enforcer-config.paths[2].path=/documents
> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>         
> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> keycloak.policy-enforcer-config.paths[3].path=/admin/*
> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
> 
> 
> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> ------------------------------------------------------------------------
> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
> 
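For readers following the thread, here is a minimal custom Claim Information Point in the shape the enforcer expects. This is an added example and not code from either poster or from the Keycloak project: the class name DocumentCIPProviderFactory and its package are taken from the services file quoted above, the provider name "document" matches the claimInformationPointConfig.document[...] entries in the quoted application.properties, and the interface signatures (getName/init/create on the factory, resolve(HttpFacade) on the provider) are assumed from the adapter-core API of that era and should be checked against the Keycloak version in use. The claim names "document.id" and "document.method" are choices made for this example.

```java
// Added example, not code from the thread or from Keycloak itself.
// Assumed API (org.keycloak.adapters.authorization, adapter-core):
//   ClaimInformationPointProviderFactory<C>: getName(), init(PolicyEnforcer),
//                                            create(Map<String,Object>, PolicyEnforcer)
//   ClaimInformationPointProvider:           Map<String, List<String>> resolve(HttpFacade)
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip; // package from the quoted services file

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProviderFactory.DocumentCIPProvider> {

    // The enforcer matches this name against the section key in the path config
    // (claimInformationPointConfig.document[...]); on a mismatch create() is never called.
    @Override
    public String getName() {
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Nothing to prepare. getName() and init() are the two calls the
        // original poster did see in the debug log.
    }

    // Called once per configured path that carries a "document" section; 'config'
    // holds that section's key/value pairs (e.g. uri -> "{request.method}").
    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        return new DocumentCIPProvider(config);
    }

    public static class DocumentCIPProvider implements ClaimInformationPointProvider {
        private final Map<String, Object> config;

        DocumentCIPProvider(Map<String, Object> config) {
            this.config = config;
        }

        // Builds the claims the enforcer pushes to the server with the authorization
        // request. Only request-derived facts are pushed; request headers are not
        // copied in, since the caller controls them.
        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            HttpFacade.Request request = httpFacade.getRequest();
            Map<String, List<String>> claims = new HashMap<>();

            // "document.id" / "document.method" are claim names chosen for this example;
            // server-side policies would reference them by these names.
            String documentId = lastPathSegment(request.getRelativePath());
            if (documentId != null) {
                claims.put("document.id", singleton(documentId));
            }
            claims.put("document.method", singleton(request.getMethod()));

            // Static entries of the config section are pushed as-is, the simplest
            // useful reading of the "document[uri]=..." lines in the quoted config.
            for (Map.Entry<String, Object> entry : config.entrySet()) {
                claims.put("document." + entry.getKey(), singleton(String.valueOf(entry.getValue())));
            }
            return claims;
        }

        // "/documents/42" -> "42"; "/documents" and "/documents/" -> null (collection, no id)
        static String lastPathSegment(String relativePath) {
            if (relativePath == null) {
                return null;
            }
            String trimmed = relativePath.endsWith("/")
                    ? relativePath.substring(0, relativePath.length() - 1)
                    : relativePath;
            int slash = trimmed.lastIndexOf('/');
            if (slash < 0 || slash == trimmed.length() - 1) {
                return null;
            }
            String segment = trimmed.substring(slash + 1);
            return "documents".equals(segment) ? null : segment;
        }

        private static List<String> singleton(String value) {
            List<String> list = new ArrayList<>(1);
            list.add(value);
            return list;
        }
    }
}
```

The factory is registered through the META-INF/services file exactly as in the quoted message. Given Dmitry's observation that the linked adapter version evaluates only the first configured CIP per path, a practical check while testing is to leave the "document" section as the only claimInformationPointConfig entry on a path and confirm in the DEBUG log that create() is now called.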