[keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.

Dmitry Telegin dt at acutus.pro
Fri Feb 1 06:35:48 EST 2019


Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)

Please see my answer above, I've been able to reproduce the issue and trace it down to the AbstractPolicyEnforcer::getClaims().

Dmitry

On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
> Hi,
> 
> Could you share the code for your custom CIP, please? Are you sure the
> factory's name is the same as what you defined in your adapter
> configuration?
> 
> Regards.
> Pedro Igor
> 
> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko at dtg.technology>
> wrote:
> 
> > Hello guys!
> > 
> > Can someone help me please with the following problem?
> > 
> > I need to configure context based access control for my REST-service, when
> > attributes of the protected resources are pushed to Keycloak server for
> > policy evaluation. Protected service is built on Spring Boot.
> > 
> > I’ve configured the system and all works fine with OOTB Claim Information
> > Point provider ‘claims’. But I need a custom one. And this custom CIP is
> > not working. I see from the debug logging, that policy enforcer calls
> > ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
> > thus, never instantiates the CIP.
> > 
> > Below are application.properties for Spring boot and CIP config file. My
> > custom CIP Provider has ‘document’ name. I call both /documents/- Get an
> > 
> > Thank you,
> > Alexey
> > 
> > application.properties
> > ----------------------------------
> > svc.name=docs-uma
> > server.port = 8085
> > keycloak.realm=DemoApp
> > keycloak.auth-server-url=http://localhost:8180/auth
> > keycloak.ssl-required=external
> > keycloak.resource=docs-svc-uma
> > keycloak.cors=true
> > keycloak.use-resource-role-mappings=true
> > keycloak.verify-token-audience=false
> > keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> > keycloak.confidential-port=0
> > keycloak.bearer-only=true
> > 
> > keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> > keycloak.securityConstraints[0].authRoles[0] = user
> > keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> > keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
> > 
> > keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> > keycloak.securityConstraints[1].authRoles[0] = admin
> > keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> > keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
> > 
> > logging.level.org.keycloak=DEBUG
> > 
> > logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
> > 
> > # policy enforcer
> > keycloak.policy-enforcer-config.lazy-load-paths=true
> > keycloak.policy-enforcer-config.on-deny-redirect-to=/public
> > 
> > keycloak.policy-enforcer-config.paths[0].name=Public Resources
> > keycloak.policy-enforcer-config.paths[0].path=/*
> > 
> > keycloak.policy-enforcer-config.paths[1].name=Document creation
> > keycloak.policy-enforcer-config.paths[1].path=/documents/*
> > keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> > 
> > keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
> > 
> > keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
> > 
> > keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
> > 
> > keycloak.policy-enforcer-config.paths[2].name=Document List
> > keycloak.policy-enforcer-config.paths[2].path=/documents
> > keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> > 
> > keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
> > 
> > keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
> > 
> > keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
> > 
> > keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> > keycloak.policy-enforcer-config.paths[3].path=/admin/*
> > 
> > keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
> > 
> > keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
> > 
> > 
> > 
> > META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> > ------------------------------------------------------------------------
> > 
> > dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
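To make the factory lifecycle Alexey describes concrete (getName() and init() on the factory, then create() once per enforced path that configures the CIP, and resolve() on the provider for each request), here is an added example of a custom "document" Claim Information Point in Java. It is not code from this thread or from the Keycloak project. It assumes the adapter SPI shape of the Keycloak Java adapters of that period: org.keycloak.adapters.authorization.cip.spi.ClaimInformationPointProviderFactory with getName/init/create, ClaimInformationPointProvider with resolve(HttpFacade), and a config map that carries the document[...] entries of the path. The package name, the in-memory document table and the claim names are constructed for illustration.

```java
// Added example (not from the thread or from Keycloak): a custom "document" CIP.
// Assumed SPI: org.keycloak.adapters.authorization.cip.spi.* of the Keycloak Java
// adapters of early 2019; package name and sample data are constructed.
package demo.cip;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.authorization.cip.spi.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.cip.spi.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.spi.HttpFacade;

public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProviderFactory.DocumentCIPProvider> {

    /** Constructed sample of server-side document metadata, keyed by document id. */
    private static final Map<String, Map<String, String>> DOCUMENTS = new HashMap<>();
    static {
        DOCUMENTS.put("42", document("alice", "internal"));
        DOCUMENTS.put("43", document("bob", "confidential"));
    }

    private static Map<String, String> document(String owner, String classification) {
        Map<String, String> attrs = new HashMap<>();
        attrs.put("owner", owner);
        attrs.put("classification", classification);
        return attrs;
    }

    @Override
    public String getName() {
        // Looked up against the key used in the adapter config:
        // keycloak.policy-enforcer-config.paths[N].claimInformationPointConfig.document[...]
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Called once when the enforcer loads the factory; nothing to prepare here.
    }

    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        // 'config' carries the document[...] entries of the path being enforced,
        // e.g. {"uri": "{request.uri}"} for document[uri]={request.uri}.
        return new DocumentCIPProvider(config);
    }

    public static class DocumentCIPProvider implements ClaimInformationPointProvider {
        /** Per-path options from the adapter config; kept for providers that need them. */
        private final Map<String, Object> config;

        DocumentCIPProvider(Map<String, Object> config) {
            this.config = config;
        }

        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            HttpFacade.Request request = httpFacade.getRequest();
            Map<String, List<String>> claims = new HashMap<>();

            // Claims pushed from here are trusted by the server-side policies, so they
            // are derived from the request line and the service's own document store,
            // never from client-supplied headers or body fields.
            claims.put("request.method", Collections.singletonList(request.getMethod()));
            claims.put("request.uri", Collections.singletonList(request.getURI()));

            String documentId = documentIdFrom(request.getRelativePath());
            Map<String, String> document = documentId == null ? null : DOCUMENTS.get(documentId);
            if (document != null) {
                claims.put("document.id", Collections.singletonList(documentId));
                for (Map.Entry<String, String> attr : document.entrySet()) {
                    claims.put("document." + attr.getKey(),
                            Collections.singletonList(attr.getValue()));
                }
            }
            return claims;
        }

        /** Extracts {id} from /documents/{id}; returns null for /documents or other paths. */
        static String documentIdFrom(String relativePath) {
            String prefix = "/documents/";
            if (relativePath == null || !relativePath.startsWith(prefix)) {
                return null;
            }
            String rest = relativePath.substring(prefix.length());
            int slash = rest.indexOf('/');
            String id = slash < 0 ? rest : rest.substring(0, slash);
            return id.isEmpty() ? null : id;
        }
    }
}
```

The factory is discovered through java.util.ServiceLoader, which only finds it if the file under META-INF/services is named exactly after the fully-qualified name of the interface the factory implements; checking that file name against the interface's package in the adapter version actually on the classpath is the first thing to verify when getName() and init() run but create() never does, alongside Pedro's point that getName() must return the same key as the claimInformationPointConfig entry. A useful check before blaming the enforcer is a plain unit test that calls resolve() with a stubbed HttpFacade for GET /documents/42 and asserts that document.owner resolves to alice.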