[keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.

Pedro Igor Silva psilva at redhat.com
Fri Feb 1 13:32:02 EST 2019


I've created https://issues.jboss.org/browse/KEYCLOAK-9478. Dmitry is right
and I sent a PR with a fix. Tests were also included for custom CIPs.

Regards.
Pedro Igor

On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko <titorenko at dtg.technology>
wrote:

> Thank you, guys!
>
>
> > On 1 Feb 2019, at 14:35, Dmitry Telegin <dt at acutus.pro> wrote:
> >
> > Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
> >
> > Please see my answer above, I've been able to reproduce the issue and
> > trace it down to the AbstractPolicyEnforcer::getClaims().
> >
> > Dmitry
> >
> > On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
> >> Hi,
> >>
> >> Could you share the code for your custom CIP, please ? Are you sure the
> >> factory's name is the same as what you defined in your adapter
> >> configuration ?
> >>
> >> Regards.
> >> Pedro Igor
> >>
> >> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko at dtg.technology>
> >> wrote:
> >>
> >>> Hello guys!
> >>>
> >>> Can someone please help me with the following problem?
> >>>
> >>> I need to configure context-based access control for my REST service, when
> >>> attributes of the protected resources are pushed to the Keycloak server for
> >>> policy evaluation. The protected service is built on Spring Boot.
> >>>
> >>> I’ve configured the system and all works fine with the OOTB Claim Information
> >>> Point provider ‘claims’. But I need a custom one, and this custom CIP is
> >>> not working. I see from the debug logging that the policy enforcer calls
> >>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
> >>> thus never instantiating the CIP.
> >>>
> >>> Below are the application.properties for Spring Boot and the CIP config file. My
> >>> custom CIP Provider has the ‘document’ name. I call both /documents/- Get an
> >>>
> >>> Thank you,
> >>> Alexey
> >>>
> >>> application.properties
> >>> ----------------------------------
> >>> svc.name=docs-uma
> >>> server.port = 8085
> >>> keycloak.realm=DemoApp
> >>> keycloak.auth-server-url=http://localhost:8180/auth
> >>> keycloak.ssl-required=external
> >>> keycloak.resource=docs-svc-uma
> >>> keycloak.cors=true
> >>> keycloak.use-resource-role-mappings=true
> >>> keycloak.verify-token-audience=false
> >>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> >>> keycloak.confidential-port=0
> >>> keycloak.bearer-only=true
> >>>
> >>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> >>> keycloak.securityConstraints[0].authRoles[0] = user
> >>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> >>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
> >>>
> >>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> >>> keycloak.securityConstraints[1].authRoles[0] = admin
> >>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> >>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
> >>>
> >>> logging.level.org.keycloak=DEBUG
> >>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
> >>>
> >>> # policy enforcer
> >>> keycloak.policy-enforcer-config.lazy-load-paths=true
> >>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
> >>>
> >>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> >>> keycloak.policy-enforcer-config.paths[0].path=/*
> >>>
> >>> keycloak.policy-enforcer-config.paths[1].name=Document creation
> >>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> >>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> >>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
> >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
> >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
> >>>
> >>> keycloak.policy-enforcer-config.paths[2].name=Document List
> >>> keycloak.policy-enforcer-config.paths[2].path=/documents
> >>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> >>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
> >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
> >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
> >>>
> >>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> >>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
> >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
> >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
> >>>
> >>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> >>> ------------------------------------------------------------------------
> >>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
>
>
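For readers who land on this thread looking for what a custom Claim Information Point looks like, here is an added example. It is not Keycloak's code and not the factory from the original post; the package and class names are made up. It is written against the adapter API the thread names (ClaimInformationPointProviderFactory, ClaimInformationPointProvider, PolicyEnforcer, HttpFacade) and registered under the name "document", so a path entry with claimInformationPointConfig.document[...] selects it. The enforcer calls getName() and init() once at startup and, once KEYCLOAK-9478 is fixed, create() once per path that references the name, passing that path's document[...] entries as the config map (for the configuration above, {"uri" -> "{request.method}"}). The placeholder handling in evaluate() is the example's own: the built-in "claims" CIP resolves {request.*} expressions itself, and a custom provider has to decide what it emits. Because every value returned from resolve() is pushed to the Keycloak server as a claim the policy evaluates, the provider derives values only from request properties the application itself observes (method, URI) rather than from anything a caller can set freely.

```java
package com.example.cip; // hypothetical package; the thread's own is dtg.plays.iam...

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Factory discovered through java.util.ServiceLoader. To register it, ship a file
 *   META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
 * containing the single line
 *   com.example.cip.DocumentClaimInformationPointProviderFactory
 * The value returned by getName() must match the key used in the adapter config
 * (claimInformationPointConfig.document[...]).
 */
public class DocumentClaimInformationPointProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentClaimInformationPointProvider> {

    @Override
    public String getName() {
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Called once at startup; nothing shared to prepare in this example.
    }

    /**
     * Called once per configured path that references "document". The config map
     * holds that path's document[...] entries, e.g. {"uri" -> "{request.method}"}.
     */
    @Override
    public DocumentClaimInformationPointProvider create(Map<String, Object> config,
                                                        PolicyEnforcer policyEnforcer) {
        return new DocumentClaimInformationPointProvider(config);
    }
}

/** Provider instance for one path; resolve() runs on every request matching it. */
class DocumentClaimInformationPointProvider implements ClaimInformationPointProvider {

    private final Map<String, Object> config;

    DocumentClaimInformationPointProvider(Map<String, Object> config) {
        this.config = config;
    }

    /**
     * Builds the claims the enforcer sends to Keycloak with the authorization request.
     * Each config entry becomes one claim; its value is either a literal or one of the
     * placeholders handled in evaluate(). A config value may be a single string or a
     * collection of strings (one claim with several values).
     */
    @Override
    public Map<String, List<String>> resolve(HttpFacade httpFacade) {
        HttpFacade.Request request = httpFacade.getRequest();
        Map<String, List<String>> claims = new HashMap<>();

        for (Map.Entry<String, Object> entry : config.entrySet()) {
            List<String> values = new ArrayList<>();
            Object raw = entry.getValue();
            if (raw instanceof Collection) {
                for (Object expression : (Collection<?>) raw) {
                    addIfPresent(values, evaluate(String.valueOf(expression), request));
                }
            } else if (raw != null) {
                addIfPresent(values, evaluate(String.valueOf(raw), request));
            }
            if (!values.isEmpty()) {
                claims.put(entry.getKey(), values);
            }
        }
        return claims;
    }

    private static void addIfPresent(List<String> values, String value) {
        if (value != null && !value.isEmpty()) {
            values.add(value);
        }
    }

    /**
     * Example-specific placeholder resolution (an assumption of this example, not the
     * adapter's expression language). Only request properties the server side observes
     * are exposed; anything else is treated as a literal claim value.
     */
    static String evaluate(String expression, HttpFacade.Request request) {
        switch (expression) {
            case "{request.method}":
                return request.getMethod();
            case "{request.uri}":
                return request.getURI();
            case "{request.relativePath}":
                return request.getRelativePath();
            default:
                return expression;
        }
    }
}
```

With the configuration from the thread, a POST to /documents/ would reach the "document" provider created for paths[1] and push the claim uri=POST, which the resource server's policies on the Keycloak side can then evaluate; the claims[test] entry on the same path is handled by the built-in "claims" CIP independently.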