[keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.

Dmitry Telegin dt at acutus.pro
Fri Feb 1 13:37:21 EST 2019


Cheers, kudos and thumbs up :) Dmitry

On Fri, 2019-02-01 at 16:32 -0200, Pedro Igor Silva wrote:
> I've created https://issues.jboss.org/browse/KEYCLOAK-9478. Dmitry is
> right and I sent a PR with a fix. Tests were also included for custom
> CIPs.
> 
> Regards.
> Pedro Igor
> 
> On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko <titorenko at dtg.technology> wrote:
> > Thank you, guys!
> > 
> > 
> > > On 1 Feb 2019, at 14:35, Dmitry Telegin <dt at acutus.pro> wrote:
> > > 
> > > Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
> > > 
> > > Please see my answer above, I've been able to reproduce the issue and trace it down to the AbstractPolicyEnforcer::getClaims().
> > > 
> > > Dmitry
> > > 
> > > On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
> > >> Hi,
> > >> 
> > >> Could you share the code for your custom CIP, please? Are you sure the factory's name is the same as what you defined in your adapter configuration?
> > >> 
> > >> Regards.
> > >> Pedro Igor
> > >> 
> > >> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko at dtg.technology> wrote:
> > >> 
> > >>> Hello guys!
> > >>> 
> > >>> Can someone please help me with the following problem?
> > >>> 
> > >>> I need to configure context-based access control for my REST service, where attributes of the protected resources are pushed to the Keycloak server for policy evaluation. The protected service is built on Spring Boot.
> > >>> 
> > >>> I’ve configured the system and all works fine with the OOTB Claim Information Point provider ‘claims’. But I need a custom one, and this custom CIP is not working. I see from the debug logging that the policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’, thus never instantiating the CIP.
> > >>> 
> > >>> Below are the application.properties for Spring Boot and the CIP config file. My custom CIP Provider has the ‘document’ name. I call both /documents/- Get an
> > >>> 
> > >>> Thank you,
> > >>> Alexey
> > >>> 
> > >>> application.properties
> > >>> ----------------------------------
> > >>> svc.name=docs-uma
> > >>> server.port = 8085
> > >>> keycloak.realm=DemoApp
> > >>> keycloak.auth-server-url=http://localhost:8180/auth
> > >>> keycloak.ssl-required=external
> > >>> keycloak.resource=docs-svc-uma
> > >>> keycloak.cors=true
> > >>> keycloak.use-resource-role-mappings=true
> > >>> keycloak.verify-token-audience=false
> > >>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> > >>> keycloak.confidential-port=0
> > >>> keycloak.bearer-only=true
> > >>> 
> > >>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> > >>> keycloak.securityConstraints[0].authRoles[0] = user
> > >>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> > >>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
> > >>> 
> > >>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> > >>> keycloak.securityConstraints[1].authRoles[0] = admin
> > >>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> > >>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
> > >>> 
> > >>> logging.level.org.keycloak=DEBUG
> > >>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
> > >>> 
> > >>> # policy enforcer
> > >>> keycloak.policy-enforcer-config.lazy-load-paths=true
> > >>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
> > >>> 
> > >>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> > >>> keycloak.policy-enforcer-config.paths[0].path=/*
> > >>> 
> > >>> keycloak.policy-enforcer-config.paths[1].name=Document creation
> > >>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> > >>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> > >>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
> > >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
> > >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
> > >>> 
> > >>> keycloak.policy-enforcer-config.paths[2].name=Document List
> > >>> keycloak.policy-enforcer-config.paths[2].path=/documents
> > >>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> > >>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
> > >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
> > >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
> > >>> 
> > >>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> > >>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
> > >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
> > >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
> > >>> 
> > >>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> > >>> ------------------------------------------------------------------------
> > >>> 
> > >>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
> > >>> 
> > >>> _______________________________________________
> > >>> keycloak-user mailing list
> > >>> keycloak-user at lists.jboss.org
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> > 

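For readers hitting the same symptom, here is a minimal factory/provider pair of the shape the thread is about. This is an added example, not Alexey's code: only the class name comes from the services file he posted; the method bodies, the claim names and the use of the Keycloak adapter interfaces (ClaimInformationPointProviderFactory, ClaimInformationPointProvider, HttpFacade) as they existed at the time of this thread are assumptions. The one thing to verify first, as Pedro asks, is that getName() returns exactly the key used under claimInformationPointConfig ("document" here).

```java
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

// Registered in META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory.
// getName() must return exactly the key used under claimInformationPointConfig ("document" above);
// a mismatch means the enforcer never calls create() for this factory. (Example code, assumed API.)
public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProvider> {
    @Override
    public String getName() {
        return "document";
    }
    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Called once at startup; nothing to prepare in this example.
    }
    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        // config carries the raw entries from claimInformationPointConfig.document[...],
        // e.g. "uri" -> "{request.method}" exactly as written in the properties file.
        return new DocumentCIPProvider(config);
    }
}

class DocumentCIPProvider implements ClaimInformationPointProvider {
    private final Map<String, Object> config;

    DocumentCIPProvider(Map<String, Object> config) {
        this.config = config;
    }

    // The claims returned here travel to the Keycloak server with the authorization request,
    // so push only the request attributes the policies actually evaluate.
    @Override
    public Map<String, List<String>> resolve(HttpFacade httpFacade) {
        HttpFacade.Request request = httpFacade.getRequest();
        Map<String, List<String>> claims = new HashMap<>();
        claims.put("document-uri", Collections.singletonList(request.getRelativePath()));
        claims.put("document-method", Collections.singletonList(request.getMethod()));
        return claims;
    }
}
```

With logging.level.org.keycloak=DEBUG as in the posted configuration, a working setup logs the factory's getName()/init() at startup and then create() on the first request that matches a path carrying a document[...] entry.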
