[keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.

Alexey Titorenko titorenko at dtg.technology
Thu Jan 31 10:47:20 EST 2019


Hello guys!

Can someone please help me with the following problem?

I need to configure context-based access control for my REST service, where attributes of the protected resources are pushed to the Keycloak server for policy evaluation. The protected service is built on Spring Boot.

I’ve configured the system and all works fine with the OOTB Claim Information Point provider ‘claims’. But I need a custom one, and this custom CIP is not working. I see from the debug logging that the policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’, and thus never instantiates the CIP.

Below are the application.properties for Spring Boot and the CIP config file. My custom CIP Provider is named ‘document’. I call both /documents/- Get an

Thank you, 
Alexey

application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true

keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/

keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/

logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG

# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public

keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*

keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}

keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}


META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
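For readers following the thread, the following is an added example (not the author's code and not code shipped by Keycloak) of the factory/provider pair the adapter's service-loader registration above points at. The package and factory class name are taken from the post; the class bodies, the provider class, the "document.id" claim and the path pattern are assumptions for illustration. It relies on the adapter contract as I know it: the adapter looks up the factory whose getName() equals the key used under claimInformationPointConfig (here "document"), and the map under that key (here {uri={request.method}}) is what arrives as the config argument of create(). Note that the OOTB ‘claims’ provider resolves placeholders such as {request.method} itself; a custom provider receives those strings raw and must interpret them on its own.

```java
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Custom CIP factory (example implementation, not the poster's code).
 * Registered via META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory.
 * The name returned by getName() must match the key used in
 * keycloak.policy-enforcer-config.paths[n].claimInformationPointConfig.<name>[...].
 */
public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProviderFactory.DocumentCIPProvider> {

    @Override
    public String getName() {
        return "document"; // matches "claimInformationPointConfig.document[uri]=..." in application.properties
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Called once when the enforcer is built. A real implementation could
        // prepare a client for a document store here; nothing is needed for this example.
    }

    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        // "config" is the map under the "document" key for the matched path, e.g. {uri={request.method}}.
        return new DocumentCIPProvider(config);
    }

    /** Resolves claims from the incoming request; these are pushed to Keycloak as claim_token for policy evaluation. */
    public static final class DocumentCIPProvider implements ClaimInformationPointProvider {

        // Hypothetical URL layout: /documents/{id}. Only a conservative id charset is accepted.
        private static final Pattern DOC_PATH = Pattern.compile("^/documents/([A-Za-z0-9-]{1,64})$");

        private final Map<String, Object> config;

        DocumentCIPProvider(Map<String, Object> config) {
            this.config = config == null ? Collections.emptyMap() : config;
        }

        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            Map<String, List<String>> claims = new HashMap<>();
            HttpFacade.Request request = httpFacade.getRequest();

            // Claims are derived only from the request line the server saw, never from
            // client-supplied headers or body, so a caller cannot forge the pushed attributes.
            claims.put("request.method", Collections.singletonList(request.getMethod()));

            Matcher m = DOC_PATH.matcher(request.getRelativePath());
            if (m.matches()) {
                // Example attribute a policy could evaluate against the resource owner (assumed claim name).
                claims.put("document.id", Collections.singletonList(m.group(1)));
            }

            // Echo the raw config value so the policy side can see what was configured
            // (the placeholder string is not expanded here; a real provider would interpret it).
            Object uri = config.get("uri");
            if (uri != null) {
                claims.put("document.config.uri", Collections.singletonList(String.valueOf(uri)));
            }
            return claims;
        }
    }
}
```

Because create() is invoked for each evaluated request with the matched path's config map, the provider should stay stateless and cheap to construct; anything expensive belongs in init(). When debugging a factory whose create() is never reached, the first thing to check is that the config key under claimInformationPointConfig matches getName() exactly and that the key is actually bound into the adapter's path configuration at runtime.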


