<div dir="ltr">Hi Pedro,<div><br></div><div>Thanks for the extra information.</div><div><br></div><div>>> Stian, we use Play Framework in Java</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-08-30 0:15 GMT+10:00 Pedro Igor Silva <span dir="ltr"><<a href="mailto:psilva@redhat.com" target="_blank">psilva@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1.<br>
<br>
Like I said, right now our authz engine is not fully integrated with KC server. However, I think the requirement can be achieved by:<br>
<br>
- Authentication SPI. In this case, you don't necessarily need authz services but just check roles in your authenticator<br>
- Authentication SPI + AuthorizationProvider. I've never tested this (maybe it's time to start looking at it), but in theory you should be able to obtain an AuthorizationProvider from KeycloakSession and use it to perform evaluations.<br>
<br>
For #2, I need to spend some time testing this scenario and documenting our Authorization API for those looking to use our authz engine when extending KC.<br>
<div class="HOEnZb"><div class="h5"><br>
----- Original Message -----<br>
From: "Stian Thorgersen" <<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>><br>
To: "Edouard Kaiser" <<a href="mailto:edouard.kaiser@gmail.com">edouard.kaiser@gmail.com</a>><br>
Cc: "Pedro Igor Silva" <<a href="mailto:psilva@redhat.com">psilva@redhat.com</a>>, "keycloak-user" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
Sent: Monday, August 29, 2016 10:55:36 AM<br>
Subject: Re: [keycloak-user] Authorization at Keycloak level<br>
<br>
Pedro knows more about this, but the code required to do the checks should<br>
be pretty simple. What language and app type do you have?<br>
<br>
On 27 August 2016 at 05:05, Edouard Kaiser <<a href="mailto:edouard.kaiser@gmail.com">edouard.kaiser@gmail.com</a>> wrote:<br>
<br>
> Hi Pedro,<br>
><br>
> Thank you very much for your answer. Unfortunately that's what I was<br>
> afraid of. The problem is, we don't have a classic Java/Servlet application,<br>
> so we can't use any of the Keycloak adapters available.<br>
><br>
> We might have to turn to another solution like Auth0.com which offers an<br>
> integrated authorization plugin, unless we find the courage to write our<br>
> own adapter.<br>
><br>
> Cheers,<br>
><br>
> 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva <<a href="mailto:psilva@redhat.com">psilva@redhat.com</a>>:<br>
><br>
>> Hello Edouard,<br>
>><br>
>> Right now, policy enforcement is only performed on the application side. For<br>
>> that, you need to enable policy enforcement in your keycloak.json as follows:<br>
>><br>
>> {<br>
>> "policy-enforcer": {}<br>
>> }<br>
>><br>
>> For more details, please take a look at [1].<br>
>><br>
>> We don't enforce policies on server-side, at least for now. The user will<br>
>> always be able to log in and be redirected to your application with a<br>
>> code/token.<br>
>><br>
>> @Stian already mentioned some ideas about a deeper integration<br>
>> between KC authentication and authorization services. But for now, what you<br>
>> want is not possible.<br>
>><br>
>> [1] <a href="https://keycloak.gitbooks.io/authorization-services-guide/content/topics/enforcer/overview.html" rel="noreferrer" target="_blank">https://keycloak.gitbooks.io/authorization-services-guide/content/topics/enforcer/overview.html</a><br>
>><br>
>> ----- Original Message -----<br>
>> From: "Edouard Kaiser" <<a href="mailto:edouard.kaiser@gmail.com">edouard.kaiser@gmail.com</a>><br>
>> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
>> Sent: Thursday, August 25, 2016 10:02:32 PM<br>
>> Subject: [keycloak-user] Authorization at Keycloak level<br>
>><br>
>> Hi everyone,<br>
>><br>
>> We discovered Keycloak very recently (pretty impressive tool by the way,<br>
>> congrats to the maintainers!), and we've been trying to configure a very<br>
>> simple authorization at the Keycloak level without success.<br>
>><br>
>> Let me try to sum up what we are trying to achieve in our web-application.<br>
>><br>
>> For a Keycloak Client, we would like to only allow the users with a<br>
>> particular Role to be able to login.<br>
>><br>
>> We thought that to achieve this, we needed to do this:<br>
>> - Authorization enabled on the client<br>
>> - Create a new Role-Based policy on a particular role<br>
>> - Create a Resource Permission to use the previously created Policy<br>
>> - Use this Resource Permission in the Default Resource of the Client<br>
>><br>
>> We use openid-connect, and more specifically Google as the identity<br>
>> provider.<br>
>><br>
>> By doing this, we thought that users without the role, trying to connect<br>
>> to our application through Keycloak, would be redirected to our application<br>
>> with an error of authentication, something like this in the redirection:<br>
>><br>
>> /login/oauthVerify?client_name=OidcClient&error=unauthorized<br>
>> &error_description=You%20are%20not%20allowed%20to%20access%<br>
>> 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8<br>
>><br>
>> Instead, it's like Keycloak does not check the Authorization<br>
>> configuration, it redirects to our webapp with a proper authorization code.<br>
>> Then the application is able to fetch the JWT successfully from the<br>
>> Keycloak token endpoint.<br>
>><br>
>> Did we miss something? Are we trying to solve our issue in the wrong way?<br>
>><br>
>> Thank you all for your help,<br>
>><br>
>> _______________________________________________<br>
>> keycloak-user mailing list<br>
>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
>><br>
><br>
><br>
><br>
</div></div></blockquote></div><br></div>
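<p>Pedro's first option above (an Authentication SPI authenticator that checks roles, so the gate runs inside Keycloak and the non-servlet Play application needs no adapter for it) can look like the following. This is an added example, not code from the thread or from the Keycloak project. It assumes a Keycloak version in which the flow context exposes <code>getAuthenticationSession()</code> (3.3 or later; the 2016-era API used <code>getClientSession()</code> instead), and the package name, provider id <code>require-role</code> and config key <code>required.role</code> are placeholders chosen here.</p>

```java
package example.keycloak; // hypothetical package (assumption, not a Keycloak package)

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/** Factory registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
public class RequireRoleAuthenticatorFactory implements AuthenticatorFactory {
    public static final String ID = "require-role";    // provider id (assumption)
    static final String ROLE_CONFIG = "required.role";  // config key (assumption)
    private static final Authenticator SINGLETON = new RequireRoleAuthenticator();

    @Override public String getId() { return ID; }
    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getDisplayType() { return "Require Role"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return true; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Fails the login unless the user holds the configured realm or client role.";
    }
    // A gate is either enforced or switched off; do not offer ALTERNATIVE/OPTIONAL.
    @Override public Requirement[] getRequirementChoices() {
        return new Requirement[] { Requirement.REQUIRED, Requirement.DISABLED };
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.singletonList(new ProviderConfigProperty(ROLE_CONFIG, "Required role",
                "Realm role name, or a role of the client being logged in to.",
                ProviderConfigProperty.STRING_TYPE, null));
    }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
}

/** Runs once the user is known and stops the flow (no code, no token) when the role is missing. */
class RequireRoleAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // Placed before the user is established: fail closed rather than skip the check.
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String roleName = (cfg == null || cfg.getConfig() == null)
                ? null : cfg.getConfig().get(RequireRoleAuthenticatorFactory.ROLE_CONFIG);
        if (roleName == null || roleName.trim().isEmpty()) {
            // A missing role name is a misconfiguration, not an open gate.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        RoleModel role = resolveRole(context, roleName.trim());
        if (role == null || !user.hasRole(role)) {
            // hasRole() also sees composite roles and roles inherited through groups.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    /** Realm role first; otherwise a role of the client the user is logging in to. */
    private static RoleModel resolveRole(AuthenticationFlowContext context, String name) {
        RealmModel realm = context.getRealm();
        RoleModel role = realm.getRole(name);
        if (role != null) return role;
        ClientModel client = context.getAuthenticationSession().getClient();
        return client == null ? null : client.getRole(name);
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) {}
    @Override public void close() {}
}
```

<p>Because <code>requiresUser()</code> is true, the execution must sit after the step that establishes the user: after the username/password form in a copy of the browser flow, and for the Google-brokered logins in the thread, in the first broker login flow (first visit) and the post broker login flow (later visits), bound to the client's flow overrides if only one client should be gated. When the check fails, Keycloak shows its error page and never redirects with an authorization code, which is the behaviour Edouard expected from the authorization-services configuration. It is a login-time gate only: removing the role from a user does not revoke tokens already issued, so the application should still check the role claim in the token it receives.</p>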