Hi,
If I understand your description correctly, this should work. And in
my quick tests, it seems to work. I might not be replicating
your setup perfectly though.
For example, let's imagine we have a setup such that:
Client Policies [] // None
Plan Policies [Foo, Bar]
API Policies [Baz]
This ultimately flattens to a policy chain of:
Caller <-> [ Foo <-> Bar <-> Baz ] <-> API
So if your setup is (N of):
Plan [ Keycloak Auth ]
API [ Authz ]
This should always result in: Keycloak *then* Authz, passing roles as
defined in config.
If that isn't happening then there's a bug. I may need to collect
some more information from you to see whether I can replicate the
issue.
Regards,
Marc
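The flattening and ordering Marc describes above, as an added example that is not Apiman's own code: a small Python simulation in which Client, Plan and API policy lists are concatenated into one chain, every policy in the chain shares one per-request context, and an authorization policy can only see roles that an authentication policy earlier in the chain has written into that context. The policy classes, attribute names, token format and failure codes other than the 10010 quoted in the thread are illustrative assumptions; a real authentication policy would also verify the token's signature.

```python
import base64
import json
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    verb: str
    headers: dict


@dataclass
class Context:
    """Per-request attribute bag shared by every policy in the chain."""
    attributes: dict = field(default_factory=dict)


class PolicyFailure(Exception):
    def __init__(self, failure_code, message):
        super().__init__(message)
        self.failure_code = failure_code


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class BearerAuthPolicy:
    """Stand-in for an authentication policy such as a Keycloak plugin.

    Token format is constructed for this example: an unsigned base64url
    JSON payload with a 'roles' list. Assumed attribute name, not Apiman's.
    """
    ROLES_ATTR = "authenticated.roles"

    def apply(self, request, context):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise PolicyFailure(10001, "Missing bearer token")
        payload = json.loads(_b64url_decode(auth[len("Bearer "):]))
        # Hand the extracted roles to later policies via the shared context.
        context.attributes[self.ROLES_ATTR] = set(payload.get("roles", []))


class AuthorizationPolicy:
    """Stand-in for a path/verb -> required-role authorization policy."""

    def __init__(self, rules):
        # rules: list of (path_regex, verb or "*", required_role)
        self.rules = [(re.compile(p), v, r) for p, v, r in rules]

    def apply(self, request, context):
        roles = context.attributes.get(BearerAuthPolicy.ROLES_ATTR)
        if roles is None:
            # Same failure the thread shows: nothing earlier populated roles.
            raise PolicyFailure(10010, "No roles have been extracted during "
                                "authentication. Make sure the authorization "
                                "policy comes *after* a compatible "
                                "authentication policy in your configuration.")
        for pattern, verb, role in self.rules:
            if pattern.fullmatch(request.path) and verb in ("*", request.verb):
                if role in roles:
                    return
                raise PolicyFailure(10003, f"Role {role!r} required")
        raise PolicyFailure(10003, f"No rule permits {request.verb} {request.path}")


def flatten_chain(client_policies, plan_policies, api_policies):
    """Evaluation order for the request: Client -> Plan -> API."""
    return list(client_policies) + list(plan_policies) + list(api_policies)


def run_chain(chain, request):
    """Apply each policy over one shared context; short-circuit on failure.

    Returns ("ok", sorted roles) or ("fail", failure_code).
    """
    context = Context()
    for policy in chain:
        try:
            policy.apply(request, context)
        except PolicyFailure as e:
            return ("fail", e.failure_code)
    roles = context.attributes.get(BearerAuthPolicy.ROLES_ATTR, ())
    return ("ok", sorted(roles))


def make_token(roles):
    """Constructed, unsigned token for the example; not a real Keycloak JWT."""
    raw = json.dumps({"roles": roles}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def demo():
    token = make_token(["tenant-admin"])
    request = Request("/chassi-tenant-bff/1.0/mytenants", "GET",
                      {"Authorization": "Bearer " + token})
    auth = BearerAuthPolicy()
    authz = AuthorizationPolicy([(r"/chassi-tenant-bff/.*", "GET", "tenant-admin")])
    return {
        # Plan carries authentication, API carries authorization: works.
        "plan_auth_api_authz": run_chain(flatten_chain([], [auth], [authz]), request),
        # Authorization with no authentication anywhere in the chain: 10010.
        "api_authz_only": run_chain(flatten_chain([], [], [authz]), request),
        # Authorization placed before authentication: also 10010.
        "api_authz_then_auth": run_chain(flatten_chain([], [], [authz, auth]), request),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third case is the one worth checking in a real deployment: the chain is a single ordered list, so the failure is about position in that list, not about which entity (Plan or API) owns each policy.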
On 5 August 2017 at 01:21, Stephen Henrie <stephen(a)saasindustries.com> wrote:
My goal is to minimize the amount of Apiman configuration that I need to do by
sharing a single, common authentication Plan using the Keycloak plugin
across all APIs while using an API specific authorization policy for each
individual API.
As such, I am trying to configure a single, global plan within Apiman that
can be used for ensuring authentication policy using the Keycloak plugin
which forwards all of my realm roles. This single plan would be assigned to
all of my APIs in the Org, which would allow me to only have to configure
the Keycloak realm information in one place. Then for each individual API, I
was hoping to add a single Authorization policy plugin configured with
endpoints and paths specific for each API.
Something like
Api1 ---> Keycloak Plan Abc
+---->Authorization Policy (123)
Api2 ---> Keycloak Plan Abc
+---->Authorization Policy (456)
When I do this and call one of the API endpoints, I am getting the following
error:
curl -k -H "Authorization: Bearer $T" https://localhost:9443/apiman-gateway/chassi/chassi-tenant-bff/1.0/mytenants
{
  "type": "Other",
  "failureCode": 10010,
  "responseCode": 0,
  "message": "No roles have been extracted during authentication. Make sure the authorization policy comes *after* a compatible authentication policy in your configuration.",
  "headers": []
}
It would seem that the Keycloak plugin that is configured in the Plan
assigned to the API is not forwarding the realm roles to the Authentication
policy which is also assigned to the same API.
Is this by design? Do the authentication and authorization policies have to
be within the same entity (i.e. Plan, Api, etc.) and not passed out of a plan
to be used by downstream policies? If so, is there another way to configure
plans and policies that will allow me to accomplish my goal?
Thanks in advance!
Stephen
_______________________________________________
Apiman-user mailing list
Apiman-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user