I'm afraid it's too late to include new things for 2.5.
On 13 February 2017 at 12:16, Stefan Schlesinger <sts(a)ono.at> wrote:
Hi Stian,
is this something which could make it into one of the next 2.5 releases (especially because 2.5 should be a version included in Red Hat, IIRC)?
A working integration with mod_auth_openidc would be essential.
Best,
Stefan.
> On 02 Feb 2017, at 07:10, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>
> It should support multi-valued and mapping to an array rather than a comma-separated list.
>
> On 1 February 2017 at 21:06, Stefan Schlesinger <sts(a)ono.at> wrote:
> Hello,
>
> it looks like it's currently not possible to use mod_auth_openidc with Keycloak for authorization of legacy applications. The current workaround described by mod_auth_openidc is to use OpenID Connect for authentication and use the Apache LDAP module for authorization, which is a rather ugly workaround IMHO.
>
> The problem currently is twofold:
>
> 1) One can use mod_auth_openidc to verify claims, but it doesn't come with JSON path support[1], so matching the claims in realm_access.roles isn't possible, only arrays in a flat JSON tree are supported[2].
>
> 2) This wouldn't cause any issues, as Keycloak comes with a User Realm Role mapper, which is able to map roles to a different key (in my example below the key is 'roles').
>
> {
>   "jti": "01667279-a161-47ae-a093-b08643a1b7b5",
>   "exp": 1485977685,
>   …
>   "realm_access": {
>     "roles": [
>       "application_x",
>       "application_y",
>       "uma_authorization"
>     ]
>   },
>   "roles": "[application_x, application_y, uma_authorization]"
> }
>
> The problem with the mapper is that the value of roles is served as a string instead of an array and mod_auth_openidc cannot handle this properly[3].
>
> Btw. the same thing goes for the User Client Role mapper! Which looks like this:
>
> {
>   "client_role": "[login]"
> }
>
> An issue for this has already been created: https://issues.jboss.org/browse/KEYCLOAK-4205
>
> It would be so great to get this fixed in the next release!!
>
> Best,
>
> Stefan.
>
>
> [1] https://groups.google.com/forum/#!topic/mod_auth_openidc/QOMMYeXt5Jc
> [2] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L85
> [3] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L67
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
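To make the failure mode in this thread concrete, here is an added example (written for this page, not code from Keycloak or from mod_auth_openidc) that models the flat "Require claim name:value" check Stefan describes: the claim is looked up by its top-level key only, a string claim must equal the requested value exactly, and an array claim must contain it. Both token payloads are constructed from the one quoted above; `claim_matches`, `require_claim` and `diagnose_roles_claim` are names chosen for this example. Run against the stringified `"roles"` value the mapper emits, the check fails for a role that is plainly present; the same check passes once the claim is a real JSON array, and the nested `realm_access.roles` is unreachable either way because there is no JSON path lookup.

```python
import json

# Constructed sample claims (not real Keycloak tokens). The first mirrors the
# access token quoted in the thread, where the User Realm Role mapper emits
# "roles" as a single string; the second is the multi-valued form asked for.
TOKEN_STRING_ROLES = json.loads("""
{
  "jti": "01667279-a161-47ae-a093-b08643a1b7b5",
  "realm_access": {"roles": ["application_x", "application_y", "uma_authorization"]},
  "roles": "[application_x, application_y, uma_authorization]"
}
""")

TOKEN_ARRAY_ROLES = json.loads("""
{
  "jti": "01667279-a161-47ae-a093-b08643a1b7b5",
  "realm_access": {"roles": ["application_x", "application_y", "uma_authorization"]},
  "roles": ["application_x", "application_y", "uma_authorization"]
}
""")


def claim_matches(claims, name, value):
    """Flat claim check modelled on the behaviour the thread describes:
    top-level key lookup only (no JSON path), a string claim must equal the
    value exactly, an array claim must contain the value as one element.
    Simplified model written for this example, not the module's own code."""
    if name not in claims:
        return False
    claim = claims[name]
    if isinstance(claim, str):
        return claim == value
    if isinstance(claim, list):
        return any(isinstance(item, str) and item == value for item in claim)
    # Objects, numbers and booleans never satisfy a string requirement.
    return False


def require_claim(claims, spec):
    """Evaluate a 'name:value' requirement; the value part may contain ':'."""
    name, sep, value = spec.partition(":")
    if not sep or not name or not value:
        raise ValueError(f"malformed claim requirement: {spec!r}")
    return claim_matches(claims, name, value)


def diagnose_roles_claim(claims, name="roles"):
    """Classify a roles claim: 'array' (usable by the flat check),
    'stringified-list' (the mapper output the thread complains about),
    'string', 'missing' or 'other'."""
    claim = claims.get(name)
    if claim is None:
        return "missing"
    if isinstance(claim, list):
        return "array"
    if isinstance(claim, str):
        stripped = claim.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            return "stringified-list"
        return "string"
    return "other"


if __name__ == "__main__":
    for label, tok in (("string roles", TOKEN_STRING_ROLES),
                       ("array roles", TOKEN_ARRAY_ROLES)):
        print(label,
              diagnose_roles_claim(tok),
              require_claim(tok, "roles:application_x"),
              require_claim(tok, "realm_access.roles:application_x"))
```

The `diagnose_roles_claim` helper is the check worth running against a decoded token before blaming the authorization module: a value that starts with `[` and ends with `]` but is a JSON string is the mapper's stringified list, and no exact-match rule will ever equal a single role name.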