Dmitry is right and I sent a PR with a fix. Tests were also included for custom CIPs.

Regards.
Pedro Igor
On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko <titorenko(a)dtg.technology> wrote:
Thank you, guys!
> On 1 Feb 2019, at 14:35, Dmitry Telegin <dt(a)acutus.pro> wrote:
>
> Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
>
> Please see my answer above, I've been able to reproduce the issue and
> trace it down to the AbstractPolicyEnforcer::getClaims().
>
> Dmitry
>
> On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
>> Hi,
>>
>> Could you share the code for your custom CIP, please? Are you sure the
>> factory's name is the same as what you defined in your adapter
>> configuration?
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology> wrote:
>>
>>> Hello guys!
>>>
>>> Can someone help me please with the following problem?
>>>
>>> I need to configure context-based access control for my REST service, where
>>> attributes of the protected resources are pushed to the Keycloak server for
>>> policy evaluation. The protected service is built on Spring Boot.
>>>
>>> I’ve configured the system and all works fine with the OOTB Claim Information
>>> Point provider ‘claims’. But I need a custom one, and this custom CIP is
>>> not working. I see from the debug logging that the policy enforcer calls
>>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
>>> thus never instantiates the CIP.
>>>
>>> Below are application.properties for Spring Boot and the CIP config file. My
>>> custom CIP Provider has the name ‘document’. I call both /documents/- Get an
>>>
>>> Thank you,
>>> Alexey
>>>
>>> application.properties
>>> ----------------------------------
>>> svc.name=docs-uma
>>> server.port = 8085
>>> keycloak.realm=DemoApp
>>> keycloak.auth-server-url=http://localhost:8180/auth
>>> keycloak.ssl-required=external
>>> keycloak.resource=docs-svc-uma
>>> keycloak.cors=true
>>> keycloak.use-resource-role-mappings=true
>>> keycloak.verify-token-audience=false
>>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>>> keycloak.confidential-port=0
>>> keycloak.bearer-only=true
>>>
>>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
>>> keycloak.securityConstraints[0].authRoles[0] = user
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
>>>
>>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
>>> keycloak.securityConstraints[1].authRoles[0] = admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>>>
>>> logging.level.org.keycloak=DEBUG
>>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>>
>>> # policy enforcer
>>> keycloak.policy-enforcer-config.lazy-load-paths=true
>>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>>
>>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>>> keycloak.policy-enforcer-config.paths[0].path=/*
>>>
>>> keycloak.policy-enforcer-config.paths[1].name=Document creation
>>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
>>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>>>
>>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>>>
>>> keycloak.policy-enforcer-config.paths[2].name=Document List
>>> keycloak.policy-enforcer-config.paths[2].path=/documents
>>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>>>
>>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
>>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>>
>>>
>>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
>>> ------------------------------------------------------------------------
>>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
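Added example, not code from this thread and not Keycloak's own sources: a minimal custom Claim Information Point for the Keycloak Java adapter's policy enforcer, showing the factory lifecycle Alexey describes (getName(), init(), then create() per configured path) and how a provider turns the adapter-side section `claimInformationPointConfig.document[uri]={request.method}` into claims that are pushed to the server for policy evaluation. It assumes the adapter API of early 2019 (`org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory`, `ClaimInformationPointProvider`, `PolicyEnforcer`, and `org.keycloak.adapters.spi.HttpFacade`); the package and class names mirror the ones in the thread's META-INF/services file but are otherwise illustrative, and the `{request.method}` / `{request.uri}` placeholder handling is this example's own, not the built-in ‘claims’ provider's.

```java
// Added example (not from the thread or from Keycloak): a custom CIP whose factory name
// must equal the key used under claimInformationPointConfig ("document" in the thread).
// Assumed API: Keycloak adapter classes as of early 2019.
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProviderFactory.DocumentCIPProvider> {

    // The enforcer matches this value against the config key ("document[...]" above);
    // a mismatch means the factory is loaded but create() is never reached.
    @Override
    public String getName() {
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Nothing to prepare here; a real provider might set up a document lookup client.
    }

    // Called once per configured path, receiving that path's "document" section
    // (here: uri -> "{request.method}").
    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        return new DocumentCIPProvider(config);
    }

    public static class DocumentCIPProvider implements ClaimInformationPointProvider {

        // Only these two request placeholders are supported by this example.
        private static final Pattern PLACEHOLDER = Pattern.compile("\\{request\\.(method|uri)\\}");
        private final Map<String, Object> config;

        DocumentCIPProvider(Map<String, Object> config) {
            this.config = config;
        }

        // Build one claim per configured key; values are expanded from the current request.
        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            Map<String, List<String>> claims = new HashMap<>();
            for (Map.Entry<String, Object> entry : config.entrySet()) {
                String value = expand(String.valueOf(entry.getValue()), httpFacade);
                claims.put(entry.getKey(), Collections.singletonList(value));
            }
            return claims;
        }

        // Replace {request.method} / {request.uri}; anything else is left verbatim so a
        // typo in the config surfaces as a literal claim value rather than silently vanishing.
        static String expand(String template, HttpFacade facade) {
            Matcher m = PLACEHOLDER.matcher(template);
            StringBuffer out = new StringBuffer();
            while (m.find()) {
                String replacement = "method".equals(m.group(1))
                        ? facade.getRequest().getMethod()
                        : facade.getRequest().getURI();
                m.appendReplacement(out, Matcher.quoteReplacement(replacement));
            }
            m.appendTail(out);
            return out.toString();
        }
    }
}
```

Registration is the file already shown in the thread (`META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory` listing the factory class). Two things worth checking when a custom CIP is loaded but never created: that `getName()` returns exactly the key used in `claimInformationPointConfig`, and that every path you expect claims for actually carries a section for that key. Note also that claims resolved this way are derived from the incoming request (method, URI), so the server-side policies that consume them are evaluating caller-controlled input and should treat it as such rather than as an asserted attribute of the resource.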