Hello guys!
Can someone please help me with the following problem?
I need to configure context-based access control for my REST service, where attributes of
the protected resources are pushed to the Keycloak server for policy evaluation. The protected
service is built on Spring Boot.
I’ve configured the system and everything works fine with the OOTB Claim Information Point provider
‘claims’. But I need a custom one, and this custom CIP is not working. I see from the
debug logging that the policy enforcer calls ‘getName()’ and ‘init()’ on my CIP factory, but
_never_ calls ‘create()’, and thus never instantiates the CIP.
Below are the application.properties for Spring Boot and the CIP config file. My custom CIP
provider has the name ‘document’. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
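For reference, here is a minimal custom Claim Information Point provider written against the adapter SPI that the post refers to. This is an added example, not Alexey's DocumentCIPProviderFactory and not code from the Keycloak project; the package `example.cip` and the class names are assumptions. It relies on the adapter's `ClaimInformationPointProviderFactory` / `ClaimInformationPointProvider` interfaces: `getName()` must return the key used under `claimInformationPointConfig` (here `document`), `init()` is called once when the enforcer loads the factory through `META-INF/services`, and `create()` receives the entries configured under `claimInformationPointConfig.document[...]` for the matched path as a plain map and is followed by `resolve()`, whose returned claims are sent to the server with the authorization request.

```java
package example.cip; // assumed package name for this example

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Registered by listing the fully qualified class name in
 * META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
 * (one line: example.cip.DocumentClaimProviderFactory).
 */
public class DocumentClaimProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentClaimProviderFactory.DocumentClaimProvider> {

    /** Must match the map key used in the enforcer config: claimInformationPointConfig.document[...] */
    @Override
    public String getName() {
        return "document";
    }

    /** Called once when the policy enforcer loads the factory; nothing to prepare here. */
    @Override
    public void init(PolicyEnforcer policyEnforcer) {
    }

    /**
     * Called when a request matches a path that has a "document" CIP section.
     * config holds the raw entries of that section, e.g. {"uri": "{request.method}"}.
     */
    @Override
    public DocumentClaimProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        return new DocumentClaimProvider(config);
    }

    public static class DocumentClaimProvider implements ClaimInformationPointProvider {
        private final Map<String, Object> config;

        DocumentClaimProvider(Map<String, Object> config) {
            this.config = config == null ? Collections.<String, Object>emptyMap() : config;
        }

        /** Claims returned here are pushed to the server and can be evaluated by its policies. */
        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            HttpFacade.Request request = httpFacade.getRequest();
            Map<String, List<String>> claims = new HashMap<>();

            // Request attributes the server-side policy may need for a context-based decision.
            claims.put("request.method", Collections.singletonList(request.getMethod()));
            claims.put("request.uri", Collections.singletonList(request.getURI()));

            // Resource attribute derived from the path, e.g. /documents/42 -> document.id = 42.
            String documentId = extractDocumentId(request.getRelativePath());
            if (documentId != null) {
                claims.put("document.id", Collections.singletonList(documentId));
            }

            // Echo the configured values so the policy can see what the enforcer was told.
            for (Map.Entry<String, Object> entry : config.entrySet()) {
                claims.put("document.config." + entry.getKey(),
                        Collections.singletonList(String.valueOf(entry.getValue())));
            }
            return claims;
        }

        /** Pure helper: returns the id segment of /documents/{id}, or null when the path has none. */
        static String extractDocumentId(String relativePath) {
            if (relativePath == null) {
                return null;
            }
            String prefix = "/documents/";
            if (!relativePath.startsWith(prefix) || relativePath.length() == prefix.length()) {
                return null;
            }
            String rest = relativePath.substring(prefix.length());
            int slash = rest.indexOf('/');
            return slash < 0 ? rest : rest.substring(0, slash);
        }
    }
}
```

With this factory on the classpath and `claimInformationPointConfig.document[uri]=...` on a path, a request matching that path should produce a `create()` call followed by `resolve()`, and the returned claims appear in the authorization request the adapter sends to the server; if only `getName()` and `init()` show up in the DEBUG log, the request has not reached claim resolution for a path that carries the `document` section.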