Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
Please see my answer above, I've been able to reproduce the issue and trace it down to
the AbstractPolicyEnforcer::getClaims().
Dmitry
On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
Hi,
Could you share the code for your custom CIP, please? Are you sure the
factory's name is the same as what you defined in your adapter
configuration?
Regards.
Pedro Igor
On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology>
wrote:
> Hello guys!
>
> Can someone please help me with the following problem?
>
> I need to configure context-based access control for my REST service, where
> attributes of the protected resources are pushed to the Keycloak server for
> policy evaluation. The protected service is built on Spring Boot.
>
> I’ve configured the system and all works fine with OOTB Claim Information
> Point provider ‘claims’. But I need a custom one. And this custom CIP is
> not working. I see from the debug logging, that policy enforcer calls
> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
> thus, never instantiates the CIP.
>
> Below are the application.properties for Spring Boot and the CIP config file. My
> custom CIP Provider has the name ‘document’. I call both /documents/- Get an
>
> Thank you,
> Alexey
>
> application.properties
> ----------------------------------
> svc.name=docs-uma
> server.port = 8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
>
> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>
> logging.level.org.keycloak=DEBUG
>
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>
> # policy enforcer
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
>
> keycloak.policy-enforcer-config.paths[1].name=Document creation
> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>
> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>
> keycloak.policy-enforcer-config.paths[2].name=Document List
> keycloak.policy-enforcer-config.paths[2].path=/documents
> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>
> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>
> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>
> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>
> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>
> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>
> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>
>
> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> ------------------------------------------------------------------------
>
> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
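A minimal custom CIP of the shape the thread describes, added here as an example (not the poster's code and not Keycloak's own); it assumes the adapter-core SPI signatures of the Keycloak releases current in early 2019 (getName()/init()/create() on the factory, resolve(HttpFacade) on the provider) and a hypothetical class name. It shows the two points that matter in this thread: getName() must return exactly the key used under claimInformationPointConfig, and a pushed claim should be derived only from a strictly validated part of the request.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

// Factory for the "document" CIP (hypothetical class, assumed SPI signatures). getName() must equal
// the key used under claimInformationPointConfig, or the enforcer never looks it up and create() is never called.
public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProviderFactory.DocumentCIPProvider> {

    @Override
    public String getName() {
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Called once when the enforcer loads factories; nothing shared to set up here.
    }

    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        // config is the map configured under claimInformationPointConfig.document for the matched path
        return new DocumentCIPProvider();
    }

    // Pushes a "document.id" claim taken from the request path /documents/{id}.
    public static class DocumentCIPProvider implements ClaimInformationPointProvider {
        // Strict allow-list pattern: only a well-formed id becomes a claim; anything else
        // yields no claim, so a policy that requires document.id simply denies.
        private static final Pattern DOC_PATH = Pattern.compile("^/documents/([A-Za-z0-9-]{1,64})$");

        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            Map<String, List<String>> claims = new HashMap<>();
            Matcher m = DOC_PATH.matcher(httpFacade.getRequest().getRelativePath());
            if (m.matches()) {
                claims.put("document.id", Collections.singletonList(m.group(1)));
            }
            return claims;
        }
    }
}
```

The factory is registered through the META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory file exactly as in the post, one fully qualified factory class name per line.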