Hi,
Could you share the code for your custom CIP, please? Are you sure the factory's name is the same as what you defined in your adapter configuration?
Regards.
Pedro Igor
On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology> wrote:
Hello guys!
Can someone please help me with the following problem?
I need to configure context based access control for my REST-service, when
attributes of the protected resources are pushed to Keycloak server for
policy evaluation. Protected service is built on Spring Boot.
I’ve configured the system and all works fine with OOTB Claim Information
Point provider ‘claims’. But I need a custom one. And this custom CIP is
not working. I see from the debug logging, that policy enforcer calls
‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
thus, never instantiates the CIP.
Below are the application.properties for Spring Boot and the CIP config file. My
custom CIP provider has the name ‘document’. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
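To illustrate the check Pedro asks about, here is an added example (not code from this thread or from the Keycloak project) of a factory whose getName() returns exactly the key "document" used under claimInformationPointConfig in the application.properties above, together with the provider it creates. The package and class name are taken from the services file in the post; the method signatures follow the Keycloak adapter-core ClaimInformationPointProviderFactory and ClaimInformationPointProvider interfaces, and the claim names resolved are my own choice.

```java
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

// Registered via META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProviderFactory.DocumentCIP> {
    // The enforcer selects the factory by this name when it reads
    // claimInformationPointConfig.<name>[...] for a path. It has to match the key in
    // application.properties exactly ("document": same spelling, same case);
    // a mismatch means create() is never called and no claims are pushed to the server.
    public static final String NAME = "document";

    @Override
    public String getName() { return NAME; }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Called once when the enforcer starts; nothing to prepare in this example.
    }

    @Override
    public DocumentCIP create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        // 'config' holds the entries written as claimInformationPointConfig.document[...]
        return new DocumentCIP(config);
    }

    // Resolves the claims the enforcer attaches to the authorization request.
    public static class DocumentCIP implements ClaimInformationPointProvider {
        private final Map<String, Object> config;
        DocumentCIP(Map<String, Object> config) { this.config = config; }

        @Override
        public Map<String, List<String>> resolve(HttpFacade httpFacade) {
            HttpFacade.Request request = httpFacade.getRequest();
            Map<String, List<String>> claims = new HashMap<>();
            // Take claim values from the request the service itself sees, not from
            // client-controlled input, so the server-side policy evaluates trusted attributes.
            if (config.containsKey("uri")) {
                claims.put("uri", Collections.singletonList(request.getURI()));
            }
            claims.put("method", Collections.singletonList(request.getMethod()));
            return claims;
        }
    }
}
```

With DEBUG logging on the cip package enabled as in the properties above, a create() call for "document" should appear the first time a request hits a path that lists that key; if only getName() and init() show up, compare the returned name with the configured key character by character.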