Hi Pedro,
Thank you very much for your answer. Unfortunately that's what I was
afraid of. The problem is, we don't have a classic Java/Servlet application,
so we can't use any of the Keycloak adapter available.
We might have to turn to another solution like
which offers an
integrated authorization plugin, unless we find the courage to write our
own adapter.
Cheers,
2016-08-26 22:43 GMT+10:00 Pedro Igor Silva <psilva(a)redhat.com>:
Hello Edouard,
Right now, policy enforcement is only performed on the application side. For
that, you need to enable policy enforcement in your keycloak.json as follows:
{
"policy-enforcer": {}
}
For more details, please take a look at [1].
We don't enforce policies on the server side, at least for now. The user will
always be able to log in and be redirected to your application with a
code/token.
@Stian already mentioned some ideas about a deeper integration
between KC authentication and authorization services. But for now, what you
want is not possible.
[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/enforcer/overview.html
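Since the thread concludes that Keycloak will always issue a code/token and the role check has to happen in the application, here is an added example (not from the thread, and not Keycloak's own adapter code) of what that application-side check looks like when no ready-made adapter fits: validate the access token, then read the roles from the Keycloak claim layout (`realm_access.roles` and `resource_access.<client>.roles`) and reject users who lack the required role. To stay runnable offline with only the standard library, the example mints and verifies HS256 tokens with a constructed shared secret; a real Keycloak access token is RS256 and would be verified against the realm's public key instead. The role name `app-user` and client id `my-webapp` are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the demo; not taken from the mailing-list thread.
DEMO_SECRET = b"demo-shared-secret"   # HS256 key; a real deployment verifies RS256 with the realm public key
REQUIRED_ROLE = "app-user"            # hypothetical realm/client role that gates the application
CLIENT_ID = "my-webapp"               # hypothetical Keycloak client id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT for the demo; stands in for what the Keycloak token endpoint returns."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def token_roles(claims: dict, client_id: str = CLIENT_ID) -> set:
    """Collect realm roles and this client's roles using Keycloak's claim layout."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def is_authorized(token: str, required_role: str = REQUIRED_ROLE, now=None) -> bool:
    """The check the application performs after the code/token exchange: valid token AND required role."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return required_role in token_roles(claims)


if __name__ == "__main__":
    # Constructed tokens: one user carries the role, one does not.
    ok = make_demo_token({"sub": "alice", "exp": 2_000_000_000, "realm_access": {"roles": ["app-user"]}})
    no = make_demo_token({"sub": "bob", "exp": 2_000_000_000, "realm_access": {"roles": ["other"]}})
    print("alice allowed:", is_authorized(ok, now=1_000_000_000))
    print("bob allowed:", is_authorized(no, now=1_000_000_000))
```

The point of the design is that the application, not Keycloak, is the enforcement point here: a user without the role still completes the login and lands on the redirect URI with a valid code, so the application has to decide after the token exchange whether to open a session. Anything that could make the check pass without a genuine Keycloak token (algorithm chosen by the token, non-constant-time comparison, missing expiry check) is handled before the role is even looked at.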
----- Original Message -----
From: "Edouard Kaiser" <edouard.kaiser(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, August 25, 2016 10:02:32 PM
Subject: [keycloak-user] Authorization at Keycloak level
Hi everyone,
We discovered Keycloak very recently (pretty impressive tool by the way,
congrats to the maintainers!), and we've been trying to configure a very
simple authorization at the Keycloak level without success.
Let me try to sum up what we are trying to achieve in our web-application.
For a Keycloak Client, we would like to only allow the users with a
particular Role to be able to login.
We thought that to achieve this, we needed to do this:
- Authorization enabled on the client
- Create a new Role-Based policy on a particular role
- Create a Resource Permission to use the previously created Policy
- Use this Resource Permission in the Default Resource of the Client
We use openid-connect, and more specifically Google as the identity
provider.
By doing this, we thought that users without the role, trying to connect
to our application through Keycloak, would be redirected to our application
with an error of authentication, something like this in the redirection:
/login/oauthVerify?client_name=OidcClient&error=unauthorized&error_description=You%20are%20not%20allowed%20to%20access%20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8
Instead, it's like Keycloak does not check the Authorization
configuration, it redirects to our webapp with a proper authorization code.
Then the application is able to fetch the JWT successfully from the
Keycloak token endpoint.
Did we miss something? Are we trying to solve our issue in the wrong way?
Thank you all for your help,
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user