On 1 Feb 2019, at 14:35, Dmitry Telegin <dt(a)acutus.pro> wrote:
Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
Please see my answer above, I've been able to reproduce the issue and trace it down
to the AbstractPolicyEnforcer::getClaims().
Dmitry
On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
> Hi,
>
> Could you share the code for your custom CIP, please? Are you sure the
> factory's name is the same as what you defined in your adapter
> configuration?
>
> Regards.
> Pedro Igor
>
> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology>
> wrote:
>
>> Hello guys!
>>
>> Can someone help me please with the following problem.
>>
>> I need to configure context-based access control for my REST service, when
>> attributes of the protected resources are pushed to the Keycloak server for
>> policy evaluation. The protected service is built on Spring Boot.
>>
>> I’ve configured the system and all works fine with OOTB Claim Information
>> Point provider ‘claims’. But I need a custom one. And this custom CIP is
>> not working. I see from the debug logging, that policy enforcer calls
>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
>> thus, never instantiates the CIP.
>>
>> Below are the application.properties for Spring Boot and the CIP config file. My
>> custom CIP provider is named ‘document’. I call both /documents/- Get an
>>
>> Thank you,
>> Alexey
>>
>> application.properties
>> ----------------------------------
>> svc.name=docs-uma
>> server.port = 8085
>> keycloak.realm=DemoApp
>> keycloak.auth-server-url=http://localhost:8180/auth
>> keycloak.ssl-required=external
>> keycloak.resource=docs-svc-uma
>> keycloak.cors=true
>> keycloak.use-resource-role-mappings=true
>> keycloak.verify-token-audience=false
>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>> keycloak.confidential-port=0
>> keycloak.bearer-only=true
>>
>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
>> keycloak.securityConstraints[0].authRoles[0] = user
>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
>>
>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
>> keycloak.securityConstraints[1].authRoles[0] = admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>>
>> logging.level.org.keycloak=DEBUG
>>
>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>
>> # policy enforcer
>> keycloak.policy-enforcer-config.lazy-load-paths=true
>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>
>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>> keycloak.policy-enforcer-config.paths[0].path=/*
>>
>> keycloak.policy-enforcer-config.paths[1].name=Document creation
>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>>
>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>>
>> keycloak.policy-enforcer-config.paths[2].name=Document List
>> keycloak.policy-enforcer-config.paths[2].path=/documents
>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>>
>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>>
>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>>
>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>
>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
>> ------------------------------------------------------------------------
>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
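Pedro asked for the code of the custom CIP, which is not in the thread. What follows is an added example written for this page, not Alexey's code and not part of Keycloak: a minimal factory plus provider for a claim information point named `document`, shaped to fit the `claimInformationPointConfig.document[uri]=...` entries and the META-INF/services file quoted above. The package name is taken from that services file; the class names, the `document_id` claim, and the two placeholders the provider understands (`{request.method}`, `{request.relativePath}`) are assumptions made here, modelled on the built-in `claims` provider but implemented independently. The factory and provider interfaces (`ClaimInformationPointProviderFactory`, `ClaimInformationPointProvider`, `HttpFacade`) are the Keycloak adapter SPI the thread is about.

```java
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip; // taken from the services file above

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Factory for the "document" claim information point (example class, assumed name).
 * getName() must return exactly the key used under claimInformationPointConfig in
 * the adapter configuration ("document" for "...claimInformationPointConfig.document[uri]=...");
 * otherwise the adapter has no config entry for this factory and never asks it for a provider.
 */
public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentClaimInformationPointProvider> {

    @Override
    public String getName() {
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Nothing to set up for this example; a real provider could keep the enforcer config here.
    }

    @Override
    public DocumentClaimInformationPointProvider create(Map<String, Object> config,
                                                        PolicyEnforcer policyEnforcer) {
        // 'config' is the map under claimInformationPointConfig.document for the matching path,
        // e.g. {uri={request.method}} for paths[1] above.
        return new DocumentClaimInformationPointProvider(config);
    }
}

/**
 * Resolves the claims that are pushed to the Keycloak server with the authorization request.
 * Each config entry maps a claim name to a template; only the placeholders listed in
 * resolveTemplate() are interpreted, anything else is forwarded as a literal. In addition,
 * a (hypothetical) "document_id" claim is derived from the last segment of /documents/{id}.
 */
class DocumentClaimInformationPointProvider implements ClaimInformationPointProvider {

    private static final String DOCUMENTS_PREFIX = "/documents/";

    private final Map<String, Object> config;

    DocumentClaimInformationPointProvider(Map<String, Object> config) {
        this.config = config == null ? Collections.<String, Object>emptyMap() : config;
    }

    @Override
    public Map<String, List<String>> resolve(HttpFacade httpFacade) {
        HttpFacade.Request request = httpFacade.getRequest();
        Map<String, List<String>> claims = new HashMap<>();

        // Claims declared in the adapter config, e.g. uri={request.method}.
        for (Map.Entry<String, Object> entry : config.entrySet()) {
            String value = resolveTemplate(String.valueOf(entry.getValue()), request);
            if (value != null) {
                claims.put(entry.getKey(), Collections.singletonList(value));
            }
        }

        // Claim derived from the request path itself, so server-side policies can see which
        // document is being accessed. Only a single, non-empty path segment after /documents/ counts.
        String path = request.getRelativePath();
        if (path != null && path.startsWith(DOCUMENTS_PREFIX)) {
            String id = path.substring(DOCUMENTS_PREFIX.length());
            if (!id.isEmpty() && id.indexOf('/') < 0) {
                claims.put("document_id", Collections.singletonList(id));
            }
        }
        return claims;
    }

    // Placeholders this example supports; values come from the request the adapter is protecting,
    // never from anything the client can set freely (headers, query parameters), so that the
    // claims sent to the server are ones the resource server can vouch for.
    private static String resolveTemplate(String template, HttpFacade.Request request) {
        switch (template) {
            case "{request.method}":
                return request.getMethod();
            case "{request.relativePath}":
                return request.getRelativePath();
            default:
                return template;
        }
    }
}
```

The factory is registered through the `META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory` file exactly as in Alexey's mail, and is selected by the `document` key under `claimInformationPointConfig`; with the configuration above, a `POST /documents/42` would yield the claims `uri=POST` and `document_id=42`. Two things worth checking when a custom CIP is silently ignored: that the string returned by `getName()` and the config key match character for character, and that the path entry carrying the `claimInformationPointConfig` block is the one the enforcer actually matches for the request (a broad `/*` entry such as `paths[0]` above can shadow the more specific ones depending on how paths are resolved).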