Hi. I've just tried to make it work again but failed. I defined all
resources in Keycloak and added the appropriate configs to keycloak.json for
the adapter.
I used the default configs for the adapter's Spring beans, taken from the docs:
...
<security:http auto-config="false"
               entry-point-ref="keycloakAuthenticationEntryPoint">
    <security:custom-filter ref="keycloakPreAuthActionsFilter"
                            before="LOGOUT_FILTER" />
    <security:custom-filter ref="keycloakAuthenticationProcessingFilter"
                            before="FORM_LOGIN_FILTER" />
    <security:intercept-url pattern="/**"
                            access="ROLE_USER"/>
    <security:custom-filter ref="logoutFilter"
                            position="LOGOUT_FILTER" />
</security:http>
example of spring controller:
import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProfileController {

    // Returns the caller's decoded access token, taken from the Spring
    // Security context that the Keycloak adapter filters populated.
    @RequestMapping(method = RequestMethod.GET, value = "/profile")
    public AccessToken getUserByToken() throws KeycloakApiException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        KeycloakPrincipal principal = (KeycloakPrincipal) auth.getPrincipal();
        return principal.getKeycloakSecurityContext().getToken();
    }
    ...
}
The application is running on localhost:8080/apps/{spring-endpoint}, so
the Spring root is localhost:8080/apps, and I set this URL as the base in the client
settings in Keycloak.
So far the strangest thing for me is that the adapter doesn't print any logs
related to authorization during requests; I see only this:
DEBUG org.keycloak.adapters.PreAuthActionsHandler - adminRequest http://localhost:8080/apps/profile
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Request is to process authentication
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Attempting Keycloak authentication
DEBUG org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator - Completing bearer authentication. Bearer roles: [ROLE_USER, ROLE_ADMIN]
DEBUG org.keycloak.adapters.RequestAuthenticator - User 'aa93b5d9-f02a-4557-a8b6-c7f083475bd5' invoking 'http://localhost:8080/apps/profile' on client 'apps-backend'
DEBUG org.keycloak.adapters.RequestAuthenticator - Bearer AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Auth outcome: AUTHENTICATED
DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter - Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@4259cc27: Principal: aa93b5d9-f02a-4557-a8b6-c7f083475bd5; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@c4e0280; Granted Authorities: KeycloakRole{role='ROLE_USER'}, KeycloakRole{role='ROLE_ADMIN'}
keycloak.json: ===========================================
{
  "realm": "test",
  "auth-server-url": "http://localhost:8081/auth",
  "ssl-required": "external",
  "resource": "apps-backend",
  "bearer-only": true,
  "credentials": {
    "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
  },
  "policy-enforcer": {
    "user-managed-access": {},
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "User Info",
        "path": "/profile/userinfo",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:userinfo:view"]
          },
          {
            "method": "POST",
            "scopes": ["urn:apps-backend:scopes:userinfo:edit"]
          }
        ]
      },
      {
        "name": "User Permissions",
        "path": "/profile/permissions",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:permissions:view"]
          }
        ]
      },
      {
        "name": "User Profile",
        "path": "/profile",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:profile:view"]
          }
        ]
      },
      {
        "name": "User Token",
        "path": "/profile/token"
      },
      {
        "name": "User Id Token"
      }
    ]
  }
}
keycloak-server authz-dump:=====================================
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "User Info",
      "uri": "/profile/userinfo",
      "type": "urn:apps-backend:resources:profile:userinfo",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:userinfo:edit"
        },
        {
          "name": "urn:apps-backend:scopes:userinfo:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Profile",
      "uri": "/profile",
      "type": "urn:apps-backend:resources:profile",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:profile:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Permissions",
      "uri": "/profile/permissions",
      "type": "urn:apps-backend:resources:profile:permissions",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:permissions:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Token",
      "uri": "/profile/token",
      "type": "urn:apps-backend:resources:profile:token",
      "typedScopes": []
    },
    {
      "name": "User Id Token",
      "uri": "/profile/idtoken",
      "type": "urn:apps-backend:resources:profile:idtoken",
      "typedScopes": []
    }
  ],
  "policies": [
    {
      "name": "Is user",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_USER\",\"required\":true}]"
      }
    },
    {
      "name": "Is merchant",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_MERCHANT\",\"required\":true}]"
      }
    },
    {
      "name": "Edit User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:edit\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Permissions",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Permissions\"]",
        "scopes": "[\"urn:apps-backend:scopes:permissions:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View Profile",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "scopes": "[\"urn:apps-backend:scopes:profile:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Access Profile",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Token Access",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Token\"]",
        "applyPolicies": "[\"Is merchant\"]"
      }
    }
  ],
  "scopes": [
    {
      "name": "urn:apps-backend:scopes:permissions:view"
    },
    {
      "name": "urn:apps-backend:scopes:userinfo:view"
    },
    {
      "name": "urn:apps-backend:scopes:userinfo:edit"
    },
    {
      "name": "urn:apps-backend:scopes:profile:view"
    }
  ]
}
On 28.03.2017 00:02, ebondu wrote:
Илья Король wrote
> Hi. Thanks for the comment. Could you please share your configs, or at least
> say which methods you used: manual configuration in keycloak.json, or
> relying on resources defined in Keycloak?
Both, all resources are defined in keycloak.json (method paths) and
also as resources in the Keycloak server.
Илья Король wrote
> And correct me if I'm wrong:
>
> Authorization requires an RPT token, so for a bearer-only client (backend) I
> must provide this token, which is retrieved beforehand via the Entitlement
> API or the UMA protocol?
You are right. I am using the UMA protocol, but it should also work with
Entitlement.
Илья Король wrote
> And how should the client be configured in Keycloak? As bearer-only or
> confidential? As I said, my application only starts if I configure it
> in Keycloak as confidential (if I make it bearer-only it fails to start
> and complains about credentials).
I configured the client as confidential.
Илья Король wrote
> Another thing that I didn't catch is the resource method configuration (for
> instance):
> { "method": "DELETE", "scopes": ["urn:app.com:scopes:delete"] }
> If I configure the adapter to retrieve all resource settings from Keycloak, how
> can I configure methods for resources and their scopes in the Keycloak Admin
> Console?
Methods and their associated scopes are configured in keycloak.json only.
Resources, scopes and the associated policies are defined in Keycloak.
A small extract from the conf:
keycloak.json:
{
  "realm": "...",
  "resource": "backend",
  ...
  "bearer-only": true,
  ...
  "policy-enforcer": {
    "create-resources": false,
    "user-managed-access": {},
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "path": "/yourMethod",
        "methods": [
          {
            "method": "POST",
            "scopes": [
              "urn:app:scopes:create"
            ]
          },
          ...
        ]
      }
    ]
  }
}
realm authz json:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "My Resource",
      "uri": "/myMethod",
      "scopes": [
        {
          "name": "urn:app:scopes:create"
        },
        ...
      ]
    }
  ],
  "policies": [...your policies],
  "scopes": [
    {
      "name": "urn:app:scopes:create"
    },
    ...
  ]
}
--
Sent from the keycloak-user mailing list archive at Nabble.com.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
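The point ebondu makes above, that the enforcer needs an RPT rather than the plain access token the logs show being accepted as "Bearer AUTHENTICATED", is easiest to see by running the decision by hand. The script below is an added example, not code from this thread or from Keycloak: it embeds the "paths" section of the keycloak.json posted in the thread, maps a request (path, method) to the scopes required for it, and checks those against the permissions carried in the "authorization" claim of an RPT. The tokens are constructed locally and unsigned; the path matching (exact only), the treatment of a permission without scopes as a grant of the whole resource, and the treatment of a path entry with no matching method as resource-level access are simplifying assumptions of this model, not a description of Keycloak's own enforcer.

```python
# Added example (not code from this thread or from Keycloak): a small model of
# the policy-enforcer decision the thread is about. It maps a request (path,
# method) to the scopes listed for that path in keycloak.json, then checks them
# against the permissions carried in the "authorization" claim of an RPT.
# Assumptions of this model, not documented Keycloak behaviour: paths match
# exactly, a permission listing no scopes grants the whole resource, and a path
# entry with no matching method only requires resource-level access.
import base64
import json

# The "paths" section of the keycloak.json posted in the thread. The
# "User Id Token" entry has no "path" and is left out: this model matches on
# path only.
POLICY_ENFORCER_PATHS = [
    {"name": "User Info", "path": "/profile/userinfo", "methods": [
        {"method": "GET", "scopes": ["urn:apps-backend:scopes:userinfo:view"]},
        {"method": "POST", "scopes": ["urn:apps-backend:scopes:userinfo:edit"]},
    ]},
    {"name": "User Permissions", "path": "/profile/permissions", "methods": [
        {"method": "GET", "scopes": ["urn:apps-backend:scopes:permissions:view"]},
    ]},
    {"name": "User Profile", "path": "/profile", "methods": [
        {"method": "GET", "scopes": ["urn:apps-backend:scopes:profile:view"]},
    ]},
    {"name": "User Token", "path": "/profile/token"},
]


def required_permission(path, method):
    """Return (resource name, required scopes) for a request, or None when
    the path is not covered by the enforcer config at all."""
    for entry in POLICY_ENFORCER_PATHS:
        if entry["path"] != path:
            continue
        for m in entry.get("methods", []):
            if m["method"] == method.upper():
                return entry["name"], set(m["scopes"])
        return entry["name"], set()   # resource-level access only (assumption)
    return None


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def build_unsigned_demo_token(claims):
    """Constructed, UNSIGNED JWT for offline demonstration only. A real RPT is
    signed by the realm and the adapter verifies that signature first."""
    return _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(claims) + "."


def decode_jwt_payload(token):
    """Decode the claims segment without checking the signature. Acceptable
    here only because the tokens are built locally; never do this to
    incoming tokens."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims):
    """resource name -> set of granted scopes, read from the RPT's
    authorization.permissions claim. A plain access token has no such claim,
    so it grants nothing, whatever realm roles it carries."""
    granted = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        granted.setdefault(perm["rsname"], set()).update(perm.get("scopes", []))
    return granted


def enforce(token, path, method):
    """Decision for one request: 'GRANT', 'DENY' or 'NOT_PROTECTED'."""
    req = required_permission(path, method)
    if req is None:
        return "NOT_PROTECTED"
    resource, required = req
    granted = granted_permissions(decode_jwt_payload(token))
    if resource not in granted:
        return "DENY"
    allowed = granted[resource]
    if allowed and not required.issubset(allowed):  # empty set = whole resource
        return "DENY"
    return "GRANT"


if __name__ == "__main__":
    # Constructed tokens: a bare access token carrying roles only, and an RPT.
    access_token = build_unsigned_demo_token(
        {"sub": "user-1", "realm_access": {"roles": ["ROLE_USER"]}})
    rpt = build_unsigned_demo_token({"sub": "user-1", "authorization": {"permissions": [
        {"rsname": "User Profile", "scopes": ["urn:apps-backend:scopes:profile:view"]},
        {"rsname": "User Info", "scopes": ["urn:apps-backend:scopes:userinfo:view"]},
        {"rsname": "User Token"},
    ]}})
    for tok, name in ((access_token, "access token"), (rpt, "RPT")):
        for path, method in (("/profile", "GET"), ("/profile/userinfo", "POST"),
                             ("/profile/token", "GET"), ("/health", "GET")):
            print(f"{name:12} {method:4} {path:20} -> {enforce(tok, path, method)}")
```

Running it shows the two cases the thread turns on: the access token with ROLE_USER is denied on every protected path because it carries no "authorization" claim, while the RPT is granted GET /profile and denied POST /profile/userinfo because its User Info permission lists only the view scope. The ROLE_USER check in the Spring `<intercept-url>` is a separate, coarser decision made before the enforcer runs.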