9:47 a.m.
Hello guys!
Can someone help me please with the following problem.
I need to configure context based access control for my REST-service, when attributes of
the protected resources are pushed to Keycloak server for policy evaluation. Protected
service is built on Spring Boot.
I’ve configured the system and all works fine with OOTB Claim Information Point provider
‘claims’. But I need a custom one. And this custom CIP is not working. I see from the
debug logging, that policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but
_never_ calls ‘create()’, thus, never instantiates the CIP.
Below are application.properties for Spring boot and CIP config file. My custom CIP
Provider has ‘document’ name. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
5:09 a.m.
Hi,
Could you share the code for your custom CIP, please ? Are you sure the
factory's name is the same as what you defined in your adapter
configuration ?
Regards.
Pedro Igor
On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology>
wrote:
Hello guys!
Can someone help me please with the following problem.
I need to configure context based access control for my REST-service, when
attributes of the protected resources are pushed to Keycloak server for
policy evaluation. Protected service is built on Spring Boot.
I’ve configured the system and all works fine with OOTB Claim Information
Point provider ‘claims’. But I need a custom one. And this custom CIP is
not working. I see from the debug logging, that policy enforcer calls
‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
thus, never instantiates the CIP.
Below are application.properties for Spring boot and CIP config file. My
custom CIP Provider has ‘document’ name. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured
operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] =
/documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] =
/documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin
operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] =
/admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:35 a.m.
Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
Please see my answer above, I've been able to reproduce the issue and trace it down to
the AbstractPolicyEnforcer::getClaims().
Dmitry
On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
Hi,
Could you share the code for your custom CIP, please ? Are you sure the
factory's name is the same as what you defined in your adapter
configuration ?
Regards.
Pedro Igor
On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology>
wrote:
> Hello guys!
>
> Can someone help me please with the following problem.
>
> I need to configure context based access control for my REST-service, when
> attributes of the protected resources are pushed to Keycloak server for
> policy evaluation. Protected service is built on Spring Boot.
>
> I’ve configured the system and all works fine with OOTB Claim Information
> Point provider ‘claims’. But I need a custom one. And this custom CIP is
> not working. I see from the debug logging, that policy enforcer calls
> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
> thus, never instantiates the CIP.
>
> Below are application.properties for Spring boot and CIP config file. My
> custom CIP Provider has ‘document’ name. I call both /documents/- Get an
>
> Thank you,
> Alexey
>
> application.properties
> ----------------------------------
> svc.name=docs-uma
> server.port = 8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured
> operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] =
> /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] =
> /documents/
>
> keycloak.securityConstraints[1].securityCollections[0].name = admin
> operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] =
> /admin/
>
> logging.level.org.keycloak=DEBUG
>
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>
> # policy enforcer
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
>
> keycloak.policy-enforcer-config.paths[1].name=Document creation
> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>
>
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>
>
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>
>
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>
> keycloak.policy-enforcer-config.paths[2].name=Document List
> keycloak.policy-enforcer-config.paths[2].path=/documents
> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>
>
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>
>
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>
>
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>
> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>
>
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>
>
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>
>
>
>
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> ------------------------------------------------------------------------
>
>
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:03 a.m.
Thank you, guys!
On 1 Feb 2019, at 14:35, Dmitry Telegin <dt(a)acutus.pro> wrote:
Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
Please see my answer above, I've been able to reproduce the issue and trace it down
to the AbstractPolicyEnforcer::getClaims().
Dmitry
On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
> Hi,
>
> Could you share the code for your custom CIP, please ? Are you sure the
> factory's name is the same as what you defined in your adapter
> configuration ?
>
> Regards.
> Pedro Igor
>
> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko(a)dtg.technology>
> wrote:
>
>> Hello guys!
>>
>> Can someone help me please with the following problem.
>>
>> I need to configure context based access control for my REST-service, when
>> attributes of the protected resources are pushed to Keycloak server for
>> policy evaluation. Protected service is built on Spring Boot.
>>
>> I’ve configured the system and all works fine with OOTB Claim Information
>> Point provider ‘claims’. But I need a custom one. And this custom CIP is
>> not working. I see from the debug logging, that policy enforcer calls
>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
>> thus, never instantiates the CIP.
>>
>> Below are application.properties for Spring boot and CIP config file. My
>> custom CIP Provider has ‘document’ name. I call both /documents/- Get an
>>
>> Thank you,
>> Alexey
>>
>> application.properties
>> ----------------------------------
>> svc.name=docs-uma
>> server.port = 8085
>> keycloak.realm=DemoApp
>> keycloak.auth-server-url=http://localhost:8180/auth
>> keycloak.ssl-required=external
>> keycloak.resource=docs-svc-uma
>> keycloak.cors=true
>> keycloak.use-resource-role-mappings=true
>> keycloak.verify-token-audience=false
>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>> keycloak.confidential-port=0
>> keycloak.bearer-only=true
>>
>> keycloak.securityConstraints[0].securityCollections[0].name = secured
>> operation
>> keycloak.securityConstraints[0].authRoles[0] = user
>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] =
>> /documents
>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] =
>> /documents/
>>
>> keycloak.securityConstraints[1].securityCollections[0].name = admin
>> operation
>> keycloak.securityConstraints[1].authRoles[0] = admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] =
>> /admin/
>>
>> logging.level.org.keycloak=DEBUG
>>
>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>
>> # policy enforcer
>> keycloak.policy-enforcer-config.lazy-load-paths=true
>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>
>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>> keycloak.policy-enforcer-config.paths[0].path=/*
>>
>> keycloak.policy-enforcer-config.paths[1].name=Document creation
>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>>
>>
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>>
>>
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>>
>>
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>>
>> keycloak.policy-enforcer-config.paths[2].name=Document List
>> keycloak.policy-enforcer-config.paths[2].path=/documents
>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>>
>>
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>>
>>
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>>
>>
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>>
>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>>
>>
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>>
>>
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>
>>
>>
>>
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
>> ------------------------------------------------------------------------
>>
>>
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
12:32 p.m.
I've created https://issues.jboss.org/browse/KEYCLOAK-9478. Dmitry is right
and I sent a PR with a fix. Tests were also included for custom CIPs.
Regards.
Pedro Igor
On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko <titorenko(a)dtg.technology>
wrote:
Thank you, guys!
> On 1 Feb 2019, at 14:35, Dmitry Telegin <dt(a)acutus.pro> wrote:
>
> Oh, no need for Alexey to go to keycloak-dev, since Pedro is already
here :)
>
> Please see my answer above, I've been able to reproduce the issue and
trace it down to the AbstractPolicyEnforcer::getClaims().
>
> Dmitry
>
> On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
>> Hi,
>>
>> Could you share the code for your custom CIP, please ? Are you sure the
>> factory's name is the same as what you defined in your adapter
>> configuration ?
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko
<titorenko(a)dtg.technology>
>> wrote:
>>
>>> Hello guys!
>>>
>>> Can someone help me please with the following problem.
>>>
>>> I need to configure context based access control for my REST-service,
when
>>> attributes of the protected resources are pushed to Keycloak server for
>>> policy evaluation. Protected service is built on Spring Boot.
>>>
>>> I’ve configured the system and all works fine with OOTB Claim
Information
>>> Point provider ‘claims’. But I need a custom one. And this custom CIP
is
>>> not working. I see from the debug logging, that policy enforcer calls
>>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls
‘create()’,
>>> thus, never instantiates the CIP.
>>>
>>> Below are application.properties for Spring boot and CIP config file.
My
>>> custom CIP Provider has ‘document’ name. I call both /documents/- Get
an
>>>
>>> Thank you,
>>> Alexey
>>>
>>> application.properties
>>> ----------------------------------
>>> svc.name=docs-uma
>>> server.port = 8085
>>> keycloak.realm=DemoApp
>>> keycloak.auth-server-url=http://localhost:8180/auth
>>> keycloak.ssl-required=external
>>> keycloak.resource=docs-svc-uma
>>> keycloak.cors=true
>>> keycloak.use-resource-role-mappings=true
>>> keycloak.verify-token-audience=false
>>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>>> keycloak.confidential-port=0
>>> keycloak.bearer-only=true
>>>
>>> keycloak.securityConstraints[0].securityCollections[0].name = secured
>>> operation
>>> keycloak.securityConstraints[0].authRoles[0] = user
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] =
>>> /documents
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] =
>>> /documents/
>>>
>>> keycloak.securityConstraints[1].securityCollections[0].name = admin
>>> operation
>>> keycloak.securityConstraints[1].authRoles[0] = admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] =
/admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] =
>>> /admin/
>>>
>>> logging.level.org.keycloak=DEBUG
>>>
>>>
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>>
>>> # policy enforcer
>>> keycloak.policy-enforcer-config.lazy-load-paths=true
>>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>>
>>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>>> keycloak.policy-enforcer-config.paths[0].path=/*
>>>
>>> keycloak.policy-enforcer-config.paths[1].name=Document creation
>>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
>>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>>>
>>>
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>>>
>>>
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>>>
>>>
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>>>
>>> keycloak.policy-enforcer-config.paths[2].name=Document List
>>> keycloak.policy-enforcer-config.paths[2].path=/documents
>>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>>>
>>>
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>>>
>>>
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>>>
>>>
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>>>
>>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
>>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>>>
>>>
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>>>
>>>
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>>
>>>
>>>
>>>
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
>>>
------------------------------------------------------------------------
>>>
>>>
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
12:37 p.m.
Cheers, kudos and thumbs up :) Dmitry
On Fri, 2019-02-01 at 16:32 -0200, Pedro Igor Silva wrote:
I've created https://issues.jboss.org/browse/KEYCLOAK-9478.
Dmitry is
right and I sent a PR with a fix. Tests were also included for custom
CIPs.
Regards.
Pedro Igor
On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko <titorenko(a)dtg.techn
ology> wrote:
> Thank you, guys!
>
>
> > On 1 Feb 2019, at 14:35, Dmitry Telegin <dt(a)acutus.pro> wrote:
> >
> > Oh, no need for Alexey to go to keycloak-dev, since Pedro is
> already here :)
> >
> > Please see my answer above, I've been able to reproduce the issue
> and trace it down to the AbstractPolicyEnforcer::getClaims().
> >
> > Dmitry
> >
> > On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
> >> Hi,
> >>
> >> Could you share the code for your custom CIP, please ? Are you
> sure the
> >> factory's name is the same as what you defined in your adapter
> >> configuration ?
> >>
> >> Regards.
> >> Pedro Igor
> >>
> >> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko@dtg.
> technology>
> >> wrote:
> >>
> >>> Hello guys!
> >>>
> >>> Can someone help me please with the following problem.
> >>>
> >>> I need to configure context based access control for my REST-
> service, when
> >>> attributes of the protected resources are pushed to Keycloak
> server for
> >>> policy evaluation. Protected service is built on Spring Boot.
> >>>
> >>> I’ve configured the system and all works fine with OOTB Claim
> Information
> >>> Point provider ‘claims’. But I need a custom one. And this
> custom CIP is
> >>> not working. I see from the debug logging, that policy enforcer
> calls
> >>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls
> ‘create()’,
> >>> thus, never instantiates the CIP.
> >>>
> >>> Below are application.properties for Spring boot and CIP config
> file. My
> >>> custom CIP Provider has ‘document’ name. I call both
> /documents/- Get an
> >>>
> >>> Thank you,
> >>> Alexey
> >>>
> >>> application.properties
> >>> ----------------------------------
> >>> svc.name=docs-uma
> >>> server.port = 8085
> >>> keycloak.realm=DemoApp
> >>> keycloak.auth-server-url=http://localhost:8180/auth
> >>> keycloak.ssl-required=external
> >>> keycloak.resource=docs-svc-uma
> >>> keycloak.cors=true
> >>> keycloak.use-resource-role-mappings=true
> >>> keycloak.verify-token-audience=false
> >>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-
> b5dca453980a
> >>> keycloak.confidential-port=0
> >>> keycloak.bearer-only=true
> >>>
> >>> keycloak.securityConstraints[0].securityCollections[0].name =
> secured
> >>> operation
> >>> keycloak.securityConstraints[0].authRoles[0] = user
> >>>
> keycloak.securityConstraints[0].securityCollections[0].patterns[0]
> =
> >>> /documents
> >>>
> keycloak.securityConstraints[0].securityCollections[0].patterns[1]
> =
> >>> /documents/
> >>>
> >>> keycloak.securityConstraints[1].securityCollections[0].name =
> admin
> >>> operation
> >>> keycloak.securityConstraints[1].authRoles[0] = admin
> >>>
> keycloak.securityConstraints[1].securityCollections[0].patterns[0]
> = /admin
> >>>
> keycloak.securityConstraints[1].securityCollections[0].patterns[1]
> =
> >>> /admin/
> >>>
> >>> logging.level.org.keycloak=DEBUG
> >>>
> >>>
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloa
> k.cip=DEBUG
> >>>
> >>> # policy enforcer
> >>> keycloak.policy-enforcer-config.lazy-load-paths=true
> >>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
> >>>
> >>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> >>> keycloak.policy-enforcer-config.paths[0].path=/*
> >>>
> >>> keycloak.policy-enforcer-config.paths[1].name=Document creation
> >>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> >>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[1].methods[0].scopes[0]=urn:docs-svc-
> uma:resources:documents:create
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[1].claimInformationPointConfig.claims[test]={request.m
> ethod}
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[1].claimInformationPointConfig.document[uri]={request.
> method}
> >>>
> >>> keycloak.policy-enforcer-config.paths[2].name=Document List
> >>> keycloak.policy-enforcer-config.paths[2].path=/documents
> >>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[2].methods[0].scopes[0]=urn:docs-svc-
> uma:resources:documents:list
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[2].claimInformationPointConfig.claims[test]={request.m
> ethod}
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[2].claimInformationPointConfig.document[uri]={request.
> method}
> >>>
> >>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> >>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[3].claimInformationPointConfig.claims[some-
> claim]={request.uri}
> >>>
> >>> keycloak.policy-enforcer-
> config.paths[3].claimInformationPointConfig.claims[claims-from-
> document]={request.uri}
> >>>
> >>>
> >>>
> >>> META-
> INF/services/org.keycloak.adapters.authorization.ClaimInformationPo
> intProviderFactory
> >>> -------------------------------------------------------------
> -----------
> >>>
> >>>
> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.Document
> CIPProviderFactory
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
5:30 a.m.
Hello Alexey,
Seems like currently only the first configured CIP is evaluated [1]. With only one CIP,
I've been able to get my custom provider working.
I think this is a defect, and suggest that you join us in keycloak-dev under the
"Authz services feedback" thread, where we discuss CIPs and Spring Boot among
other things (however the issue is not SB-specific).
[1]
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co...
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2019-01-31 at 18:47 +0300, Alexey Titorenko wrote:
Hello guys!
Can someone help me please with the following problem.
I need to configure context based access control for my REST-service, when attributes of
the protected resources are pushed to Keycloak server for policy evaluation. Protected
service is built on Spring Boot.
I’ve configured the system and all works fine with OOTB Claim Information Point provider
‘claims’. But I need a custom one. And this custom CIP is not working. I see from the
debug logging, that policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but
_never_ calls ‘create()’, thus, never instantiates the CIP.
Below are application.properties for Spring boot and CIP config file. My custom CIP
Provider has ‘document’ name. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2168
days inactive
2169
days old
6 comments
3 participants
participants (3)
-
Alexey Titorenko -
Dmitry Telegin -
Pedro Igor Silva