This looks interesting. Have you checked this part of the docs [1]?
In a nutshell, in order to push arbitrary claims to your policies, you use
a specific request parameter when sending an authorization request to the
token endpoint. The value of this parameter is JSON in Base64 format.
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
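As an added illustration of the mechanism the docs above describe (this is not code from the thread or from Keycloak itself), here is a small Java helper built on keycloak-authz-client that pushes the tenant id as a claim alongside a permission request, so the policy attached to the project resource can check it. It assumes a `view` scope on the project resource, a resource-server keycloak.json on the classpath, and the raw bearer string obtained in the resolver via getKeycloakSecurityContext().getTokenString().

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;

/** Asks Keycloak "may this user view this project inside this tenant?" by pushing the tenant as a claim. */
public class TenantAwareAuthorizer {

    // AuthzClient.create() reads the resource server's keycloak.json from the classpath (assumed present).
    private final AuthzClient authzClient = AuthzClient.create();

    /**
     * @param rawAccessToken bearer string already validated by the adapter (KeycloakSecurityContext.getTokenString())
     * @param resourceName   id or name of the protected resource registered in Keycloak, e.g. "Project Resource"
     * @param tenantId       tenant the caller wants to act in; it is pushed to the policy, not trusted by this code
     */
    public boolean canView(String rawAccessToken, String resourceName, long tenantId) {
        // Pushed claims are a JSON object whose values are arrays of strings; a policy reads them from the
        // evaluation context (for example, a JavaScript policy checking the tenant against the user's memberships).
        // tenantId is numeric, so building the JSON by concatenation cannot break the document structure.
        String claims = "{\"tenant_id\":[\"" + tenantId + "\"]}";
        String claimToken = Base64.getEncoder().encodeToString(claims.getBytes(StandardCharsets.UTF_8));

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceName, "view");   // "view" scope is an assumption of this example
        request.setClaimToken(claimToken);
        // Format used in the Keycloak docs for a Base64-encoded JSON claim token.
        request.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");

        try {
            AuthorizationResponse response = authzClient.authorization(rawAccessToken).authorize(request);
            // A returned RPT means the permission was granted; the caller can keep it for later checks.
            return response.getToken() != null;
        } catch (AuthorizationDeniedException denied) {
            // Keycloak evaluated the policies with the pushed claim and refused; fail closed.
            return false;
        }
    }
}
```

Call canView(...) at the top of the resolver, after the null check on the authentication token, and treat a false result as a denied request.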
On Wed, Feb 27, 2019 at 1:17 PM Eugen Stan <ieugen(a)netdava.com> wrote:
Hello,
I'm trying to figure out how to work with the Authorization Services and
an RPC-style API.
For reference, I'm using spring boot, graphql-java and
graphql-java-tools and keycloak spring security adapter.
I wish to know how I can call the enforcer programmatically in my graphql
resolvers.
Since I am not using http paths I need to build the authorization
request depending on which resolver is called.
Some of the API requests are public - they don't require user
authentication.
Some are private and require user authentication and authorization.
*Background*
We have a GraphQL based API that we would like to expose. It's also
multi-tenant and a User (in Keycloak) can be a member of multiple tenants.
What I am trying to achieve is to secure access to resources like
/{org_id}/project/{id} (complex version) or /account/{org_id} (simple
version).
I would like to call the enforcer at the beginning of each resolver and
build the authorization request there - also providing the tenant id for
authorization.
*Example*
I managed to make the integration work and I can get the AccessToken:
How can I make the authorization call and provide the tenant ID to the
policy as a claim?
I know about [cip-spi], just not clear how to make things happen.
I imagine I have to build a resource like /{org_id}/project/{id} and
provide the tenant_id and id values.
import java.util.concurrent.CompletableFuture;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.representations.AccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import graphql.schema.DataFetchingEnvironment;
import graphql.servlet.GraphQLContext;
import com.coxautodev.graphql.tools.GraphQLQueryResolver;

public class QueryResolver implements GraphQLQueryResolver {
    private static final Logger log = LoggerFactory.getLogger(QueryResolver.class);

    public CompletableFuture<Project> getProject(Long id, Long tenantId,
                                                 DataFetchingEnvironment dfe) {
        // graphql-java-servlet exposes the servlet request through the GraphQL context
        HttpServletRequest req =
            ((GraphQLContext) dfe.getExecutionContext().getContext())
                .getHttpServletRequest()
                .orElseThrow(() -> new IllegalStateException("Request object is missing"));
        // the Keycloak Spring Security adapter sets the principal when a bearer token was accepted
        KeycloakAuthenticationToken authToken =
            (KeycloakAuthenticationToken) req.getUserPrincipal();
        if (authToken != null) {
            // we have an authenticated user
            KeycloakPrincipal principal = (KeycloakPrincipal) authToken.getPrincipal();
            AccessToken accessToken = principal.getKeycloakSecurityContext().getToken();
            log.info("Authenticated with {}", accessToken.getEmail());
        } else {
            log.info("User not authenticated");
        }
        // TODO: call the enforcer with the tenant id here, then load and return the project
        return CompletableFuture.completedFuture(null);
    }
}
Thanks,
Eugen
[1]
https://www.keycloak.org/docs/4.8/authorization_services/#claim-informati...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user