7:59 a.m.
I'm trying to figure out how to use keycloak-gatekeeper with the
fine-grained authorization option in Keycloak.
I set up the authorization and ran an evaluation within the Keycloak UI
that correctly gave DENY for user 'test', but when I use that same user to
log in through gatekeeper, it says it's permitted and directs me to
upstream.
Is there anything I need to enable on gatekeeper side to have it enforce,
or any pointers here?
Thanks,
Tyler
8:15 a.m.
It seems to me that you're trying to use authorization services with
Gatekeeper (I can be wrong). If that's the case, unfortunatelly that's
not supported yet. But certainly something that we might consider in the
future.
If I guessed it all wrong, please share how you're configuring
Gatekeeper.
On 2019-05-21, Tyler Johnson wrote:
I'm trying to figure out how to use keycloak-gatekeeper with the
fine-grained authorization option in Keycloak.
I set up the authorization and ran an evaluation within the Keycloak UI
that correctly gave DENY for user 'test', but when I use that same user to
log in through gatekeeper, it says it's permitted and directs me to
upstream.
Is there anything I need to enable on gatekeeper side to have it enforce,
or any pointers here?
Thanks,
Tyler
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
9:08 a.m.
Yeah, that's exactly what I was trying to do.
My goal is to stand up something that sits in front of services and
enforces the authorization I defined in Keycloak so I don't have to include
any authorization logic or use any keycloak adapters in the services
themselves. It sounds like gatekeeper doesn't have that functionality
though. Are there any other options around that?
On Tue, May 21, 2019 at 8:15 AM Bruno Oliveira <bruno(a)abstractj.org> wrote:
It seems to me that you're trying to use authorization services
with
Gatekeeper (I can be wrong). If that's the case, unfortunatelly that's
not supported yet. But certainly something that we might consider in the
future.
If I guessed it all wrong, please share how you're configuring
Gatekeeper.
On 2019-05-21, Tyler Johnson wrote:
> I'm trying to figure out how to use keycloak-gatekeeper with the
> fine-grained authorization option in Keycloak.
>
> I set up the authorization and ran an evaluation within the Keycloak UI
> that correctly gave DENY for user 'test', but when I use that same user
to
> log in through gatekeeper, it says it's permitted and directs me to
> upstream.
>
> Is there anything I need to enable on gatekeeper side to have it enforce,
> or any pointers here?
>
> Thanks,
> Tyler
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
8:11 a.m.
I created the following Jira
https://issues.jboss.org/browse/KEYCLOAK-10367, so we don't miss it.
Authorization services is something that we would like to include in
Gatekeeper.
Regards if there are any other options. Being very honest, I don't know.
On 2019-05-21, Tyler Johnson wrote:
Yeah, that's exactly what I was trying to do.
My goal is to stand up something that sits in front of services and
enforces the authorization I defined in Keycloak so I don't have to include
any authorization logic or use any keycloak adapters in the services
themselves. It sounds like gatekeeper doesn't have that functionality
though. Are there any other options around that?
On Tue, May 21, 2019 at 8:15 AM Bruno Oliveira <bruno(a)abstractj.org> wrote:
> It seems to me that you're trying to use authorization services with
> Gatekeeper (I can be wrong). If that's the case, unfortunatelly that's
> not supported yet. But certainly something that we might consider in the
> future.
>
> If I guessed it all wrong, please share how you're configuring
> Gatekeeper.
>
> On 2019-05-21, Tyler Johnson wrote:
> > I'm trying to figure out how to use keycloak-gatekeeper with the
> > fine-grained authorization option in Keycloak.
> >
> > I set up the authorization and ran an evaluation within the Keycloak UI
> > that correctly gave DENY for user 'test', but when I use that same
user
> to
> > log in through gatekeeper, it says it's permitted and directs me to
> > upstream.
> >
> > Is there anything I need to enable on gatekeeper side to have it enforce,
> > or any pointers here?
> >
> > Thanks,
> > Tyler
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
>
--
abstractj
2:30 p.m.
On 21. May 2019, at 15:15, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
It seems to me that you're trying to use authorization services with
Gatekeeper (I can be wrong). If that's the case, unfortunatelly that's
not supported yet. But certainly something that we might consider in the
future.
That would be great. We’re somehow managed to do that with roles and scopes.
If I guessed it all wrong, please share how you're configuring
Gatekeeper.
On 2019-05-21, Tyler Johnson wrote:
> I'm trying to figure out how to use keycloak-gatekeeper with the
> fine-grained authorization option in Keycloak.
>
> I set up the authorization and ran an evaluation within the Keycloak UI
> that correctly gave DENY for user 'test', but when I use that same user to
> log in through gatekeeper, it says it's permitted and directs me to
> upstream.
>
> Is there anything I need to enable on gatekeeper side to have it enforce,
> or any pointers here?
>
> Thanks,
> Tyler
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2518
days inactive
2520
days old
4 comments
3 participants
participants (3)
-
Bruno Oliveira -
Christian Hügel -
Tyler Johnson