[Apiman-user] Authorization question

Marc Savy marc.savy at redhat.com
Tue Aug 8 06:08:47 EDT 2017


Hi,

If I understand your description correctly, this should work. And in
my quick tests, it seems to work.  I might not be replicating
your setup perfectly though.

For example let's imagine we have a setup such that:

Client Policies [] // None
Plan Policies [Foo, Bar]
API Policies [Baz]

This ultimately flattens to a policy chain of:

Caller <-> [ Foo <-> Bar <-> Baz ] <-> API

So if your setup is (N of):

Plan [ Keycloak Auth ]
API [ Authz ]

This should always result in: Keycloak *then* Authz, passing roles as
defined in config.

If that isn't happening then there's a bug. I may need to collect
some more information from you to see whether I can replicate the
issue.

Regards,
Marc

On 5 August 2017 at 01:21, Stephen Henrie <stephen at saasindustries.com> wrote:
>
> My goal is minimize the amount of Apiman configuration that I need to do by
> sharing a single, common authentication Plan using the Keycloak plugin
> across all APIs while using an API specific authorization policy for each
> individual API.
>
> As such,  I am trying to configure a single, global plan within Apiman that
> can be used for ensuring authentication policy using the Keycloak plugin
> which forwards all of my realm roles. This single plan would be assigned to
> all of my APIs in the Org, which would allow me to only have to configure
> the Keycloak realm information in one place. Then for each individual API, I
> was hoping to add a single Authorization policy plugin configured with
> endpoints and paths specific for each API.
>
> Something like
>
> Api1 ---> Keycloak Plan Abc
>   +---->Authorization Policy (123)
>
> Api2 ---> Keycloak Plan Abc
>   +---->Authorization Policy (456)
>
>
> When I do this and call one of the API endpoints, I am getting the following
> error:
>
> curl -k  -H "Authorization: Bearer $T"
> https://localhost:9443/apiman-gateway/chassi/chassi-tenant-bff/1.0/mytenants
>
> {"type":"Other","failureCode":10010,"responseCode":0,"message":"No roles
> have been extracted during authentication.  Make sure the authorization
> policy comes *after* a compatible authentication policy in your
> configuration.","headers":[]}
>
> It would seem that the Keycloak plugin that is configured in the Plan
> assigned to the API is not forwarding the realm roles to the Authentication
> policy which is also assigned to the same API.
>
> Is this by design? Do the authentication and authorization policies have to
> be within the same entity (ie. Plan, Api, etc) and not passed out of a plan
> to be used by downstream policies?  If so, is there another way to configure
> plans and policies that will allow me to accomplish my goal?
>
> Thanks in advance!
> Stephen
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
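Marc's description of how plan and API policies flatten into one ordered chain, and the "No roles have been extracted" failure Stephen hit, as a small added Python model. This is an illustration written for this page, not Apiman's own code: the policy classes, the shared per-request context used to hand roles from the authentication policy to the authorization policy, and the token-to-roles table are all assumptions constructed for the example.

```python
"""Toy model of an Apiman-style policy chain (added illustration, not Apiman code).

Assumptions made here: each policy has an apply(request) hook, an
authentication policy hands roles to later policies through a shared
request context dict, and client -> plan -> API is the flattening order.
"""
from dataclasses import dataclass, field
from typing import Optional


class PolicyFailure(Exception):
    """Raised by a policy to stop the chain before the request reaches the API."""


@dataclass
class Request:
    path: str
    bearer_token: Optional[str] = None
    context: dict = field(default_factory=dict)  # shared between policies (assumed)


# Constructed stand-in for a Keycloak realm: token -> realm roles.
FAKE_TOKEN_ROLES = {
    "token-admin": {"admin", "user"},
    "token-user": {"user"},
}


class KeycloakAuthPolicy:
    """Validates the bearer token and publishes the realm roles into the context."""
    name = "Keycloak Auth"

    def apply(self, req: Request) -> None:
        roles = FAKE_TOKEN_ROLES.get(req.bearer_token)
        if roles is None:
            raise PolicyFailure("Authentication failed")
        req.context["roles"] = set(roles)  # forwarded realm roles


class AuthorizationPolicy:
    """Checks per-path role rules against roles left in the context by authn."""
    name = "Authorization"

    def __init__(self, rules):
        self.rules = rules  # list of (path_prefix, required_role)

    def apply(self, req: Request) -> None:
        roles = req.context.get("roles")
        if roles is None:
            # Same failure the gateway reports when authz runs before authn.
            raise PolicyFailure(
                "No roles have been extracted during authentication. Make sure the "
                "authorization policy comes *after* a compatible authentication "
                "policy in your configuration.")
        for prefix, role in self.rules:
            if req.path.startswith(prefix) and role not in roles:
                raise PolicyFailure(f"role {role!r} required for {prefix}")


def flatten_chain(client_policies, plan_policies, api_policies):
    """Client policies run first, then plan policies, then API policies."""
    return [*client_policies, *plan_policies, *api_policies]


def chain_names(chain):
    return [p.name for p in chain]


def gateway_call(chain, req: Request):
    """Run the chain; return ('ok', ...) or ('failure', message)."""
    try:
        for policy in chain:
            policy.apply(req)
    except PolicyFailure as exc:
        return ("failure", str(exc))
    return ("ok", "forwarded to API")


def demo():
    plan_abc = [KeycloakAuthPolicy()]
    api1_policies = [AuthorizationPolicy([("/mytenants", "admin")])]
    chain = flatten_chain([], plan_abc, api1_policies)   # Keycloak then Authz
    reversed_chain = [*api1_policies, *plan_abc]          # the broken order
    return {
        "flattened_order": chain_names(chain),
        "admin_on_mytenants": gateway_call(chain, Request("/mytenants", "token-admin")),
        "user_on_mytenants": gateway_call(chain, Request("/mytenants", "token-user")),
        "bad_token": gateway_call(chain, Request("/mytenants", "token-bogus")),
        "authz_before_authn": gateway_call(reversed_chain, Request("/mytenants", "token-admin")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the plan's Keycloak policy ahead of the API's Authorization policy, an admin token passes and a user-only token is rejected on the protected path; only when the chain is reversed does the model reproduce the "No roles have been extracted" message, which is the symptom to look for if the gateway's effective ordering is not what the plan/API split suggests.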