[keycloak-dev] Authz services feedback

Marek Posolda mposolda at redhat.com
Wed Jan 30 05:37:11 EST 2019


I recently had a chance to play a bit more with authz services when 
preparing for the devconf demo. Great stuff and kudos to Pedro and all 
the others who contributed to authorization services!

I just have a few questions and possible suggestions to improve in the 
future :) Also based on some questions and discussion I had after the talk:

- My REST service was SpringBoot based and protected by the policy enforcer 
configured in the application.properties like this 
https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-service/src/main/resources/application.properties#L23-L32 
. However I was stuck when I wanted to enable UserManagedAccess for my 
service. The PolicyEnforcerConfig.UserManagedAccessConfig is an empty 
class and I couldn't figure out how to properly add it in the 
application.properties file. I've tried adding various things in 
application.properties like this, but none of them helped:

keycloak.policy-enforcer-config.user-managed-access
keycloak.policy-enforcer-config.user-managed-access=
keycloak.policy-enforcer-config.user-managed-access= (Just left single 
space here after equals character)

As a workaround, I ended up with a separate bean to do it 
programmatically - 
https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-service/src/main/java/org/keycloak/quickstarts/devconf2019/config/KeycloakUMAConfigResolver.java 
. Is it a bug or is it just me doing something stupid?


- I wonder about possible improvements to keycloak-authz.js and whether 
usability could be improved a bit? More specifically I mean this:
-- Handling of the 401 response with a UMA ticket from the resource server - 
can this be done "automatically"? I mean the flow described here: 
https://www.keycloak.org/docs/latest/authorization_services/index.html#handling-authorization-responses-from-a-uma-protected-resource-server 
. Maybe keycloak-authz itself could just handle the response from the 
resource server, then send the AuthorizationRequest to KC with the UMA 
ticket and then possibly re-send the request to the resource server with the new 
RPT, and do this "automatically" without the application having to handle it 
manually like this: 
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-html5-client/src/main/webapp/js/app.js#L154-L208 
. WDYT?

-- Another thing is refreshing of the RPT. It looks like the RPT response 
contains the refresh token, so refreshing RPTs is possible. However 
the keycloak-authz.js client doesn't have any support for automatically 
refreshing the RPT. I mean something similar to what is provided by 
keycloak.js itself (the "keycloak.updateToken" method, which automatically 
refreshes the token if needed). Due to this limitation, it seems there is a 
bug in our quickstart. When you try the quickstart 
"app-authz-uma-photoz" and go through a flow like this:
- Open http://localhost:8080/photoz-html5-client and login as jdoe
- Create some album
- Wait 10 minutes (RPT expiration is the same as AccessTokenLifespan, so 5 
minutes by default)
- Try to create some album again - this now fails with 403 because the RPT 
expired and there is no support for refreshing it in keycloak-authz.js or the 
application itself.
Should I create a JIRA for this?


- It seems we don't have any Java based adapter for frontend clients 
written in Java? We have a Java based authorization client, but that 
just provides sending REST requests. It doesn't provide the things I 
mentioned above though (storing the RPT, automatically refreshing the RPT, 
automatically handling the 401 response with the UMA ticket from the 
resource server and sending the request to KC etc). Any plan to have this?

Marek
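Added example (not code from the quickstart, keycloak.js or keycloak-authz.js): a minimal client-side wrapper that does what the two keycloak-authz.js points above ask for automatically, answering a 401 UMA challenge by obtaining an RPT and retrying once, and refreshing the RPT before it expires instead of running into the 403. Network operations are injected as synchronous functions with hypothetical names (fetchImpl, authorize, refresh, now), and the album scenario is replayed against a constructed stand-in for the photoz service and Keycloak so it runs offline.

```javascript
// Parse `WWW-Authenticate: UMA realm="...", as_uri="...", ticket="..."` into an
// object with those fields; returns null when the challenge is not a UMA one.
function parseUmaChallenge(header) {
  if (!header || !/^UMA\b/i.test(header.trim())) return null;
  const params = {}, re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) params[m[1]] = m[2];
  return params.ticket ? params : null;
}
// No RPT yet, or it expires within minValidity seconds (cf. keycloak.updateToken).
function rptNeedsRefresh(rpt, nowSeconds, minValidity = 30) {
  return !rpt || rpt.expiresAt - nowSeconds < minValidity;
}
// One resource-server call. `deps` injects the network operations (hypothetical names):
// fetchImpl(req, rptToken), authorize(ticket), refresh(rpt), now(); state.rpt = { token, expiresAt }.
function umaFetch(req, state, deps) {
  if (state.rpt && rptNeedsRefresh(state.rpt, deps.now())) {
    state.rpt = deps.refresh(state.rpt);          // refresh before the call, not after a 403
  }
  let res = deps.fetchImpl(req, state.rpt ? state.rpt.token : null), retried = false;
  if (res.status === 401) {
    const challenge = parseUmaChallenge(res.headers['www-authenticate']);
    if (challenge) {                              // UMA ticket: AuthorizationRequest to KC, retry once
      state.rpt = deps.authorize(challenge.ticket);
      res = deps.fetchImpl(req, state.rpt.token);
      retried = true;
    }
  }
  return { response: res, retried };
}
// Constructed stand-in for the photoz resource server and Keycloak, replaying the
// quickstart scenario: create an album, wait past RPT expiry (300 s), create again.
function simulateAlbumFlow() {
  let clock = 0;
  const rpts = new Map();                         // token -> expiresAt, as the server sees it
  const challenge = 'UMA realm="photoz", as_uri="http://kc.example/auth/realms/photoz", ticket="ticket-1"';
  function issue(token) { rpts.set(token, clock + 300); return { token, expiresAt: clock + 300 }; }
  const deps = {
    now: () => clock,
    fetchImpl: (req, token) => rpts.get(token) > clock
      ? { status: 201, headers: {} } : { status: 401, headers: { 'www-authenticate': challenge } },
    authorize: (ticket) => issue('rpt-for-' + ticket),
    refresh: (rpt) => { rpts.delete(rpt.token); return issue(rpt.token + '-r'); },
  };
  const state = {};
  const first = umaFetch({ path: '/album' }, state, deps);   // 401 + ticket, then 201
  clock = 600;                                               // ten minutes later
  const second = umaFetch({ path: '/album' }, state, deps);  // proactive refresh, 201
  return { first, second, rpt: state.rpt.token };
}
```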


