[keycloak-dev] Authz services feedback

Pedro Igor Silva psilva at redhat.com
Wed Jan 30 06:29:31 EST 2019

Thanks for the feedback, Marek. Kudos to you too for talking about this

Answers inline.

On Wed, Jan 30, 2019 at 8:39 AM Marek Posolda <mposolda at redhat.com> wrote:

> I recently have a chance to play a bit more with authz services when
> preparing for the devconf demo. Great stuff and cudos to Pedro and all
> the others who contributed to authorization services!
> I just have few questions and possible suggestions to improve in the
> future :) Also based on some questions and discussion I had after the talk:
> - My REST service was SpringBoot based and protected by policy enforced
> configured in the applications.properties like this
> https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-service/src/main/resources/application.properties#L23-L32
> . However I was stuck when I wanted to enable UserManagedAccess for my
> service. The PolicyEnforcerConfig.UserManagedAccessConfig is an empty
> class and I couldn't figure how to properly add it in the
> application.properties file. I've tried to add various things in
> application.properties like this, but none of them helped:
> keycloak.policy-enforcer-config.user-managed-access
> keycloak.policy-enforcer-config.user-managed-access=
> keycloak.policy-enforcer-config.user-managed-access= (Just left single
> space here after equals character)

> As a workaround, I ended with having separate bean to do it
> programatically -
> https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-service/src/main/java/org/keycloak/quickstarts/devconf2019/config/KeycloakUMAConfigResolver.java
> . Is it a bug or is it just me doing something stupid?

He had some feedback in the past about that too, but the workaround you did
is what people are doing. I've created

Similar issue we have when you just want to enable the policy-enforcer
without any configuration. You need to specify at least one property of
policy-enforcer (or create a bean).

> - I wonder about possible improvements of keycloak-authz.js and if
> usability can be a bit improved? More specifically I mean this:
> -- Handling of the 401 response with UMA ticket from resource-server -
> Can this be done "automatically"? I meant the flow described here:
> https://www.keycloak.org/docs/latest/authorization_services/index.html#handling-authorization-responses-from-a-uma-protected-resource-server
> . Maybe the keycloak-authz itself can just handle the response from
> resource server, then send the AuthorizationRequest to KC with the UMA
> ticket and then possibly re-send the request to resource-server with new
> RPT and do this "automatically" without a need to manually handle it by
> the application like this:
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-html5-client/src/main/webapp/js/app.js#L154-L208
> . WDYT?

We had that before, but due to some changes in UMA specs, I decided to
remove this capability from the adapter. We can discuss to get it back

> -- Another thing is refreshing of RPT. It looks that RPT response
> contains the refresh token, so refreshing of RPTs is possible. However
> the keycloak-authz.js client doesn't have any support for automatically
> refreshing RPT token. I mean something similar, which is provided by
> keycloak.js itself (method "keycloak.updateToken" which automatically
> refreshes the token if needed). Due this limitation, it seems there is a
> bug in our quickstart. When you try the quickstart
> "app-authz-uma-photoz" and you go through the flow like this:
> - Open http://localhost:8080/photoz-html5-client and login as jdoe
> - Create some album
> - Wait 10 minutes (RPT expiration is same like AccessTokenLifespan, so 5
> minutes by default)
> - Try to create some album again - now fails with 403 due the RPT
> expired and no support for refreshing it in the keycloak-authz.js or the
> application itself.
> Should I create JIRA for this?

Yes, please.

> - It seems we don't have any Java based adapter for the frontend clients
> written in Java? We have Java based authorization client, but that
> provides just sending REST requests. It doesn't provide things like I
> mentioned above though (Storing RPT, automatically refreshing RPT,
> Automatically handling 401 response with the UMA ticket from
> resource-server and sending the request to KC etc). Any plan to have this?

Could we leverage the authz client for that ? If you could create a JIRA
with more details about the scenarios we are trying to support, we can
start thinking about a solution.

Thanks !

> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list