[keycloak-dev] Authz services feedback

Pedro Igor Silva psilva at redhat.com
Wed Jan 30 06:29:31 EST 2019


Thanks for the feedback, Marek. Kudos to you too for talking about this
stuff.

Answers inline.

On Wed, Jan 30, 2019 at 8:39 AM Marek Posolda <mposolda at redhat.com> wrote:

> I recently had a chance to play a bit more with authz services when
> preparing for the devconf demo. Great stuff and kudos to Pedro and all
> the others who contributed to authorization services!
>
> I just have a few questions and possible suggestions to improve in the
> future :) Also based on some questions and discussion I had after the talk:
>
> - My REST service was SpringBoot based and protected by the policy enforcer
> configured in the application.properties like this:
>
> https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-service/src/main/resources/application.properties#L23-L32
> However, I was stuck when I wanted to enable UserManagedAccess for my
> service. The PolicyEnforcerConfig.UserManagedAccessConfig is an empty
> class and I couldn't figure out how to properly add it in the
> application.properties file. I've tried to add various things in
> application.properties like this, but none of them helped:
>
> keycloak.policy-enforcer-config.user-managed-access
> keycloak.policy-enforcer-config.user-managed-access=
> keycloak.policy-enforcer-config.user-managed-access= (Just left single
> space here after equals character)


> As a workaround, I ended up having a separate bean to do it
> programmatically:
>
> https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-service/src/main/java/org/keycloak/quickstarts/devconf2019/config/KeycloakUMAConfigResolver.java
> Is it a bug or is it just me doing something stupid?
>

He had some feedback in the past about that too, but the workaround you did
is what people are doing. I've created
https://issues.jboss.org/browse/KEYCLOAK-9458.

We have a similar issue when you just want to enable the policy-enforcer
without any configuration. You need to specify at least one property of
policy-enforcer (or create a bean).


>
>
> - I wonder about possible improvements of keycloak-authz.js and whether
> usability can be improved a bit? More specifically I mean this:
> -- Handling of the 401 response with the UMA ticket from the resource server.
> Can this be done "automatically"? I mean the flow described here:
>
> https://www.keycloak.org/docs/latest/authorization_services/index.html#handling-authorization-responses-from-a-uma-protected-resource-server
> Maybe keycloak-authz itself can just handle the response from the
> resource server, then send the AuthorizationRequest to KC with the UMA
> ticket and then possibly re-send the request to the resource server with the new
> RPT, and do this "automatically" without the need for the application to
> handle it manually like this:
>
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-html5-client/src/main/webapp/js/app.js#L154-L208
> WDYT?
>

We had that before, but due to some changes in UMA specs, I decided to
remove this capability from the adapter. We can discuss to get it back
again.


>
> -- Another thing is refreshing of the RPT. It looks like the RPT response
> contains the refresh token, so refreshing RPTs is possible. However,
> the keycloak-authz.js client doesn't have any support for automatically
> refreshing the RPT token. I mean something similar to what is provided by
> keycloak.js itself (the "keycloak.updateToken" method, which automatically
> refreshes the token if needed). Due to this limitation, it seems there is a
> bug in our quickstart. When you try the quickstart
> "app-authz-uma-photoz" and you go through a flow like this:
> - Open http://localhost:8080/photoz-html5-client and login as jdoe
> - Create some album
> - Wait 10 minutes (RPT expiration is the same as AccessTokenLifespan, so 5
> minutes by default)
> - Try to create some album again - now it fails with 403 because the RPT
> expired and there is no support for refreshing it in keycloak-authz.js or the
> application itself.
> Should I create a JIRA for this?
>

Yes, please.


>
>
> - It seems we don't have any Java based adapter for the frontend clients
> written in Java? We have Java based authorization client, but that
> provides just sending REST requests. It doesn't provide things like I
> mentioned above though (Storing RPT, automatically refreshing RPT,
> Automatically handling 401 response with the UMA ticket from
> resource-server and sending the request to KC etc). Any plan to have this?
>

Could we leverage the authz client for that? If you could create a JIRA
with more details about the scenarios we are trying to support, we can
start thinking about a solution.

Thanks!


>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
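The "automatic" client behaviour discussed above (handling the 401 with the UMA ticket, obtaining an RPT and refreshing it before it expires), as an added example that is not code from keycloak-authz.js or the photoz quickstart. The challenge header format and the uma-ticket and refresh_token grants follow the UMA 2.0 / Keycloak authorization services docs; the token endpoint URL, client id and the injectable `http` function (a fetch-like stub so the flow runs offline) are assumptions.

```javascript
// Added example, not keycloak-authz.js: a minimal UMA client that
// (1) reads the permission ticket from a 401 WWW-Authenticate challenge,
// (2) exchanges it for an RPT at the token endpoint and retries the request once,
// (3) refreshes the RPT before its "exp" claim passes, like keycloak.updateToken.
const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';

function parseUmaTicket(wwwAuthenticate) {
  // UMA 2.0 challenge: WWW-Authenticate: UMA realm="r", as_uri="...", ticket="..."
  if (!/^UMA\b/i.test(wwwAuthenticate || '')) return null;
  const m = wwwAuthenticate.match(/ticket="([^"]+)"/);
  return m ? m[1] : null;
}

function jwtExp(token) {
  // Reads only "exp" to schedule a refresh; signature checks are the resource server's job.
  try {
    const payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    const exp = JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).exp;
    return typeof exp === 'number' ? exp : 0; // unreadable tokens count as expired
  } catch { return 0; }
}

class UmaClient {
  constructor({ tokenEndpoint, clientId, accessToken, http, minValidity = 30, now = () => Date.now() / 1000 }) {
    Object.assign(this, { tokenEndpoint, clientId, accessToken, http, minValidity, now, rpt: null, refreshToken: null });
  }
  async token(params) {
    // Public client: the user's access token authenticates the ticket exchange (assumed realm values).
    const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
    if (params.grant_type === UMA_GRANT) headers.Authorization = `Bearer ${this.accessToken}`;
    const body = new URLSearchParams({ client_id: this.clientId, ...params }).toString();
    const res = await this.http(this.tokenEndpoint, { method: 'POST', headers, body });
    if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
    const json = await res.json();
    this.rpt = json.access_token; this.refreshToken = json.refresh_token || this.refreshToken;
    return this.rpt;
  }
  async fetch(url, init = {}) {
    // Proactive refresh, mirroring keycloak.updateToken(minValidity).
    if (this.rpt && this.refreshToken && jwtExp(this.rpt) - this.now() < this.minValidity) {
      await this.token({ grant_type: 'refresh_token', refresh_token: this.refreshToken });
    }
    const send = () => this.http(url, { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${this.rpt || this.accessToken}` } });
    const first = await send();
    const ticket = first.status === 401 ? parseUmaTicket(first.headers.get('WWW-Authenticate')) : null;
    if (!ticket) return first; // 403 or a non-UMA 401: nothing the client can do automatically
    await this.token({ grant_type: UMA_GRANT, ticket });
    return send(); // retry exactly once with the fresh RPT
  }
}
```

`init.headers` is expected to be a plain object; a retry is made at most once per call, so a resource server that keeps answering 401 cannot put the client into a loop.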