[keycloak-user] Spring sec - roles - how?

java_os java at neposoft.com
Sat Dec 17 11:35:45 EST 2016


Hey Sebastien,
So I've created a mapper in the broker to say if the claim has a value then set
a role on the bearer client, say DOOM (I've tested to check for a bogus
value that does not come into the specified claim and DOOM does not
show in the token - perfect).
I defined this DOOM role in the bearer client and so I can see, when I invoke
the endpoint on the bearer, that this role appears in the token.
But I do not see the connection from this role in the token with what Spring
Sec is doing on:
http.authorizeRequests().antMatchers("/products*").hasRole("DOOM")
I get 403 when calling the method.
Do you have a gist somewhere that does this minimal stuff I am doing on my
side?
Appreciate it - thanks.

> Sebastien, sorry - yes, done the role mapper in the brokering, totally
> forgot about this - so I guess this is how the LDAP role propagates to the
> user's role.
> OK - got the big picture - rest impl details.
> You got me out of the swamp a 2nd time - thanks
>
>
>> I'm sorry, I'm not sure what you are really asking then.
>> I assume you defined a role mapper when you configured the LDAP brokering
>> in KC? So your LDAP role will be mapped to a KC role and your user will
>> have that role.
>>
>> The SpringSec app needs to know these roles to be able to check.
>>
>>
>> On Wed, Dec 14, 2016 at 4:24 PM, java_os <java at neposoft.com> wrote:
>>
>>> I get this Sebastien - thanks, but ....
>>> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC?
>>> How is a user able to 'acquire' this MY_MAPPED_LDAP_ROLE automatically,
>>> and who's setting the claim value into MY_MAPPED_LDAP_ROLE?
>>> Am a bit confused
>>> thx
>>>
>>>
>>> > You said that your SPA client can read out the roles from the token, well
>>> > for the Spring-sec app it is exactly the same. When your SPA sends a request
>>> > to it, it also passes the token; the Spring-sec adapter will extract the
>>> > roles from there (happens here
>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93
>>> > ).
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Wed, Dec 14, 2016 at 2:08 PM, java_os <java at neposoft.com> wrote:
>>> >
>>> >> Hi Sebastien
>>> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client
>>> >> level in KC, any pointers on how this is done? Getting in the value from
>>> >> the claim and setting it into the MY_MAPPED_LDAP_ROLE??
>>> >>
>>> >> I am guessing all logged in users (within the client) will take the role
>>> >> above, whose value will be the claim coming in from the IdP.
>>> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the
>>> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets
>>> >> defined in KC? Am a bit confused how spring-sec gets the value of the
>>> >> MY_MAPPED_LDAP_ROLE.
>>> >>
>>> >> Am going to dig more on my side, but would be nice if you can shed more
>>> >> light on the role setup in KC.
>>> >> Thanks
>>> >>
>>> >>
>>> >> > Is this not working?
>>> >> > http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
>>> >> > ?
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os <java at neposoft.com> wrote:
>>> >> >
>>> >> >> Hi All,
>>> >> >> I put up this question a while back and now back to it since no answer,
>>> >> >> this time with some hope.
>>> >> >> I have this SPA (keycloak.js) calling into a REST API bearer protected by
>>> >> >> KC - all good.
>>> >> >> I use KC brokering, so on the IdP side ADFS. User logs in against the IdP,
>>> >> >> where ADFS is configured with a claim that acts as a role. On the SPA I can
>>> >> >> map out that claim from the token.
>>> >> >> The REST API is protected by KC spring sec. I want (and this is what I do
>>> >> >> not know) to configure spring sec to react when the call is made to a
>>> >> >> specific REST endpoint when the user does not have a specific role
>>> >> >> (returning 401).
>>> >> >> How can I do this the spring sec way - how can I configure spring sec to
>>> >> >> say check at runtime the user's role for a specific endpoint and deny
>>> >> >> access to the resource.
>>> >> >> The big unknown to me is: how does the KC client role (which is some static
>>> >> >> config) relate to the runtime user's role coming from the IdP.
>>> >> >> Anyone has done this - am sure this is a common use case.
>>> >> >> Whoever knows this please share.
>>> >> >> Thank you and appreciate it.
>>> >> >>
>>> >> >>
>>> >> >> _______________________________________________
>>> >> >> keycloak-user mailing list
>>> >> >> keycloak-user at lists.jboss.org
>>> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >> >>
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>
>
>
>



