[keycloak-user] Spring sec - roles - how?- SOLVED!

java_os java at neposoft.com
Sat Dec 17 13:07:19 EST 2016


Alright - for the record: spring-boot 1.4.2/spring-security 4.1.3/kc
2.3.0.Final
Changing hasRole to hasAnyAuthority, supplying the same role, it just works.
hasRole somehow is not working (maybe someone here can answer why hasRole
does not work). I have tested breaking the role coming in when the claim check
fails in the mapper and I get 403 - expected - so kc works - it's a matter
of spending time to properly configure it along with using hasAnyAuthority.
Simple as this - hope this helps anyone hitting the wall as I did for
the last couple of weeks.


> Hey Sebastien,
> So I've created a mapper in the broker to say if the claim has a value then set
> a role on the bearer client, say DOOM (I've tested checking for a bogus
> value that does not come into the specified claim and the DOOM does not
> show in the token - perfect).
> I defined this DOOM role in the bearer client and so I can see when I invoke
> the endpoint on the bearer that this role appears in the token.
> But I do not see the connection from this role in the token with what spring
> sec is doing on:
> http.authorizeRequests().antMatchers("/products*").hasRole("DOOM")
> I get 403 when calling the method.
> Do you have a gist somewhere that does this minimal stuff I am doing on my
> side?
> Appreciate it - thanks.
>
>> Sebastien, sorry - yes, done the role mapper in the brokering, totally
>> forgot about this - so I guess this is how the ldap role propagates to the
>> users' role.
>> OK - got the big picture - the rest is impl details.
>> You got me out of the swamp a 2nd time - thanks
>>
>>
>>> I'm sorry, I'm not sure what you are really asking then.
>>> I assume you defined a role mapper when you configured the LDAP brokering
>>> in KC? So your LDAP role will be mapped to a KC role and your user will
>>> have that role.
>>>
>>> The SpringSec app needs to know these roles to be able to check.
>>>
>>>
>>> On Wed, Dec 14, 2016 at 4:24 PM, java_os <java at neposoft.com> wrote:
>>>
>>>> I get this Sebastien - thanks, but ....
>>>> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC?
>>>> How is a user able to 'acquire' this MY_MAPPED_LDAP_ROLE automatically,
>>>> and who's setting the claim value into MY_MAPPED_LDAP_ROLE?
>>>> I am a bit confused
>>>> thx
>>>>
>>>>
>>>> > You said that your SPA client can read out the roles from the token,
>>>> > well for the Spring-sec app it is exactly the same. When your SPA sends a
>>>> > request to it, it also passes the token, the Spring-sec adapter will extract
>>>> > the roles from there (happens here
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93
>>>> > ).
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Wed, Dec 14, 2016 at 2:08 PM, java_os <java at neposoft.com> wrote:
>>>> >
>>>> >> Hi Sebastien
>>>> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client
>>>> >> level in kc, any pointers on how this is done? Getting the value in from
>>>> >> the claim and setting it into the MY_MAPPED_LDAP_ROLE??
>>>> >>
>>>> >> I am guessing all logged in users (within the client) will take the role
>>>> >> above, whose value will be the claim coming in from the idp.
>>>> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the
>>>> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets
>>>> >> defined in KC? I am a bit confused how spring-sec gets the value of the
>>>> >> MY_MAPPED_LDAP_ROLE.
>>>> >>
>>>> >> I am going to dig more on my side, but it would be nice if you can shed
>>>> >> more light on role setup in KC.
>>>> >> Thanks
>>>> >>
>>>> >>
>>>> >> > Is this not working?
>>>> >> > http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")
>>>> >> > ?
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os <java at neposoft.com> wrote:
>>>> >> >
>>>> >> >> Hi All,
>>>> >> >> I put up this question a while back and am now back to it since there
>>>> >> >> was no answer, this time with some hope.
>>>> >> >> I have this SPA (keycloak.js) calling into a Rest api bearer protected
>>>> >> >> by KC - all good.
>>>> >> >> I use KC brokering, so on the Idp side ADFS. The user logs in against
>>>> >> >> the idp, where ADFS is configured with a claim that acts as a role. On
>>>> >> >> the SPA I can map out that claim from the token.
>>>> >> >> The rest api is protected by kc spring sec. I want (and this is what I
>>>> >> >> do not know) to configure spring sec to react when the call is made to
>>>> >> >> a specific rest endpoint when the user does not have a specific role
>>>> >> >> (returning 401).
>>>> >> >> How can I do this the spring sec way - how can I configure spring sec
>>>> >> >> to say check at runtime the user's role for a specific endpoint and
>>>> >> >> deny access to the resource.
>>>> >> >> The big unknown to me is: how does the KC client role (which is some
>>>> >> >> static config) relate to the runtime user's role coming from the Idp.
>>>> >> >> Has anyone done this - I am sure this is a common use case.
>>>> >> >> Whoever knows this please share.
>>>> >> >> Thank you and appreciate it.
>>>> >> >>
>>>> >> >>
>>>> >> >> _______________________________________________
>>>> >> >> keycloak-user mailing list
>>>> >> >> keycloak-user at lists.jboss.org
>>>> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >> >>
>>>> >> >
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
>