[keycloak-user] Request for ${REALM} support for path field in policy enforcer (keycloak, json)
Pedro Igor Silva
psilva at redhat.com
Fri Apr 7 11:00:06 EDT 2017
Hi Stephane,
Interesting use case. But we do support patterns in paths? Or are you
having some issue when including them in your paths?
In that example, if you send a request to "/acme/operation/echo" it should
match "{REALM}/operation/*".
Regards.
Pedro Igor
On Fri, Apr 7, 2017 at 11:05 AM, Stephane Granger <
stephane.granger at gmail.com> wrote:
> Hi,
>
> It would be nice to be able to use ${REALM} in the path field of the policy
> enforcer config.
>
> The use case is to simplify (a bit) multi tenant support. I'm working on a
> system to support multiple tenants with many applications. When adding a
> tenant, a realm is created in keycloak. Then, the keycloak clients are
> added in that realm based on the tenant application selection.
> Some of these clients use the authorization support feature and also use
> policy enforcer in their keycloak.config file.
>
> Our system has a small database containing the list of clients for each
> application, corresponding basically to the frontend and a backend of
> these applications. For each client, we have a client representation
> template, an optional resource server representation template. These are
> used to create the client configuration under the tenant's realm in
> keycloak when adding an application to a client.
>
> There is also an optional policy enforcer field in the db. This one
> is used to create the keycloak configuration corresponding to the
> realm/client combination. We have a component called keycloak
> configuration builder. Its role is to retrieve the client configuration
> from keycloak and to add the corresponding policy enforcer. Since we have
> a multi tenant application, the realm is part of the url and therefore ends
> up in the path. For example, we have something like this:
>
> {
>   "realm":"acme",
>   ...
>   "policy-enforcer": {
>     "paths" : [
>       {
>         "name" : "Resource name",
>         "path" : "/acme/operation/*",
>         "methods": [....]
>       }
>     ]
>   }
> }
>
> For this application, the policy enforcer config template would look like
> this:
>
> "policy-enforcer": {
>   "paths" : [
>     {
>       "name" : "Resource name",
>       "path" : "/${REALM}/operation/*",
>       "methods": [....]
>     }...
>   ]
> }
>
> It would be a lot simpler if the keycloak policy enforcer could use
> ${REALM} in the path. Currently, application developers will have to create
> their config using keycloak for their development, then extract the policy
> enforcer, and replace the realm in the paths with ${REALM}. Our keycloak
> configuration builder then has to substitute ${REALM} with the realm.
>
> Thanks,
> Stephane
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
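
The builder-side substitution described in the quoted message, as an added example that is not part of the original thread and is not Keycloak's or the poster's code. The function name `render_policy_enforcer` and the allowed realm-name character set are assumptions; the check matters because the realm value becomes part of the path pattern the enforcer matches.

```python
import copy
import re

# Assumption: a realm name is one URL path segment made of these characters.
REALM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
PLACEHOLDER = "${REALM}"
LEFTOVER_RE = re.compile(r"\$\{[^}]*\}")


def render_policy_enforcer(template: dict, realm: str) -> dict:
    """Return a copy of the policy-enforcer template with ${REALM} filled in."""
    # Reject anything that could alter the pattern the enforcer matches:
    # "/", "*", "..", "{" or "}" in a realm name would widen or move the path.
    if not REALM_RE.fullmatch(realm):
        raise ValueError(f"unsafe realm name: {realm!r}")
    rendered = copy.deepcopy(template)
    for entry in rendered["policy-enforcer"]["paths"]:
        # Substitute in the parsed "path" value only, never in serialized JSON
        # text, so the realm cannot break out of the string it is placed in.
        entry["path"] = entry["path"].replace(PLACEHOLDER, realm)
        # A placeholder the builder does not know must not reach the adapter.
        if LEFTOVER_RE.search(entry["path"]):
            raise ValueError(f"unresolved placeholder in {entry['path']!r}")
    return rendered


# Constructed sample template, shaped like the one quoted in the thread
# ("methods" is left out because the thread elides its content).
TEMPLATE = {
    "policy-enforcer": {
        "paths": [
            {"name": "Resource name", "path": "/${REALM}/operation/*"},
        ]
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(render_policy_enforcer(TEMPLATE, "acme"), indent=2))
```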