[keycloak-user] Policy Enforcer in Spring Security Adapter

Илья Король llivezking at gmail.com
Mon Mar 27 02:51:40 EDT 2017


Does Spring Security Adapter completely support Keycloak Authorization
Capabilities?
We use Keycloak 2.5.5, and trying to use authorization features of keycloak.

1. First time i tried to enable authorization for <bearer-only> client. In
admin console i set client type to <bearer-only> then i defined resource
/profile, rule-policy (is ROLE_USER granted) and permission for /profile
resource with mentioned policy.

Keycloak gave me following config:
{
  "realm": "test",
  "bearer-only": true,
  "auth-server-url": "http://localhost:8081/auth",
  "ssl-required": "external",
  "resource": "apps-backend",
  "credentials": {
    "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
  },
  "policy-enforcer": {}
}

At start application failed due client configured as <bearer-only> in
keycloak so i changed it to confidential
(in keycloak.json it remains as "bearer-only": true)

when application starts i can see log messages that paths could not be
found, so adapter takes them from keycloak server.

next if i try to send request via postman with "Authentication": "Bearer
${access_token}" (token retrieved from keycloak via another direct_grant
client) i can see that adapter recognized realm roles, but there is nothing
in logs about anything related to permissions or authorization.

After RTFM i realized that i should use PRT token. So i got it via
Entitlement API and repeat request to application with RPT as bearer token
(according to documentation). But nothing changes.

Also if i try to get AuthorizationContext i will get null:

        Authentication auth =
SecurityContextHolder.getContext().getAuthentication();
        KeycloakPrincipal principal = (KeycloakPrincipal)
auth.getPrincipal();

        principal.getKeycloakSecurityContext().getAuthorizationContext()
  // THERE i GOT NULL

Then i tried to manually add all resource configs to adapter config
(keycloak.json). Nothing changes except that if i define some scopes for
resource in logs i get "... scopes: [] ..."

Then i tried to configure client similarly to "photoz-restful-api" (from
keycloak/examples/authz/photoz/photoz-restful-api/) so in keycloak client
configured as confidential with standard-flow but in adapter config it set
to "bearer-only". Fail again(

So i don't know to which direction i should dig. Is there my mistakes or
Spring Adapter does not fully support these features.

Another question for that i didn't find clear answer in documentation is
when and how Policy Enforcer works? For example if i make GET request to
/resource should i manually check AuthorizationContext for appropriate
permissions or Policy Enforcer will recognize requested path and challenge
permissions from provided bearer (RPT?) token before request processing
achieve any controller code?


P.S. here some slice of RPT token (token for admin user which has
permissions for all resources - keycloak evaluation page states that i my
configuration is right):

  "realm_access": {
    "roles": [
      "ROLE_USER",
      "ROLE_ADMIN"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "view-identity-providers",
        "view-realm",
        "manage-identity-providers",
        "impersonation",
        "realm-admin",
        "create-client",
        "manage-users",
        "view-authorization",
        "manage-events",
        "manage-realm",
        "view-events",
        "view-users",
        "view-clients",
        "manage-authorization",
        "manage-clients"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "resource_set_id": "1faf5618-6229-4919-80f9-971eeae2330d",
        "resource_set_name": "User Profile"
      },
      {
        "scopes": [
          "urn:apps-backend-second:scopes:profile:userinfo:edit",
          "urn:apps-backend-second:scopes:profile:userinfo:view"
        ],
        "resource_set_id": "5d9fdee7-7d14-4a16-9800-2adc25734463",
        "resource_set_name": "User Info"
      },
      {
        "scopes": [
          "urn:apps-backend-second:scopes:profile:permissions:view"
        ],
        "resource_set_id": "33ed1b64-9d4c-445c-a59d-e5090d67c549",
        "resource_set_name": "User Permissions"
      }
    ]
  }


More information about the keycloak-user mailing list