[keycloak-user] Policy Enforcer in Spring Security Adapter

ebondu dev.ebondu at gmail.com
Mon Mar 27 10:02:40 EDT 2017


Илья Король wrote
> Hi. Thanks for the comment. Please could you share your configs or at least
> what methods did you use? Manual configuration in keycloak.json or
> relying on resources defined in Keycloak?

Both: all resources are defined in keycloak.json (method paths) and
also as resources in the Keycloak server.


Илья Король wrote
> And correct me if I'm wrong:
> 
> Authorization requires an RPT token, so for a bearer-only client (backend) I
> must provide this token, which is retrieved beforehand via the Entitlement
> API or the UMA protocol?

You are right, I am using the UMA protocol but it should also work with
Entitlement.


Илья Король wrote
> And how should the client be configured in Keycloak? As bearer-only or
> confidential? As I said, my application started only if I configured it
> in Keycloak as confidential (if I make it bearer-only it fails to start
> and complains about credentials).

I configured the client as confidential.


Илья Король wrote
> Another thing that I didn't catch is resource method configuration (for
> instance):
> { "method": "DELETE", "scopes" : ["urn:app.com:scopes:delete"] }
> If I configure the adapter to retrieve all resource settings from Keycloak, how
> can I configure methods for resources and their scopes in the Keycloak Admin
> Console?

Methods and associated scopes are configured in keycloak.json only.
Resources, scopes and associated policies are defined in Keycloak.

A small extract from the config:

keycloak.json:

{
   "realm": "...",
   "resource": "backend",
   ...
   "bearer-only": true,
   ...
   "policy-enforcer": {
      "create-resources": false,
      "user-managed-access": {
      },
      "enforcement-mode": "ENFORCING",
      "paths": [
         {
            "path": "/yourMethod",
            "methods": [
               {
                  "method": "POST",
                  "scopes": [
                     "urn:app:scopes:create"
                  ]
               },
               ...
            ]
         }
      ]
   }
}

realm authz JSON:

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "My Resource",
      "uri": "/myMethod",
      "scopes": [
        {
          "name": "urn:app:scopes:create"
        },
        ...
      ]
    }
  ],
  "policies": [...your policies],
  "scopes": [
    {
      "name": "urn:app:scopes:create"
    },
    ...
  ]
}




--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Policy-Enforcer-in-Spring-Security-Adapter-tp3324p3334.html
Sent from the keycloak-user mailing list archive at Nabble.com.
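The split described in this reply (method-to-scope mapping in keycloak.json, resources and policies in the Keycloak server, permissions carried by the RPT) is easiest to see in a small simulation of the enforcement decision. The Python below is an added example written for this archive page; it is not Keycloak's adapter code and not the poster's configuration. It assumes a decoded RPT whose "authorization.permissions" entries carry "rsname" and "scopes" (the shape Keycloak issues, but treated here as an assumption), matches configured paths with shell-style wildcards rather than the adapter's own matcher, and, for a protected path whose method is not listed, falls back to the path-level "scopes" list (empty set meaning "any permission on that resource"), which is a simplification. The enforcement-mode values ENFORCING, PERMISSIVE and DISABLED follow the documented semantics: ENFORCING denies requests for which nothing is configured, PERMISSIVE allows them.

```python
"""Simulated Keycloak-style policy enforcement decision (illustration only)."""
import json
import time
from fnmatch import fnmatchcase

# Constructed "policy-enforcer" extract in the shape quoted in the thread.
# "name" binds the path to the resource defined server-side ("My Resource").
ENFORCER_CONFIG = json.loads("""
{
  "enforcement-mode": "ENFORCING",
  "paths": [
    {
      "name": "My Resource",
      "path": "/yourMethod",
      "methods": [
        {"method": "POST",   "scopes": ["urn:app:scopes:create"]},
        {"method": "DELETE", "scopes": ["urn:app:scopes:delete"]}
      ]
    },
    {"path": "/public/*", "enforcement-mode": "DISABLED"}
  ]
}
""")

# Constructed, already-decoded RPT claims: the server granted only the
# "create" scope on "My Resource". Real RPTs are signed JWTs; signature
# verification is assumed to have happened before this point.
RPT_CLAIMS = {
    "exp": 2_000_000_000,
    "authorization": {
        "permissions": [
            {"rsname": "My Resource", "scopes": ["urn:app:scopes:create"]}
        ]
    },
}


def match_path(config, path):
    """Return the first configured path entry matching the request path.

    Shell-style wildcards ("/public/*") are used here as a simplification
    of the adapter's own path matching.
    """
    for entry in config.get("paths", []):
        if fnmatchcase(path, entry["path"]):
            return entry
    return None


def required_scopes(config, method, path):
    """Return (effective_mode, resource_name, required_scope_set).

    A path-level "enforcement-mode" overrides the global one. The resource
    name is the path's "name", defaulting to the path pattern itself.
    """
    mode = config.get("enforcement-mode", "ENFORCING")
    entry = match_path(config, path)
    if entry is None:
        return mode, None, set()
    mode = entry.get("enforcement-mode", mode)
    resource = entry.get("name", entry["path"])
    for m in entry.get("methods", []):
        if m["method"].upper() == method.upper():
            return mode, resource, set(m.get("scopes", []))
    # Assumption: unlisted method falls back to path-level scopes.
    return mode, resource, set(entry.get("scopes", []))


def granted_scopes(rpt_claims, resource_name):
    """Union of scopes the RPT grants on a resource; None if no permission."""
    found = None
    perms = rpt_claims.get("authorization", {}).get("permissions", [])
    for p in perms:
        if p.get("rsname") == resource_name:
            found = (found or set()) | set(p.get("scopes", []))
    return found


def is_permitted(config, rpt_claims, method, path, now=None):
    """Decide whether the request may proceed, given the decoded RPT (or None)."""
    now = time.time() if now is None else now
    mode, resource, needed = required_scopes(config, method, path)
    if mode == "DISABLED":
        return True
    if resource is None:
        # Nothing configured for this path: ENFORCING denies, PERMISSIVE allows.
        return mode == "PERMISSIVE"
    if rpt_claims is None or rpt_claims.get("exp", 0) <= now:
        return False  # no token or expired token
    have = granted_scopes(rpt_claims, resource)
    return have is not None and needed <= have


if __name__ == "__main__":
    for method, path in [("POST", "/yourMethod"), ("DELETE", "/yourMethod"),
                         ("GET", "/public/x"), ("GET", "/other")]:
        print(method, path, is_permitted(ENFORCER_CONFIG, RPT_CLAIMS, method, path))
```

The DELETE case is the one the thread is really about: the RPT was obtained for "My Resource" but does not carry the "delete" scope, so the adapter-side method mapping denies it even though the resource itself is known to the server. Swapping the global mode to PERMISSIVE changes only the unconfigured "/other" outcome, never the outcome for a protected path.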


