[keycloak-user] default permissions
Corentin Dupont
corentin.dupont at gmail.com
Tue Nov 21 07:58:21 EST 2017
Interesting, thanks!
On Tue, Nov 21, 2017 at 12:12 PM, Emilien Bondu <dev.ebondu at gmail.com>
wrote:
> Hi,
>
> As a first draft of an « unauthenticated » authz, you can have a look here:
>
> https://github.com/ebondu/keycloak/tree/KEYCLOAK-5839/
>
> Interesting classes are:
>
> keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/UnauthenticatedActionsHandler.java
> keycloak/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/UnauthenticatedPolicyEnforcer.java
> keycloak/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakUnauthenticatedActionsFilter.java
>
> Here is a corresponding conf in Spring to use it:
>
> <beans:bean id="keycloakScopeProcessingFilter"
>     class="org.keycloak.adapters.springsecurity.filter.KeycloakUnauthenticatedActionsFilter"/>
> <http auto-config='false' pattern="/v1/public/**" entry-point-ref="authenticationEntryPoint"
>     create-session="stateless" use-expressions="true">
>     ...
>
>     <custom-filter ref="keycloakScopeProcessingFilter" before="FORM_LOGIN_FILTER" />
>     ...
> </http>
>
> Emilien
>
> > On 10 Nov 2017, at 15:02, Pedro Igor Silva <psilva at redhat.com> wrote:
> >
> > I'm glad to take a look at it and see how it could fit in our adapters.
> > Could you create a JIRA and give some link to your code so we can discuss
> > from there?
> >
> > Thanks.
> >
> > On Fri, Nov 10, 2017 at 10:51 AM, Emilien Bondu <dev.ebondu at gmail.com>
> > wrote:
> >
> >> To achieve this, I implemented a KeycloakAnonymousActionsFilter filter to
> >> handle requests, associated with an AnonymousActionsHandler (extending the
> >> official AuthenticatedActionsHandler) and an AnonymousPolicyEnforcer
> >> (extending the official AbstractPolicyEnforcer). Do you think this code
> >> should be added to the official spring-adapter?
> >>
> >>
> >> On 10 Nov 2017, at 12:12, Pedro Igor Silva <psilva at redhat.com> wrote:
> >>
> >> @Emilien Bondu, I was looking at that thread again and now I'm wondering if
> >> you ended up with something you can share.
> >>
> >> On Fri, Nov 10, 2017 at 9:07 AM, Emilien Bondu <dev.ebondu at gmail.com>
> >> wrote:
> >>
> >>> Hi,
> >>>
> >>> Maybe you should have a look here:
> >>>
> >>> http://lists.jboss.org/pipermail/keycloak-user/2017-March/009830.html
> >>>
> >>>
> >>> On 10 Nov 2017, at 11:33, Pedro Igor Silva <psilva at redhat.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> I think you could probably change your application and remove the
> >>> resources/paths you want to make public from the list of resources
> >>> protected by the adapter.
> >>>
> >>> On Thu, Nov 9, 2017 at 2:06 PM, Corentin Dupont <
> >>> corentin.dupont at gmail.com>
> >>> wrote:
> >>>
> >>> Another question: how to apply default authorizations?
> >>>
> >>> I want to protect my API with authorization in Keycloak. However some
> >>> resources should be open to the public, accessible without any bearer
> >>> token.
> >>> My idea was:
> >>> - create an "unregistered_user" composite role, containing some basic
> >>> roles
> >>> - create a "guest" user, with the unregistered_user role
> >>> - on the API server, if there is no token in the request I will get the
> >>> roles of the guest user and use them. If there is a token, I'll use that
> >>> user's permissions.
> >>> What do you think of that process?
> >>>
> >>> Thanks
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
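The decision flow discussed in this thread (no token means guest defaults, a token means that user's own roles), as an added Java example that is not code from the thread, from the linked branch or from Keycloak. The class, the role names, the `/v1/orders/` path and the token table are hypothetical, and token validation is passed in as a function because in a real deployment the adapter performs it. Requires Java 9 or later.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

public class DefaultPermissions {
    enum Decision { ALLOW, UNAUTHORIZED, FORBIDDEN }

    private final Set<String> guestRoles;            // roles of a request without a token
    private final Map<String, String> requiredRole;  // path prefix -> role needed
    // Stand-in for the adapter's token validation: roles if valid, empty otherwise.
    private final Function<String, Optional<Set<String>>> verifier;

    DefaultPermissions(Set<String> guestRoles, Map<String, String> requiredRole,
                       Function<String, Optional<Set<String>>> verifier) {
        this.guestRoles = guestRoles;
        this.requiredRole = requiredRole;
        this.verifier = verifier;
    }

    Decision decide(String path, String authorization) {
        Set<String> roles = guestRoles;              // no header: default permissions
        if (authorization != null) {
            if (!authorization.startsWith("Bearer ")) return Decision.UNAUTHORIZED;
            Optional<Set<String>> verified = verifier.apply(authorization.substring(7));
            // A token that fails validation is rejected, never downgraded to guest.
            if (!verified.isPresent()) return Decision.UNAUTHORIZED;
            roles = verified.get();
        }
        String needed = null;
        int longest = -1;
        for (Map.Entry<String, String> rule : requiredRole.entrySet()) {
            String prefix = rule.getKey();           // longest matching prefix wins
            if (path.startsWith(prefix) && prefix.length() > longest) {
                longest = prefix.length();
                needed = rule.getValue();
            }
        }
        if (needed != null && roles.contains(needed)) return Decision.ALLOW;
        // Paths without a rule are denied; a guest gets UNAUTHORIZED so it can log in.
        return authorization == null ? Decision.UNAUTHORIZED : Decision.FORBIDDEN;
    }

    public static void main(String[] args) {
        // Constructed sample data: one known token and two path rules.
        Map<String, Set<String>> tokens = Map.of("tok-alice", Set.of("public_read", "orders_read"));
        DefaultPermissions authz = new DefaultPermissions(Set.of("public_read"),
            Map.of("/v1/public/", "public_read", "/v1/orders/", "orders_read"),
            t -> Optional.ofNullable(tokens.get(t)));
        System.out.println(authz.decide("/v1/public/news", null));
        System.out.println(authz.decide("/v1/orders/42", null));
        System.out.println(authz.decide("/v1/orders/42", "Bearer tok-alice"));
        System.out.println(authz.decide("/v1/public/news", "Bearer expired"));
    }
}
```

Keeping the guest role set in the API server's own configuration, as here, avoids a lookup of the guest user's roles on every anonymous request.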