[keycloak-user] Authorization issue (missing customized provider roles)

Luis Villaça luis.villaca at gmail.com
Fri Mar 2 08:28:34 EST 2018


Greetings,

I am implementing a strategy to reuse our company's authentication /
authorization strategy with Keycloak. I've read the documentation and
started a use case based on the links below:

http://www.keycloak.org/docs/3.3/server_development/topics/providers.html#providers
http://www.keycloak.org/docs/3.0/server_development/topics/user-storage/simple-example.html

So far I have a class that implements UserStorageProviderFactory and
instantiates my own Provider (implementing UserStorageProvider,
UserLookupProvider and CredentialInputValidator). For the last one
I've overridden the method "isValid..", where I am validating
UserModel by calling our solution, using credentials captured in
Keycloak login screen, which works fine.

Now, at this same place I am also setting this user's roles (those
roles were never included in Keycloak Realm, I am pulling from my
provider), and the way I was able to push those into UserModel was
calling grantRole method of my UserModel, and providing a UserAdapter
for that (AbstractUserAdapter throws a ReadOnlyException). I am able
to include my roles by using getRoleMappingsInternal (I use my own
Set<RoleModel>), so that in my SpringBoot configuration I am able to
use the setting below:
.antMatchers("/monitoring/**").hasRole("MONITOR_PORTAL")

The issue starts only when my access token lifespan expires (I've tested
it with different settings). It does a call to Keycloak, retrieves the
authenticated User, redirects back to my app, but the role I included
right after I logged in is lost.

I couldn't find anywhere in the server how to adjust this behavior, or
at least some point to intercept the event of token refresh. So I have a
couple of questions here:

1) Am I on the right path? Maybe I am overcomplicating something that
should be simpler.
2) How is UserModel rebuilt after refreshing the token?
3) Is there another SPI interface indicated for my case?

Appreciate your attention, thanks in advance!

My SpringBoot settings follow:

application.yml
=============
keycloak:
  realm: SpringBootCA4
  auth-server-url: http://10.30.211.101:8081/auth
  ssl-required: external
  resource: dashboard
  credentials:
    secret: 2xxxxxxf
  autodetect-bearer-only: true
  confidential-port: 0
  principal-attribute: preferred_username

build.gradle
===========
    compile("org.springframework.boot:spring-boot-starter-web")
    testCompile("org.springframework.boot:spring-boot-starter-test")
    compile group: 'javax.servlet', name: 'javax.servlet-api', version: '4.0.0'
    compile group: 'org.json', name: 'json', version: '20171018'
    compile group: 'org.apache.poi', name: 'poi-ooxml', version: '3.17'
    compile group: 'commons-io', name: 'commons-io', version: '2.6'
    compile group: 'mysql', name: 'mysql-connector-java', version: '6.0.6'
    compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '1.5.10.RELEASE'
    compile group: 'org.keycloak', name: 'keycloak-tomcat8-adapter', version: '3.4.3.Final'
    compile group: 'org.keycloak', name: 'keycloak-spring-boot-adapter', version: '3.4.3.Final'

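The following is an added example, not code from the original post or from the Keycloak project. It shows the shape a User Storage SPI provider takes when the externally managed roles must survive a token refresh: the roles are resolved inside the lookup methods (getUserById / getUserByUsername) and handed to the UserAdapter at construction time, so every UserModel Keycloak builds for this user, whether at login or when the server re-reads the user during refresh, already carries them through getRoleMappingsInternal, while isValid only checks the password and grants nothing. It is written against the Keycloak 3.4 API used on this page; CompanyDirectoryClient, its methods, and the class names are hypothetical stand-ins for the company's own authentication service, and the example assumes that a realm role of the same name exists for each external role (realm.getRole returns null otherwise, and such roles are skipped).

```java
// Added example (not from the original post): roles attached on every lookup.
import java.util.HashSet;
import java.util.Set;

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

/** Hypothetical stand-in for the company's own authentication service. */
interface CompanyDirectoryClient {
    boolean userExists(String username);
    boolean checkPassword(String username, String password);
    Set<String> rolesOf(String username);
}

public class CompanyUserStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    private final KeycloakSession session;
    private final ComponentModel model;
    private final CompanyDirectoryClient directory;

    public CompanyUserStorageProvider(KeycloakSession session, ComponentModel model,
                                      CompanyDirectoryClient directory) {
        this.session = session;
        this.model = model;
        this.directory = directory;
    }

    // ---- UserLookupProvider: used at login and again when Keycloak re-reads the user ----
    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Federated ids have the form "f:<component-id>:<external-id>"; the
        // external part is the username in this provider.
        return getUserByUsername(new StorageId(id).getExternalId(), realm);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        if (!directory.userExists(username)) {
            return null;
        }
        // Resolve the external role names to realm RoleModels on EVERY lookup, so a
        // freshly built adapter (e.g. during refresh) carries them without help from isValid.
        Set<RoleModel> roles = new HashSet<>();
        for (String roleName : directory.rolesOf(username)) {
            RoleModel role = realm.getRole(roleName); // assumption: realm role exists
            if (role != null) {
                roles.add(role);
            }
        }
        return new CompanyUserAdapter(session, realm, model, username, roles);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return null; // the hypothetical directory does not support e-mail lookup
    }

    // ---- CredentialInputValidator: only verifies the password, never grants roles ----
    @Override
    public boolean supportsCredentialType(String credentialType) {
        return CredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType);
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String password = ((UserCredentialModel) input).getValue();
        return directory.checkPassword(user.getUsername(), password);
    }

    @Override
    public void close() {
    }

    /** Read-only adapter; the only state it adds is the externally sourced role set. */
    static class CompanyUserAdapter extends AbstractUserAdapter {
        private final String username;
        private final Set<RoleModel> roles;

        CompanyUserAdapter(KeycloakSession session, RealmModel realm, ComponentModel model,
                           String username, Set<RoleModel> roles) {
            super(session, realm, model);
            this.username = username;
            this.roles = roles;
        }

        @Override
        public String getUsername() {
            return username;
        }

        @Override
        protected Set<RoleModel> getRoleMappingsInternal() {
            return roles; // AbstractUserAdapter merges these with the realm default roles
        }
    }
}
```

The design point is that the adapter is the only object whose lifetime matches the UserModel: anything granted from inside isValid lives on the adapter instance that was built for the login request, and a later lookup constructs a new one. Sourcing the roles in the lookup path also means a user whose roles are removed in the external system loses them at the next refresh rather than keeping a stale mapping.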