[keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.

Alexey Titorenko titorenko at dtg.technology
Fri Feb 1 09:03:18 EST 2019


Thank you, guys!


> On 1 Feb 2019, at 14:35, Dmitry Telegin <dt at acutus.pro> wrote:
> 
> Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :)
> 
> Please see my answer above, I've been able to reproduce the issue and trace it down to the AbstractPolicyEnforcer::getClaims().
> 
> Dmitry
> 
> On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote:
>> Hi,
>> 
>> Could you share the code for your custom CIP, please ? Are you sure the
>> factory's name is the same as what you defined in your adapter
>> configuration ?
>> 
>> Regards.
>> Pedro Igor
>> 
>> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko <titorenko at dtg.technology>
>> wrote:
>> 
>>> Hello guys!
>>> 
>>> Can someone please help me with the following problem?
>>> 
>>> I need to configure context-based access control for my REST service, where
>>> attributes of the protected resources are pushed to the Keycloak server for
>>> policy evaluation. The protected service is built on Spring Boot.
>>> 
>>> I’ve configured the system and all works fine with the OOTB Claim Information
>>> Point provider ‘claims’. But I need a custom one, and this custom CIP is
>>> not working. I see from the debug logging that the policy enforcer calls
>>> ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’,
>>> and thus never instantiates the CIP.
>>> 
>>> Below are the application.properties for Spring Boot and the CIP config file. My
>>> custom CIP Provider has the name ‘document’. I call both /documents/- Get an
>>> 
>>> Thank you,
>>> Alexey
>>> 
>>> application.properties
>>> ----------------------------------
>>> svc.name=docs-uma
>>> server.port = 8085
>>> keycloak.realm=DemoApp
>>> keycloak.auth-server-url=http://localhost:8180/auth
>>> keycloak.ssl-required=external
>>> keycloak.resource=docs-svc-uma
>>> keycloak.cors=true
>>> keycloak.use-resource-role-mappings=true
>>> keycloak.verify-token-audience=false
>>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>>> keycloak.confidential-port=0
>>> keycloak.bearer-only=true
>>> 
>>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
>>> keycloak.securityConstraints[0].authRoles[0] = user
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
>>> 
>>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
>>> keycloak.securityConstraints[1].authRoles[0] = admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>>> 
>>> logging.level.org.keycloak=DEBUG
>>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>> 
>>> # policy enforcer
>>> keycloak.policy-enforcer-config.lazy-load-paths=true
>>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>> 
>>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>>> keycloak.policy-enforcer-config.paths[0].path=/*
>>> 
>>> keycloak.policy-enforcer-config.paths[1].name=Document creation
>>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
>>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
>>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
>>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
>>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>>> 
>>> keycloak.policy-enforcer-config.paths[2].name=Document List
>>> keycloak.policy-enforcer-config.paths[2].path=/documents
>>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
>>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
>>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
>>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>>> 
>>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
>>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
>>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
>>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>> 
>>> 
>>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
>>> ------------------------------------------------------------------------
>>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
>>> 
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
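As an added example, not code from the original post or from Keycloak itself, here is what the factory registered in the quoted META-INF/services file could look like, together with the provider it creates: the factory's getName() returns the same key the adapter configuration uses under claimInformationPointConfig ("document"), and the provider pushes attributes of the requested document as claims for policy evaluation. It assumes the Keycloak adapter SPI of the 4.x era (ClaimInformationPointProviderFactory with getName/init/create and ClaimInformationPointProvider.resolve(HttpFacade)); the in-memory document store, the /documents/{id} path pattern and the claim names are constructed for illustration and are not from the page.

```java
package dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Factory discovered through ServiceLoader via
 * META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory.
 *
 * getName() must return exactly the key used in the adapter config, i.e. the
 * "document" in claimInformationPointConfig.document[...]; that name is what the
 * enforcer matches when deciding which factory's create() to call.
 */
public class DocumentCIPProviderFactory
        implements ClaimInformationPointProviderFactory<DocumentCIPProvider> {

    @Override
    public String getName() {
        return "document";
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // Nothing to set up here; a real provider might build a client to its data source.
    }

    @Override
    public DocumentCIPProvider create(Map<String, Object> config, PolicyEnforcer policyEnforcer) {
        // config holds the claim-name -> value entries from document[...] in the adapter config.
        return new DocumentCIPProvider(config);
    }
}

/**
 * Resolves claims from the resource server's own data for the document named in the
 * request path. These claims are trustworthy because they never come from the client;
 * anything copied from request headers or body would be attacker-controlled input.
 */
class DocumentCIPProvider implements ClaimInformationPointProvider {

    // Constructed sample data standing in for the service's document store (assumption).
    private static final Map<String, Map<String, String>> DOCUMENTS = new HashMap<>();
    static {
        Map<String, String> doc42 = new HashMap<>();
        doc42.put("owner", "alice");
        doc42.put("classification", "internal");
        DOCUMENTS.put("42", doc42);
    }

    // Hypothetical path layout /documents/{id}; ids restricted to a safe character set.
    private static final Pattern DOC_PATH = Pattern.compile("^/documents/([A-Za-z0-9-]+)/?$");

    private final Map<String, Object> config;

    DocumentCIPProvider(Map<String, Object> config) {
        this.config = config;
    }

    @Override
    public Map<String, List<String>> resolve(HttpFacade httpFacade) {
        HttpFacade.Request request = httpFacade.getRequest();
        Map<String, List<String>> claims = new HashMap<>();

        // Request context that policies commonly need.
        claims.put("request.method", Collections.singletonList(request.getMethod()));
        claims.put("request.path", Collections.singletonList(request.getRelativePath()));

        // Document attributes, looked up server-side from the id in the path.
        Matcher m = DOC_PATH.matcher(request.getRelativePath());
        if (m.matches()) {
            Map<String, String> doc = DOCUMENTS.get(m.group(1));
            if (doc != null) {
                for (Map.Entry<String, String> attr : doc.entrySet()) {
                    claims.put("document." + attr.getKey(),
                               Collections.singletonList(attr.getValue()));
                }
            }
        }

        // The raw config entries (e.g. uri={request.method}) are handed to a custom
        // provider as-is; unlike the built-in "claims" provider, nothing resolves the
        // placeholder for you (assumption), so they are only echoed here for debugging.
        for (Map.Entry<String, Object> entry : config.entrySet()) {
            claims.putIfAbsent("config." + entry.getKey(),
                               Collections.singletonList(String.valueOf(entry.getValue())));
        }
        return claims;
    }
}
```

The first thing to check when init() is logged but create() never is, as Pedro asks above, is that the string returned by getName() is byte-for-byte the key used under claimInformationPointConfig for the path in question. The claims a policy then sees carry the same names used in resolve(), so a Keycloak JavaScript or regex policy can test, for example, document.owner against the subject of the token.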