I'm trying to figure out how to work with the Authorization Services and
an RPC-style API.

For reference, I'm using Spring Boot, graphql-java, graphql-java-tools
and the Keycloak Spring Security adapter.

I wish to know how I can call the enforcer programmatically in my GraphQL

Since I am not using http paths I need to build the authorization
request depending on which resolver is called.

Some of the API requests are public - they don't require user

Some are private and require user authentication and authorization. 


We have a GraphQL-based API that we would like to expose. It's also
multi-tenant and a User (in Keycloak) can be a member of multiple tenants.

What I am trying to achieve is to secure access to resources like
/{org_id}/project/{id} (complex version) or /account/{org_id} - (simple

I would like to call the enforcer at the beginning of each resolver and
build the authorization request there - also providing the tenant id for


I managed to make the integration work and I can get the AccessToken:

How can I make the authorization call and provide the tenant ID to the
policy as a claim?

I know about [cip-spi], just not clear how to make things happen.

I imagine I have to build a resource like /{org_id}/project/{id} and
provide the tenant_id and id values.

public class QueryResolver implements GraphQLQueryResolver {

  public CompletableFuture<Project> getProject(Long id, Long tenanID, DataFetchingEnvironment dfe) {
    HttpServletRequest req =
        ((GraphQLContext) dfe.getExecutionContext().getContext())
            .orElseThrow(() -> new IllegalStateException("Request object is missing"));
    KeycloakAuthenticationToken authToken = (KeycloakAuthenticationToken) req.getUserPrincipal();
    if (authToken != null) {
      // we have an authenticated user
      KeycloakPrincipal principal = (KeycloakPrincipal)
      AccessToken accessToken =
      log.info("Authenticated with {}", accessToken.getEmail());
    } else {
      log.info("User not authenticated ");




