[keycloak-user] keycloak authorization services (enforcer) with RPC API - GraphQL or GRPC

Pedro Igor Silva psilva at redhat.com
Wed Feb 27 11:26:58 EST 2019


This looks interesting. Have you checked this part of the docs [1]?

In a nutshell, in order to push arbitrary claims to your policies, you use
a specific request parameter when sending an authorization request to the
token endpoint. The value of this parameter is a JSON in Base64 format.

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims


On Wed, Feb 27, 2019 at 1:17 PM Eugen Stan <ieugen at netdava.com> wrote:

> Hello,
>
> I'm trying to figure out how to work with the Authorization Services and
> a RPC style API.
>
> For reference, I'm using spring boot, graphql-java and
> graphql-java-tools and keycloak spring security adapter.
>
> I wish to know how can I call the enforcer pragmatically in my graphql
> resolvers.
>
> Since I am not using http paths I need to build the authorization
> request depending on which resolver is called.
>
> Some of the API requests are public - they don't require user
> authentication.
>
> Some are private and require user authentication and authorization.
>
> *Background*
>
> We have a GraphQL based API that we would like to expose. It's also
> multi-tenant and a User (in Keycloak) can be a member of multiple tenants.
>
> What I am trying to achieve is to secure access to resource like
> /{org_id}/project/{id} (complex version) or /account/{org_id} - (simple
> version)
>
> I would like to call the enforcer at the beginning of each resolver and
> build the authorization request there - also providing the tenant id for
> authorization.
>
> *Example*
>
> I managed to make the integration work and I can get the AccessToken:
>
> How can I make the authorization call and provide the tenant ID to the
> policy as a claim?
>
> I know about [cip-spi], just not clear how to make things happen.
>
> I imagine I have to build a resource like /{org_id}/project/{id} and
> provide the tenant_id and id values.
>
>
> // imports added so the snippet compiles; package names follow graphql-java-tools 5.x,
> // graphql-java-servlet and the Keycloak Spring Security adapter of that time
> import java.util.concurrent.CompletableFuture;
> import javax.servlet.http.HttpServletRequest;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
> import org.keycloak.KeycloakPrincipal;
> import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
> import org.keycloak.representations.AccessToken;
> import com.coxautodev.graphql.tools.GraphQLQueryResolver;
> import graphql.schema.DataFetchingEnvironment;
> import graphql.servlet.GraphQLContext;
>
> public class QueryResolver implements GraphQLQueryResolver {
>
>   private static final Logger log = LoggerFactory.getLogger(QueryResolver.class);
>
>   public CompletableFuture<Project> getProject(Long id, Long tenantId,
>       DataFetchingEnvironment dfe) {
>     // the servlet request is carried in the GraphQL context by graphql-java-servlet
>     HttpServletRequest req =
>         ((GraphQLContext) dfe.getExecutionContext().getContext())
>             .getHttpServletRequest()
>             .orElseThrow(() -> new IllegalStateException("Request object is missing"));
>     KeycloakAuthenticationToken authToken =
>         (KeycloakAuthenticationToken) req.getUserPrincipal();
>     if (authToken != null) {
>       // we have an authenticated user
>       KeycloakPrincipal principal = (KeycloakPrincipal) authToken.getPrincipal();
>       AccessToken accessToken =
>           principal.getKeycloakSecurityContext().getToken();
>       log.info("Authenticated with {}", accessToken.getEmail());
>     } else {
>       log.info("User not authenticated");
>     }
>     // the authorization call and the project lookup are still to be added;
>     // return an empty result so the class compiles as posted
>     return CompletableFuture.completedFuture(null);
>   }
> }
>
>
> Thanks,
>
> Eugen
>
>
> [1]
>
> https://www.keycloak.org/docs/4.8/authorization_services/#claim-information-provider-spi
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
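As an added illustration of Pedro's reply applied to Eugen's tenant-scoped project lookup (not code from the thread or from Keycloak), the Python below builds the Base64 claim_token and the form body sent to the token endpoint; because the resource server asserts that claim itself, the policy must still check the pushed tenant against the user's memberships. Parameter names are taken from the docs section linked in the reply; the client id, the resource name "Project <id>" and the scope are assumptions.

```python
import base64
import json
from typing import Dict, List, Mapping

# Parameter names for the UMA grant come from the Keycloak "pushing claims" docs
# section linked in the reply above; the mail body itself does not name them.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
CLAIM_TOKEN_FORMAT_JWT = "urn:ietf:params:oauth:token-type:jwt"


def encode_claim_token(claims: Mapping[str, List[str]]) -> str:
    """Serialize the pushed claims as JSON and Base64-encode them (claim_token)."""
    if not claims:
        raise ValueError("refusing to push an empty claim set")
    raw = json.dumps(dict(claims), separators=(",", ":"), sort_keys=True)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_claim_token(token: str) -> Dict[str, List[str]]:
    """Inverse of encode_claim_token; lets a resolver test log what it pushed."""
    claims = json.loads(base64.b64decode(token, validate=True))
    if not isinstance(claims, dict):
        raise ValueError("claim_token must decode to a JSON object")
    return claims


def build_authorization_request(resource_server_client_id: str, org_id: str,
                                project_id: str, scope: str) -> Dict[str, str]:
    """Form body for POST .../protocol/openid-connect/token asking the resource
    server's policies to evaluate one project while the tenant is pushed as a
    claim. Naming the resource "Project <id>" is an assumption; it has to match
    the resource registered for the client in Keycloak."""
    if not org_id or not project_id:
        raise ValueError("org_id and project_id are required")
    return {
        "grant_type": UMA_TICKET_GRANT,
        "audience": resource_server_client_id,
        "permission": f"Project {project_id}#{scope}",  # RESOURCE_NAME#SCOPE
        "claim_token": encode_claim_token({"tenant_id": [str(org_id)]}),
        "claim_token_format": CLAIM_TOKEN_FORMAT_JWT,
    }


def authorization_headers(user_access_token: str) -> Dict[str, str]:
    """The caller's own access token (what QueryResolver already extracts) goes in
    the Authorization header, so the policy sees the pushed tenant for that user."""
    return {"Authorization": f"Bearer {user_access_token}",
            "Content-Type": "application/x-www-form-urlencoded"}
```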
