[keycloak-user] Policy enforcer without roles in token

Matteo Restelli mrestelli at cuebiq.com
Mon Nov 11 08:40:00 EST 2019


Hi Pedro,
thank you for your reply.
No, i wasn't the one who requested the feature, anyway i'm still interested
into it. Our use case includes several microservices (which represents
modules of our PaaS) which performs authorization checks against realm
based roles. Every microservices has each own client containing its
authorization checks.
Besides the PR (which is really really interesting and i hope it will be
included in further releases), what are your recommendations to reduce the
access token size? I'm asking this because in some browsers there are
limits (4KB) about cookies & headers length. I can imagine those solutions:

- Keep the token "light" and perform a token exchange into our gateway once
we receive the token from the single page application, in order to retrieve
a new token with all the realms roles associated to the user
- Use some particular mode of the adapter which will do the necessary to
retrieve the roles (but i can't find something like that in the docs)
- Use RPT? Once the gateway receives the access token, perform the RPT
request to retrieve a token with all the permissions for the particular
client
- Something else unknown to us? :)

Have you ever faced this kind of problem?

Thank you again,
Matteo

On Mon, Nov 11, 2019 at 1:20 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> We had a PR [1] for addressing this use case but it was closed due to not
> enough quorum to support the changes.
>
> While we should keep policy enforcement based on the state carried by
> tokens, I see as an improvement to also allow users, on a per-use case
> basis, to fetch roles directly from the realm instead, even if they are not
> available in the token.
>
> I can't remember now, but I'm wondering if was you that first requested
> this so I ended up working on these changes?
>
> Regards.
> Pedro Igor
>
> [1] https://github.com/keycloak/keycloak/pull/6163
>
> On Mon, Nov 11, 2019 at 5:43 AM Matteo Restelli <mrestelli at cuebiq.com>
> wrote:
>
>> Hi guys,
>> we’re experiencing issues about JWT access_token size and we were planning
>> to remove the “roles” claim as a default, so to remove the claim from the
>> access_token. Once we do that, the KC adapter / policy enforcer returns a
>> 403. So at this point, does the access_token must have the roles inside
>> it?
>> Or it’s another problem which is giving us the 403?
>>
>> Thank you!
>> Matteo
>>
>> --
>>
>> Like <https://www.facebook.com/cuebiq/> I Follow
>> <https://twitter.com/Cuebiq>I Connect
>> <https://www.linkedin.com/company/cuebiq>
>>
>>
>> This email is reserved
>> exclusively for sending and receiving messages inherent working
>> activities,
>> and is not intended nor authorized for personal use. Therefore, any
>> outgoing messages or incoming response messages will be treated as
>> company
>> messages and will be subject to the corporate IT policy and may possibly
>> to
>> be read by persons other than by the subscriber of the box. Confidential
>> information may be contained in this message. If you are not the address
>> indicated in this message, please do not copy or deliver this message to
>> anyone. In such case, you should notify the sender immediately and delete
>> the original message.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-- 

Like <https://www.facebook.com/cuebiq/> I Follow  
<https://twitter.com/Cuebiq>I Connect 
<https://www.linkedin.com/company/cuebiq>


This email is reserved 
exclusively for sending and receiving messages inherent working activities, 
and is not intended nor authorized for personal use. Therefore, any 
outgoing messages or incoming response messages will be treated as company 
messages and will be subject to the corporate IT policy and may possibly to 
be read by persons other than by the subscriber of the box. Confidential 
information may be contained in this message. If you are not the address 
indicated in this message, please do not copy or deliver this message to 
anyone. In such case, you should notify the sender immediately and delete 
the original message.


More information about the keycloak-user mailing list