
Update DevServices for Keycloak to create authorization policies #21276

Conversation

sberyozkin
Copy link
Member

Fixes #21040

This PR attempts to support running keycloak-authorization with DevServices for Keycloak without having to import a custom realm.
DevServices for Keycloak creates a default realm, client, users, roles when no custom realm is added. With this PR, authorization permissions will also be added, so given only a configuration like this one:

```
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.devservices.authorization.paths.user=/api/users/me
quarkus.keycloak.devservices.authorization.paths.admin=/api/admin
```

quarkus-quickstarts/security-keycloak-authoroization-quickstart just works in the dev mode - a default user alice who has both admin and user roles can access both api/admin and api/users/me, while bob - with only a user role - can only access api/users/me.

@pedroigor, I've copied some code from integration-tests/keycloak-authorization/.../KeycloakTestResource to set up the basic permissions - for every configured role and path pair in quarkus.keycloak.devservices.authorization.paths this code is run, and more specifically this one (I'll clean it up a bit more - will try to generate unique names).

Now, starting quarkus-quickstarts/security-keycloak-authoroization-quickstart with the above configuration and mvn quarkus:dev produces:

```
Could not obtain configuration from server [http://localhost:32783/auth/realms/quarkus/.well-known/uma2-configuration].
	at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:266)
	at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:105)
	at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:65)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.createPolicyEnforcer(KeycloakPolicyEnforcerRecorder.java:101)
```

Pedro, can you help a bit and recommend what else may have to be added to the client registration code? I guess I need to copy something else from KeycloakTestResource but I'm not sure what :-)

thanks
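The role/path mapping the PR description proposes can be modelled end to end in a few lines: parse the `quarkus.keycloak.devservices.authorization.paths.<role>=<path>` properties, derive one resource, one role policy and one resource permission per pair, and evaluate the alice/bob scenario from the description against the result. This is an added example, not code from this PR, from Quarkus or from Keycloak; the representation field names (`uris`, `type`, `logic`, `decisionStrategy`, `roles[].id/required`) follow Keycloak's authorization REST representations as I know them and should be treated as assumptions, and path matching here is exact (no wildcard paths).

```python
"""Model of the proposed DevServices authorization setup (added example, not PR code).

Assumptions: Keycloak representation shapes for resources, role policies and
resource permissions; exact URI matching; every path not covered by a resource
is denied, as the policy enforcer does in its enforcing mode.
"""
from typing import Dict, List, Set, Tuple

PREFIX = "quarkus.keycloak.devservices.authorization.paths."

# Constructed sample configuration, copied from the PR description above.
SAMPLE_CONFIG = """
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.devservices.authorization.paths.user=/api/users/me
quarkus.keycloak.devservices.authorization.paths.admin=/api/admin
"""


def parse_paths(config_text: str) -> List[Tuple[str, str]]:
    """Extract (role, path) pairs; blank lines, comments and other keys are ignored."""
    pairs: List[Tuple[str, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            role = key[len(PREFIX):]
            if role and value:
                pairs.append((role, value))
    return pairs


def build_authz_model(pairs: List[Tuple[str, str]]) -> Dict[str, List[dict]]:
    """One resource, role policy and resource permission per (role, path) pair.

    Names are derived from the role so that the objects created for different
    roles never clash (the PR description mentions wanting unique names).
    In a real DevServices implementation these dicts would be POSTed to the
    realm's admin API under .../clients/{id}/authz/resource-server/ (assumption).
    """
    resources, policies, permissions = [], [], []
    for role, path in pairs:
        res_name, pol_name = f"{role}-resource", f"{role}-policy"
        resources.append({"name": res_name, "uris": [path]})
        policies.append({
            "name": pol_name, "type": "role", "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            # role name stands in for the role id the server would resolve
            "roles": [{"id": role, "required": True}],
        })
        permissions.append({
            "name": f"{role}-permission", "type": "resource",
            "resources": [res_name], "policies": [pol_name],
            "decisionStrategy": "UNANIMOUS",
        })
    return {"resources": resources, "policies": policies, "permissions": permissions}


def is_permitted(model: Dict[str, List[dict]], user_roles: Set[str], path: str) -> bool:
    """Enforcer-style decision: the request is allowed when some permission covers
    a resource matching the path and all of that permission's policies hold."""
    policies = {p["name"]: p for p in model["policies"]}
    resources = {r["name"]: r for r in model["resources"]}

    def policy_holds(pol: dict) -> bool:
        required = {r["id"] for r in pol["roles"] if r["required"]}
        return required.issubset(user_roles)

    for perm in model["permissions"]:
        covers = any(path in resources[n]["uris"] for n in perm["resources"])
        if covers and all(policy_holds(policies[n]) for n in perm["policies"]):
            return True
    return False


if __name__ == "__main__":
    model = build_authz_model(parse_paths(SAMPLE_CONFIG))
    for user, roles in {"alice": {"admin", "user"}, "bob": {"user"}}.items():
        for path in ("/api/admin", "/api/users/me"):
            print(user, path, "allowed" if is_permitted(model, roles, path) else "denied")
```

Running it reproduces the behaviour described above: alice (admin and user) is allowed on both paths, bob (user only) on `/api/users/me` but not on `/api/admin`, and a path with no resource is denied for everyone.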

@pedroigor
Copy link
Contributor

@sberyozkin Can we hold this one a bit? The reason is that making this happen is a bit too complex due to how you configure resources/scopes/permissions/policies.

Secondly, we are planning some changes next year in authz, and this area is one we should focus more on improving. For instance, having an easier/clearer spec to configure things.

@gsmet
Copy link
Member

gsmet commented Feb 2, 2023

@sberyozkin I'm leaning towards closing this one? WDYT?

@gsmet gsmet added triage/needs-feedback We are waiting for feedback. triage/needs-rebase This PR needs to be rebased first because it has merge conflicts labels Feb 2, 2023
@sberyozkin
Copy link
Member Author

I'm going to close this PR for now

@sberyozkin sberyozkin closed this Jan 2, 2024
@quarkus-bot quarkus-bot bot added the triage/invalid This doesn't seem right label Jan 2, 2024
Labels
area/keycloak area/oidc triage/invalid This doesn't seem right triage/needs-feedback We are waiting for feedback. triage/needs-rebase This PR needs to be rebased first because it has merge conflicts
Successfully merging this pull request may close these issues.

Extend Dev Services for Keycloak in Keycloak Authorization