Keycloak roles and services under roles #1476

Closed
viachaslau-latushkin opened this issue Jun 17, 2024 · 1 comment

Comments

@viachaslau-latushkin

Hi Dear 3scale!

I am using 3scale APIcast as an API gateway, combining a lot of microservices with Keycloak's token validation. I also configured validation of access to the endpoints of each microservice according to special roles from Keycloak's token.

Right now each endpoint for each role is covered by the following lines:

- methods:
    - GET
  resource_type: plain
  resource: ENDPOINT
  client_roles:
    - name: ROLE_FROM_KEYCLOAK_TOKEN
      client_type: plain
      client: KEYCLOAK_ROLE
      name_type: plain

The 3scale policies.yaml is extremely big in this case.
Is there any way to combine each endpoint from each microservice under a list of roles without duplicating the lines above?
Thank you in advance for any help.

@tkan145
Contributor

tkan145 commented Jun 18, 2024

Hi, unfortunately the policy evaluates per ENDPOINT resource, so it's necessary to include each config block per ENDPOINT.

Perhaps you can group similar endpoints together under a resource? i.e.

example.com/foo/bar
example.com/foo/baz
example.com/foo/

to

example.com/foo/

or apply settings dynamically by changing resource_type to liquid and getting the endpoint from the claim. For example:

{
  "client_roles": [
    {
      "name": "{{ jwt.aud }}",
      "name_type": "liquid",
      "client": "{{ jwt.aud }}",
      "client_type": "liquid"
    }
  ],
  "resource": "/{{ jwt.aud }}",
  "resource_type": "liquid"
}

Also, I believe you already know this, but if you are using an operator to deploy the gateway, you can also read the configuration from the secret:
https://github.com/3scale/3scale-operator/blob/master/doc/product-reference.md#PolicyConfigSpec
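To show how the two suggestions above fit into one policy chain, here is an added example (not from the thread or from the 3scale project): a keycloak_role_check configuration that uses a plain prefix scope for one service and a liquid scope that derives both the resource and the client role from the token's aud claim. The client ID `orders-api` and the role names are assumed values for illustration.

```json
{
  "policy_chain": [
    {
      "name": "apicast.policy.keycloak_role_check",
      "version": "builtin",
      "configuration": {
        "type": "whitelist",
        "scopes": [
          {
            "methods": ["GET"],
            "resource": "/orders/",
            "resource_type": "plain",
            "client_roles": [
              {
                "name": "orders:read",
                "name_type": "plain",
                "client": "orders-api",
                "client_type": "plain"
              }
            ]
          },
          {
            "methods": ["GET", "POST"],
            "resource": "/{{ jwt.aud }}/",
            "resource_type": "liquid",
            "client_roles": [
              {
                "name": "{{ jwt.aud }}-user",
                "name_type": "liquid",
                "client": "{{ jwt.aud }}",
                "client_type": "liquid"
              }
            ]
          }
        ]
      }
    },
    {
      "name": "apicast.policy.apicast",
      "version": "builtin",
      "configuration": {}
    }
  ]
}
```

Before relying on the liquid scope, check that the tokens your Keycloak clients issue carry a single-valued aud claim (a multi-valued aud renders as something other than one client ID), and verify in your APIcast version how whitelist mode treats paths that match no scope, since that decides whether the chain is deny-by-default.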
