KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters #6448
Conversation
Hi, thanks for your PR. Can you please open a discussion around this on the dev ML? |
Hi,
Actually I am already in discussion with Pedro Igor Silva. Do I need to open another discussion?
|
Where? It would be good to have the discussion openly on the dev ML. |
Actually it is going on mail |
@stianst the JIRA provides some background and a document with more details about what @sushil-singh-guavus is proposing. I asked him to send the PR so that we could understand better the use-case and start discussing the changes. |
@sushil-singh-guavus, now that we have the code and based on the description you have in the doc (attached to the JIRA), the intent is much more clear.
Correct me if I'm wrong, please. The objective here can be summarized as follows:
- As a user I want to programmatically check whether or not a request is authorized to access a protected resource, so that I can pass the resource identifier/name and/or the set of scopes
- As a user I want to be able to programmatically manage resources (CRUD) so that I can manage the resources that should be protected by Keycloak
If my assumption is correct, I think we can solve that differently by leveraging the AuthorizationContext class, which is available from the KeycloakSecurityContext that is usually available in the request scope.
The AuthorizationContext already provides methods for checking permissions, but today, they rely on any permissions carried by the token and do not interact with the server if no permission (for a resource/scope) is available.
It seems to me that we can simplify this implementation while addressing the same requirements.
In fact, recently, we have implemented a policy enforcer for Quarkus which provides a similar approach to check permissions programmatically. While it also does not interact with the server to query for permissions, the hook is there to adapt and enhance programmatic authorization.
Please, let me know your thoughts about what I said.
@pedroigor Based on my understanding, when it comes to AuthorizationContext, it has methods to check permission for a resource and a scope. So even if we extend its functionalities, e.g. [Resource, Set of Scopes], it won't be able to provide UMA and other functionalities that the policy-enforcer provides, as it directly works on tokens. In our case the client may not know the permission to be able to access that resource and scope. So firstly it will just call with an access token and, based on the permission ticket, it will bring out the RPT. We have seen most of the options and then decided that the policy-enforcer functionality is what we are looking for, but somewhat in a custom fashion. The following things are there in the PolicyEnforcer flow and are needed for us.
So, that's why I created the CustomEnforcer functionality, which can be enabled using keycloak.json. You just specify the map of <resource, Set of scopes> programmatically and call the custom enforcer function. It will authenticate, authorize and set the applicable response status. Here I am using PolicyEnforcer caching, wildcard resource matching, lazy loading, and have customized the UMA flow based on "Map<Resource, Set of scopes>". So I am afraid that extending the functionality of AuthorizationContext won't work for us. I hope things are clear from my side, and I would also request you to correct me if I am wrong somewhere |
Didn't see any email about this on the dev ML yet. Could you please open a thread there so others can participate if they want to? |
Can you tell me the mail ID of the dev mailing list? I have mailed on keycloak-users but don't know the dev mail ID.
|
@sushil-singh-guavus check out https://www.keycloak.org/community for details on ML. @pedroigor started a thread on this there, so let's continue the discussion on the ML |
@stianst @pedroigor, it's been pending for a lot of days. I have created a quickstart: https://github.com/sushil-singh-guavus/keycloak-quickstarts/tree/keycloak-11300-quickstarts Can you check!! |
Was a discussion opened on the dev mailing list around this? If so, what was the conclusion here? From my perspective this may seem a bit too complex and seems like something we may not want to consider. @pedroigor wdyt? |
@stianst We had some discussion, can't find the thread now. But we ended up with this PR. @sushil-singh-guavus After looking at your quickstart, I think I see now what you really want. And I still think we can do something along the lines of what I mentioned before. It seems that we could just change the Pretty much what you have here https://github.com/sushil-singh-guavus/keycloak/commits/keycloak-11300? I'm not sure whether or not the changes herein are really needed by those from your branch. |
@pedroigor, I am fine with the changes suggested by you, which I have modified a bit because some things were breaking, in https://github.com/sushil-singh-guavus/keycloak/commits/keycloak-11300 |
@sushil-singh-guavus I see, so I think we should just have this PR with the changes you have in https://github.com/sushil-singh-guavus/keycloak/commits/keycloak-11300 plus the additional method and related changes to the Makes sense? It should be much simpler, I think. |
@pedroigor right!! Hi Pedro, correct me if I am wrong, but I think the changes related to passing a map as a parameter are there in https://github.com/sushil-singh-guavus/keycloak/commits/keycloak-11300. I have also demonstrated in the quickstart how we can use that. Let me put it here also:
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext(); |
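The approach discussed above (the AuthorizationContext suggestion from @pedroigor, and the resource-to-scopes map from @sushil-singh-guavus), as an added illustration that is not code from this PR, the quickstart or Keycloak itself. It assumes a servlet adapter that stores the KeycloakSecurityContext as a request attribute; the class and method names MapPermissionCheck, contextOf and isAllowed are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;

// Hypothetical helper (not part of Keycloak): checks every resource/scope pair in
// `required` against the permissions already carried by the caller's token (RPT).
public final class MapPermissionCheck {

    // Servlet adapters expose the security context under this request attribute.
    public static AuthorizationContext contextOf(HttpServletRequest request) {
        KeycloakSecurityContext ksc = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        return ksc == null ? null : ksc.getAuthorizationContext();
    }

    // Returns true only if every (resource, scope) pair is granted by the token.
    // Caveat from the discussion: AuthorizationContext only evaluates permissions
    // present in the token; a missing permission does not trigger a server round
    // trip (no permission ticket / RPT exchange), so the check fails closed.
    public static boolean isAllowed(AuthorizationContext authz,
                                    Map<String, Set<String>> required) {
        if (authz == null || !authz.isGranted()) {
            return false;
        }
        for (Map.Entry<String, Set<String>> entry : required.entrySet()) {
            String resource = entry.getKey();
            Set<String> scopes = entry.getValue();
            if (scopes == null || scopes.isEmpty()) {
                // No scopes listed: any permission on the resource is enough.
                if (!authz.hasResourcePermission(resource)) {
                    return false;
                }
                continue;
            }
            for (String scope : scopes) {
                if (!authz.hasPermission(resource, scope)) {
                    return false;
                }
            }
        }
        return true;
    }
}
```

A caller in a servlet or controller would build the map, e.g. Map.of("Album", Set.of("view", "edit")), and send a 403 when isAllowed returns false; a false result here means "not granted by this token", not "the server was consulted and denied".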
Yeah, so we should just change this PR to have that instead of all the changes herein ... |
This PR was created from https://github.com/sushil-singh-guavus/keycloak/tree/feature/custom-policy-enforcer, please suggest |
Changes from keycloak-11300. They are enough, right? |
Yes, correct, all changes are there in https://github.com/sushil-singh-guavus/keycloak/commits/keycloak-11300. I just want to know what needs to be changed from my side in this PR |
It has been a while and plans have changed. We are avoiding drastic changes to this area of Keycloak. Sorry and thanks for your contribution. |
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters
https://issues.jboss.org/browse/KEYCLOAK-11300