
Feature Request: authorization by checking realm or client specific roles #1162

Closed
lathspell opened this issue Apr 20, 2021 · 6 comments

@lathspell
Contributor

Expected Behavior

It should be possible to restrict access to certain resources with access control lists that are based on OAuth2 roles.
The roles should be extracted from both, "realm_access.roles" as well as "resource_access.$client.roles".

Current Behavior

Access restrictions are only possible using groups but a common design is that groups are only used inside the OAuth2 server (e.g. Keycloak) for user-management and roles, which are inherited from the groups, are used in the backend apps (oauth2-proxy) to do the actual authorization.

Possible Solution

  • extract roles from realm_access and resource_access
  • implement configuration for access control lists

Maybe have a look at the abandoned Keycloak Gatekeeper. Quoting from its docs at https://github.com/louketo/louketo-proxy/blob/master/docs/user-guide.md:

    --enable-default-deny=true \
    --resources="uri=/admin*|roles=test1,test2" \
    --resources="uri=/backend*|roles=test1" \
    --resources="uri=/css/*|white-listed=true" \
    --resources="uri=/img/*|white-listed=true" \
    --resources="uri=/public/*|white-listed=true"

    By default the roles defined on a resource perform a logical AND so all roles specified must be present in the claims, this behavior can be altered by the require-any-role option however so as long as one role is present the permission is granted.
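The two halves of the request above (reading roles out of both `realm_access` and `resource_access`, then evaluating Gatekeeper-style `uri=...|roles=...` resource rules with AND semantics and a `require-any-role` override) can be sketched in Go. This is an added example written for this page, not oauth2-proxy or Louketo code. It assumes a constructed claims payload, that client roles are reported as `client:role` to keep same-named roles on different clients apart, that `require-any-role` and `white-listed` are parsed as per-resource options, that a trailing `*` in `uri` means prefix match, and that the first matching resource wins.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Claims models the two Keycloak claim locations the issue asks to read.
type Claims struct {
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
	ResourceAccess map[string]struct {
		Roles []string `json:"roles"`
	} `json:"resource_access"`
}

// ParseClaims decodes an already-verified token payload (signature checking
// is out of scope here and must happen before any of this runs).
func ParseClaims(raw string) (Claims, error) {
	var c Claims
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// ExtractRoles flattens realm and client roles into one sorted list. Client
// roles get a "client:" prefix (naming convention assumed by this example).
func ExtractRoles(c Claims) []string {
	roles := append([]string{}, c.RealmAccess.Roles...)
	for client, access := range c.ResourceAccess {
		for _, r := range access.Roles {
			roles = append(roles, client+":"+r)
		}
	}
	sort.Strings(roles)
	return roles
}

// Resource is one ACL entry in the Gatekeeper style, e.g. "uri=/admin*|roles=test1,test2".
type Resource struct {
	URI         string
	Roles       []string
	WhiteListed bool // no role check at all (static assets)
	RequireAny  bool // OR instead of the default AND over Roles
}

// ParseResource parses the "key=value|key=value" resource syntax; unknown keys
// are rejected so a typo cannot silently loosen a rule.
func ParseResource(spec string) (Resource, error) {
	var r Resource
	for _, part := range strings.Split(spec, "|") {
		key, val, ok := strings.Cut(part, "=")
		if !ok {
			return r, fmt.Errorf("malformed resource part %q", part)
		}
		switch key {
		case "uri":
			r.URI = val
		case "roles":
			if val != "" {
				r.Roles = strings.Split(val, ",")
			}
		case "white-listed":
			r.WhiteListed = val == "true"
		case "require-any-role":
			r.RequireAny = val == "true"
		default:
			return r, fmt.Errorf("unknown resource key %q", key)
		}
	}
	if r.URI == "" {
		return r, errors.New("resource without uri")
	}
	return r, nil
}

// LoadACL parses a list of resource specs in order; order is the match order.
func LoadACL(specs ...string) ([]Resource, error) {
	acl := make([]Resource, 0, len(specs))
	for _, s := range specs {
		r, err := ParseResource(s)
		if err != nil {
			return nil, err
		}
		acl = append(acl, r)
	}
	return acl, nil
}

// Matches treats a trailing "*" as a prefix wildcard; otherwise the match is exact.
func (r Resource) Matches(p string) bool {
	if strings.HasSuffix(r.URI, "*") {
		return strings.HasPrefix(p, strings.TrimSuffix(r.URI, "*"))
	}
	return p == r.URI
}

// Permitted applies the role rule: every listed role is required (logical AND)
// unless require-any-role is set. An empty role list only requires a logged-in user.
func (r Resource) Permitted(roles []string) bool {
	if r.WhiteListed {
		return true
	}
	have := make(map[string]bool, len(roles))
	for _, role := range roles {
		have[role] = true
	}
	if r.RequireAny {
		for _, want := range r.Roles {
			if have[want] {
				return true
			}
		}
		return false
	}
	for _, want := range r.Roles {
		if !have[want] {
			return false
		}
	}
	return true
}

// Authorize evaluates the first matching resource; with defaultDeny, a path
// that matches nothing is refused rather than silently allowed.
func Authorize(acl []Resource, defaultDeny bool, reqPath string, roles []string) bool {
	for _, r := range acl {
		if r.Matches(reqPath) {
			return r.Permitted(roles)
		}
	}
	return !defaultDeny
}

// Constructed sample payload (not a real token): realm role test1, client role test2 on "backend".
const SampleClaims = `{"realm_access":{"roles":["test1"]},"resource_access":{"backend":{"roles":["test2"]}}}`

func main() {
	c, err := ParseClaims(SampleClaims)
	if err != nil {
		panic(err)
	}
	roles := ExtractRoles(c)
	acl, err := LoadACL("uri=/admin*|roles=test1,test2", "uri=/backend*|roles=test1", "uri=/css/*|white-listed=true")
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"/admin/users", "/backend/api", "/css/site.css", "/other"} {
		fmt.Printf("%-14s roles=%v allowed=%v\n", p, roles, Authorize(acl, true, p, roles))
	}
}
```

Running it shows `/admin/users` denied even though the user has a role named `test2`: that role lives under `resource_access.backend`, so it surfaces as `backend:test2`, and the rule asks for the bare realm role `test2`. Whether client roles should be namespaced this way, or merged with realm roles, is exactly the design decision an implementation in oauth2-proxy would have to make explicit.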
@NickMeves
Member

I think I'm working this here: #1107

Let me know if it covers what you need.

@lathspell
Contributor Author

#1107 ("Keycloak OIDC Provider") has a title that is a bit unspecific. Somewhere in the comments extracting roles and turning them into oauth2-proxy groups is mentioned, though.

Still, extracting JWT roles into OAuth2-Proxy "Groups" only solves half the problem. The other half is that the Gatekeeper example above lets you set different ACLs for different wildcard-paths.

Having this feature would make migrating from Keycloak/Louketo Gatekeeper to OAuth2-Proxy much easier.

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@github-actions github-actions bot added the Stale label Jul 17, 2021
@lathspell
Contributor Author

github-actions bot: please don't close this!

@JoelSpeed JoelSpeed removed the Stale label Jul 19, 2021
@evgenstein

it's the same - #1360

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
