Feature Request: authorization by checking realm or client specific roles #1162
Comments
I think I'm working on this here: #1107. Let me know if it covers what you need.
#1107 ("Keycloak OIDC Provider") has a title that is a bit unspecific. Somewhere in the comments extracting roles and turning them into oauth2-proxy groups is mentioned, though. Still, extracting JWT roles into OAuth2-Proxy "Groups" only solves half the problem. The other half is that the Gatekeeper example above lets you set different ACLs for different wildcard paths. Having this feature would make migrating from Keycloak/Louketo Gatekeeper to OAuth2-Proxy much easier.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
github-actions bot: please don't close this!
it's the same - #1360
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Expected Behavior
It should be possible to restrict access to certain resources with access control lists that are based on OAuth2 roles.
The roles should be extracted from both "realm_access.roles" and "resource_access.$client.roles".
Current Behavior
Access restrictions are only possible using groups, but a common design is that groups are only used inside the OAuth2 server (e.g. Keycloak) for user management, while roles, which are inherited from the groups, are used in the backend apps (oauth2-proxy) to do the actual authorization.
Possible Solution
Maybe have a look at the abandoned Keycloak Gatekeeper. Quoting from its docs at https://github.com/louketo/louketo-proxy/blob/master/docs/user-guide.md:
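As an added illustration, not code from oauth2-proxy or Gatekeeper, here is a Go sketch of the two halves requested above: pulling roles out of both `realm_access.roles` and `resource_access.<client>.roles`, then checking them against per-path rules. The token payload, the rule format and the prefix-matching semantics are all constructed for this example; the payload is assumed to come from a token whose signature was already verified.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Claims models the two places Keycloak puts roles in an access token.
type Claims struct {
	RealmAccess    struct{ Roles []string `json:"roles"` }            `json:"realm_access"`
	ResourceAccess map[string]struct{ Roles []string `json:"roles"` } `json:"resource_access"`
}
// Rule grants a path prefix to holders of any listed role; end prefixes with "/" so "/admin/" does not cover "/administrator".
type Rule struct{ Prefix string; Roles []string }
// SamplePayload is a constructed token payload; signature verification is assumed to happen upstream.
const SamplePayload = `{"sub":"1234","realm_access":{"roles":["user"]},"resource_access":{"my-app":{"roles":["admin"]},"account":{"roles":["view-profile"]}}}`

// ExtractRoles returns realm roles as-is and client roles as "<client>:<role>" so names cannot collide.
func ExtractRoles(payload []byte) ([]string, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	roles := append([]string{}, c.RealmAccess.Roles...)
	for client, rc := range c.ResourceAccess {
		for _, r := range rc.Roles {
			roles = append(roles, client+":"+r)
		}
	}
	return roles, nil
}

// Authorize is default-deny: the first rule whose prefix matches decides, allowing only if the caller holds one of its roles.
func Authorize(rules []Rule, reqPath string, roles []string) bool {
	for _, rule := range rules {
		if !strings.HasPrefix(reqPath, rule.Prefix) {
			continue
		}
		for _, want := range rule.Roles {
			for _, have := range roles {
				if have == want {
					return true
				}
			}
		}
		return false // path is covered, but none of its required roles is held
	}
	return false // no rule covers the path
}
```

Note that a realm role named `admin` and a client role `my-app:admin` stay distinct, so a rule written for the client role cannot be satisfied by the realm-wide one.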