Expected Behavior
It should be possible to restrict access to certain resources with access control lists that are based on OAuth2 roles.
The roles should be extracted from both "realm_access.roles" and "resource_access.$client.roles".
Current Behavior
Access restrictions are only possible using groups, but a common design is that groups are only used inside the OAuth2 server (e.g. Keycloak) for user management, and roles, which are inherited from the groups, are used in the backend apps (oauth2-proxy) to do the actual authorization.
Possible Solution
- extract roles from realm_access and resource_access
- implement configuration for access control lists
Maybe have a look at the abandoned Keycloak Gatekeeper. Quoting from its docs at https://github.com/louketo/louketo-proxy/blob/master/docs/user-guide.md:
```
--enable-default-deny=true \
--resources="uri=/admin*|roles=test1,test2" \
--resources="uri=/backend*|roles=test1" \
--resources="uri=/css/*|white-listed=true" \
--resources="uri=/img/*|white-listed=true" \
--resources="uri=/public/*|white-listed=true"
```

> By default the roles defined on a resource perform a logical AND, so all roles specified must be present in the claims; this behavior can be altered by the require-any-role option, however, so that as long as one role is present the permission is granted.
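The role extraction and ACL semantics described in this issue, as an added example that is not part of oauth2-proxy or Gatekeeper: it pulls roles from `realm_access.roles` and `resource_access.<client>.roles` of a constructed Keycloak-style claims document, then evaluates resource entries with the logical-AND default, the require-any-role alternative, white-listing and default-deny. The `Resource` type, `ExtractRoles`, `Allowed`, the `"<client>:<role>"` prefixing and the prefix-only URI matching are assumptions of this example.

```go
package main

import "encoding/json"
import "strings"
// Constructed Keycloak-style claims; a real proxy verifies the token signature before trusting them.
const sampleClaims = `{"realm_access":{"roles":["test1"]},
 "resource_access":{"oauth2-proxy":{"roles":["test2"]},"account":{"roles":["view-profile"]}}}`
// ExtractRoles merges realm_access.roles with resource_access.<client>.roles (client roles as "<client>:<role>").
func ExtractRoles(claimsJSON string) (map[string]bool, error) {
	var c struct {
		RealmAccess    struct{ Roles []string `json:"roles"` }            `json:"realm_access"`
		ResourceAccess map[string]struct{ Roles []string `json:"roles"` } `json:"resource_access"`
	}
	if err := json.Unmarshal([]byte(claimsJSON), &c); err != nil {
		return nil, err
	}
	roles := map[string]bool{}
	for _, r := range c.RealmAccess.Roles {
		roles[r] = true
	}
	for client, ra := range c.ResourceAccess {
		for _, r := range ra.Roles {
			roles[client+":"+r] = true // prefix keeps realm and client namespaces apart
		}
	}
	return roles, nil
}
// Resource is one ACL entry in the spirit of the --resources flags above; no Roles (and RequireAny false) = white-listed.
type Resource struct {
	URIPrefix  string // "uri=/admin*" is modelled as the prefix "/admin"
	Roles      []string
	RequireAny bool // false: all roles required (logical AND); true: require-any-role
}
// Allowed applies the first ACL entry whose prefix matches (order matters); unmatched paths follow defaultDeny.
func Allowed(path string, acl []Resource, roles map[string]bool, defaultDeny bool) bool {
	for _, res := range acl {
		if !strings.HasPrefix(path, res.URIPrefix) {
			continue
		}
		anyHeld, allHeld := false, true
		for _, r := range res.Roles {
			anyHeld, allHeld = anyHeld || roles[r], allHeld && roles[r]
		}
		if res.RequireAny {
			return anyHeld
		}
		return allHeld
	}
	return !defaultDeny
}
```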