- improved code coverage

- updated docs

.circleci/config.yml

@@ -84,3 +84,9 @@ jobs:
       - run:
           name: lint example/express/express-service
           command: cd example/express/express-service && npm i && npm run lint
+      - run:
+          name: lint example/userToAdminAPI/frontend
+          command: cd example/userToAdminAPI/frontend && npm i && npm run lint
+      - run:
+          name: lint example/userToAdminAPI/express-service
+          command: cd example/userToAdminAPI/express-service && npm i && npm run lint

.github/workflows/nodejs.yml

@@ -47,5 +47,7 @@ jobs:
     - run:  cd example/chain-service-calls/service3 && npm i && npm run lint
     - run:  cd example/express/frontend && npm i && npm run lint
     - run:  cd example/express/express-service && npm i && npm run lint
+    - run:  cd example/userToAdminAPI/frontend && npm i && npm run lint
+    - run:  cd example/userToAdminAPI/express-service && npm i && npm run lint
 
 

README.md

@@ -12,6 +12,7 @@ Implementation [Keycloak](https://www.keycloak.org/) adapter for aws Lambda
 - supports AWS API Gateway, AWS Cloudfront with Lambda@Edge
 - Resource based authorization ( [Keycloak Authorization Services](https://www.keycloak.org/docs/latest/authorization_services/) )
 - works with non amazon services.
+- [Service to Service communication](./example/userToAdminAPI).
 - validate expiration of JWT token
 - validate JWS signature
 - supports "clientId/secret" and "client-jwt" credential types
@@ -29,6 +30,7 @@ npm install keycloak-lambda-authorizer -S
  - [Serverless example (Api gateway with lambda authorizer)](example/keycloak-authorizer/README.md)
  - [Example of expressjs middleware](example/express)
  - [Example of calling a chain of micro services, where each service is protected by its secured client](example/chain-service-calls)
+ - [Example of calling the Admin API Using the regular User Permissions (Role or Resource)](example/userToAdminAPI)
  - [CloudFront with Lambda:Edge example](example/keycloak-cloudfront/README.md)
  - [CloudFront with portal authorization (switching between security realms)](example/keycloak-cloudfront-portal)
 # How to use

__tests__/src/serviceAccountTest.js

@@ -0,0 +1,39 @@
+jest.mock('../../src/umaConfiguration');
+jest.mock('../../src/clientAuthorization');
+jest.mock('../../src/utils/optionsUtils');
+
+const { clientAuthentication } = require('../../src/clientAuthorization');
+
+const { serviceAccountJWT } = require('../../src/serviceAccount');
+
+const keycloakJson = () => ({
+  realm: 'lambda-authorizer',
+  'auth-server-url': 'http://localhost:8090/auth',
+  'ssl-required': 'external',
+  resource: 'lambda',
+  'verify-token-audience': true,
+  credentials: {
+    secret: '772decbe-0151-4b08-8171-bec6d097293b',
+  },
+  'confidential-port': 0,
+  'policy-enforcer': {},
+});
+
+describe('testing umaConfiguration', () => {
+  beforeEach(() => {
+    clientAuthentication.mockImplementation(async () => ({ access_token: 'access_token' }));
+  });
+
+  afterEach(() => {
+  });
+
+  test('test serviceAccountJWT with keycloakJson', async () => {
+    const token = await serviceAccountJWT(keycloakJson);
+    expect(token).toEqual('access_token');
+  });
+
+  test('test serviceAccountJWT with options', async () => {
+    const token = await serviceAccountJWT(null, { keycloakJson });
+    expect(token).toEqual('access_token');
+  });
+});

__tests__/src/umaConfigurationTest.js

@@ -18,6 +18,13 @@ const token = {
         'accessRole',
       ],
     },
+    resource_access: {
+      testClient: {
+        roles: [
+          'accessRole',
+        ],
+      },
+    },
     authorization: {
       permissions: [{ rsid: 'resourceId' }],
     },
@@ -30,6 +37,13 @@ const accessToken = {
       roles: [
         'accessRole',
       ],
+      resource_access: {
+        testClient: {
+          roles: [
+            'accessRole',
+          ],
+        },
+      },
     },
   },
 };
@@ -82,6 +96,19 @@ describe('testing umaConfiguration', () => {
     });
   });
 
+  test('test enforce client Role success', async () => {
+    await enforce(token, {
+      keycloakJson,
+      enforce: {
+        enabled: true,
+        clientRole: {
+          roleName: 'accessRole',
+          clientId: 'testClient',
+        },
+      },
+    });
+  });
+
   test('test access_token success', async () => {
     await enforce(accessToken, {
       cache,

example/userToAdminAPI/README.md

@@ -2,6 +2,13 @@
 
 This example allow to get list of users and List of security clients (with secrets) using regular user permissions.
 
+## How it works
+User calls the service API using their own token, but the service API calls Keycloak using the service account token (service-to-service communication)
+- **user has no administrator roles!!!**
+- service Account has Admin Roles ![](../../docs/serviceAccountRoles.png)
+- FrontEnd does not have access to call Admin Api.
+![](../../docs/UserToAdminAPI.png)
+
 ## 1. Start Keycloak
 
 ### Docker
@@ -36,14 +43,15 @@ npm run start
 
 users:
 
-| User      | Password   | Service Role |
-|:----------|:-----------|:-----------------|
-| user      | user       | X                |
-| user1     | user1      | -                |
+| User      | Password   | UserList Role    | Client List Role | Client Secret Role |
+|:----------|:-----------|:-----------------|:-----------------|:-------------------|
+| user      | user       | X                | X                | X                  |
+| user1     | user1      | -                | -                | -                  |
 
 ## 6. Results
 
 | User      | Result                                                                                                 | Description                                           |
 |:----------|:-------------------------------------------------------------------------------------------------------|:------------------------------------------------------|
-| User      |  Hi user. Your function executed successfully!                                                         | All Access                                            |
-| User1     |  Request failed with status code 403                                                                   | User has not access to express-service                |
+| User      |  User List, Client List with secrets                                                                   | All Access                                            |
+| User1     |  Client List with secrets                                                                              | User has access to  Client List  and secrets          |
+| User2     |  Client List without secrets                                                                           | User has access only to Client List                   |

example/userToAdminAPI/example-realm-export.json

@@ -447,44 +447,64 @@
   "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
   "webAuthnPolicyPasswordlessAcceptableAaguids": [],
   "users": [
-      {
-        "username" : "user",
-        "enabled": true,
-        "email" : "example-user@lambda-example",
-        "firstName": "Lambda",
-        "lastName": "User",
-        "credentials" : [
-          { "type" : "password",
-            "value" : "user" }
-        ],
-        "clientRoles": {
-          "admin-service": ["CLIENT-LIST-ROLE", "CLIENT-SECRETS-ROLE", "USER-LIST"]
+    {
+      "username": "user",
+      "enabled": true,
+      "email": "example-user@lambda-example",
+      "firstName": "Lambda",
+      "lastName": "User",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "user"
         }
-      },{
-        "username" : "user1",
-        "enabled": true,
-        "email" : "example-user1@lambda-example",
-        "firstName": "Lambda",
-        "lastName": "User1",
-        "credentials" : [
-          { "type" : "password",
-            "value" : "user1" }
-        ],
-        "clientRoles": {
-          "admin-service": ["CLIENT-LIST-ROLE", "CLIENT-SECRETS-ROLE"]
+      ],
+      "clientRoles": {
+        "admin-service": [
+          "CLIENT-LIST-ROLE",
+          "CLIENT-SECRETS-ROLE",
+          "USER-LIST"
+        ]
+      }
+    },
+    {
+      "username": "user1",
+      "enabled": true,
+      "email": "example-user1@lambda-example",
+      "firstName": "Lambda",
+      "lastName": "User1",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "user1"
         }
-      },{
-        "username" : "user2",
-        "enabled": true,
-        "email" : "example-user2@lambda-example",
-        "firstName": "Lambda",
-        "lastName": "User2",
-        "credentials" : [
-          { "type" : "password",
-            "value" : "user2" }
+      ],
+      "clientRoles": {
+        "admin-service": [
+          "CLIENT-LIST-ROLE",
+          "CLIENT-SECRETS-ROLE"
+        ]
+      }
+    },
+    {
+      "username": "user2",
+      "enabled": true,
+      "email": "example-user2@lambda-example",
+      "firstName": "Lambda",
+      "lastName": "User2",
+      "clientRoles": {
+        "admin-service": [
+          "CLIENT-LIST-ROLE"
         ]
       },
-      {
+      "credentials": [
+        {
+          "type": "password",
+          "value": "user2"
+        }
+      ]
+    },
+    {
       "id": "b096ed9f-1856-4867-9964-d9f44af7ea13",
       "createdTimestamp": 1620662224373,
       "username": "service-account-admin-service",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "keycloak-lambda-authorizer",
-  "version": "0.4.3",
+  "version": "0.5.0",
   "description": "Keycloak adapter for aws Lambda",
   "main": "index.js",
   "homepage": "https://github.com/vzakharchenko/keycloak-lambda-authorizer",
@@ -55,14 +55,14 @@
   "author": "vzakharchenko",
   "license": "Apache-2.0",
   "devDependencies": {
-    "@babel/plugin-transform-runtime": "^7.13.15",
+    "@babel/plugin-transform-runtime": "^7.14.3",
     "@babel/polyfill": "^7.12.1",
     "@babel/runtime": "^7.14.0",
     "babel-eslint": "^10.1.0",
     "coveralls": "^3.1.0",
-    "eslint": "^7.25.0",
+    "eslint": "^7.27.0",
     "eslint-config-airbnb": "^18.2.1",
-    "eslint-plugin-import": "^2.22.1",
+    "eslint-plugin-import": "^2.23.3",
     "jest": "^26.6.3"
   },
   "dependencies": {