Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support the dynamic KeycloakPolicyEnforcerAuthorizer tenants #17664

Closed
sberyozkin opened this issue Jun 3, 2021 · 1 comment · Fixed by #39643
Closed

Support the dynamic KeycloakPolicyEnforcerAuthorizer tenants #17664

sberyozkin opened this issue Jun 3, 2021 · 1 comment · Fixed by #39643
Labels
area/keycloak-authorization area/oidc kind/enhancement New feature or request
Milestone
3.14.0.CR1

Comments

@sberyozkin
Copy link
Member

sberyozkin commented Jun 3, 2021
edited
Loading

Description

KeycloakPolicyEnforcerAuthorizer tenants configured in application.properties are supported in 2.0.0.x but it is not possible to create them programmatically yet as can be done for OIDC tenants with TenantConfigResolver.

Implementation ideas

Add TenantPolicyConfigResolver which would accept RoutingContext and the current OIDC tenantId and return KeycloakPolicyEnforcerTenantConfig and have it injected in PolicyEnforcerResolver.

PolicyEnforcerResolver would check TenantPolicyConfigResolver first - if it returns KeycloakPolicyEnforcerTenantConfig then Function will be used to convert it to PolicyEnforcer - this function will be passed from KeycloakRecorder to PolicyEnforcerResolver in its constructor similarly to how it is done in OidcRecorder.

It should be enforced for web-app tenants only (as is already done for the configured web-app tenants) that the current OidcTenantConfig also has quarkus.oidc.roles.source=accesstoken. The current dynamic OidcTenantConfig is available as RoutingContext dynamic.tenant.config attribute.

A simple test would have to be added to integration-tests/keycloak-authorization - it already has one test for the configured non-default tenant - so another similar test should be added for the dynamically created one

CC @pedroigor
@sberyozkin sberyozkin assigned sberyozkin and unassigned sberyozkin Jun 3, 2021
@ethan-gallant ethan-gallant mentioned this issue Jun 8, 2021
Closed
@ethan-gallant
Copy link
Contributor

Hello!

I currently have a working implementation of this in #17750. Please let me know if anything should be changed or modified. The code is heavily inspired by the OIDC library which implements a very similar system.

Thank you for the guidance on how to implement this! :)

This was referenced Mar 10, 2024
Closed
Merged
This was referenced Mar 20, 2024
Merged
Merged
@quarkus-bot quarkus-bot bot added this to the 3.14 - main milestone Jul 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/keycloak-authorization area/oidc kind/enhancement New feature or request
Projects
None yet
Milestone
3.14.0.CR1
Development

Successfully merging a pull request may close this issue.

Add Keycloak Authorization dynamic tenant config resolution michalvavrik/quarkus
2 participants
@sberyozkin @ethan-gallant