Quarkus and Keycloak: evaluate scope based permission


Problem description


I have a REST API that should use Keycloak for authorizing incoming requests. I have problems with configuring the desired scopes in my API.
In Keycloak I defined a client for my API, a client for the calling service and two users. Both users have some realm roles. The client for my API defines a resource, some scopes (e.g. read, delete), policies and permissions. One permission allows a user with the admin role to perform the scopes read and delete on the resource. The other allows a user with the monitoring role to read the resource.
I understand that the path of my endpoint will be checked against the path defined in the Keycloak client resource.


My concrete problem here is that I don't know how to tell my endpoint which scopes it needs.


In the end I want to have multiple endpoints with the same path but different scopes (for each HTTP method).

Here is my example configuration:

quarkus.http.port=8080
quarkus.resteasy.path=/api
quarkus.oidc.auth-server-url=https://myUrl:8443/auth/realms/enaq
quarkus.oidc.client-id=rest-api
quarkus.oidc.credentials.secret=secret-string
quarkus.oidc.enabled=true
quarkus.application.name=keycloak-test-api
quarkus.application.version=0.0.1
quarkus.keycloak.policy-enforcer.enable=true

Here is an example implementation:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
// @Autowired needs the quarkus-spring-di extension; plain Quarkus CDI would use javax.inject.Inject
import org.springframework.beans.factory.annotation.Autowired;

// Served under /api/measurements because quarkus.resteasy.path=/api
@Path("/measurements")
public class MeasurementResource {

    @Autowired
    MeasurementService delegate;

    // No scope is declared here: the policy enforcer decides purely from the request path and method
    @GET
    @Path("/{id}/{from}/{to}/{resolution}")
    @Produces(MediaType.APPLICATION_JSON)
    public MeasurementHistory getMeasurementHistory(@PathParam("id") String deviceId, @PathParam("from") Long from,
            @PathParam("to") Long to, @PathParam("resolution") Integer resolution) {
        return delegate.getMeasurementHistory(from, to, resolution, deviceId);
    }
}


In my example my permissions will be evaluated, but only the admin gets access. The monitoring user will be denied, although he should be able to read.

Recommended answer


In order to define the exact scopes that should be protected and map them to the appropriate HTTP verb, you should configure the policy enforcer as documented here.


There is no documentation on the Quarkus side yet that shows how to map that to properties (application.properties), but it should be quite trivial to do so. You can grab an example from here.


Another option is to set quarkus.keycloak.policy-enforcer.http-method-as-scope=true. By doing that, your resources would be associated with scopes such as GET, POST, DELETE, etc., and the policy enforcer will enforce access accordingly without forcing you to map paths in your configuration file.
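Both options from the answer, written out as an application.properties fragment for the question's setup. This is an added example, not the answerer's code; it assumes the Keycloak resource is named "Measurements", that the scopes are "read" and "delete" as in the question, and that the enforcer sees the full request path including the /api root from quarkus.resteasy.path.

```properties
# Added example (not from the original answer); resource name and path are assumptions.
quarkus.keycloak.policy-enforcer.enable=true

# Option 1: map each HTTP method on the path to the Keycloak scope it requires.
# GET needs "read" (admin and monitoring users pass), DELETE needs "delete" (admin only).
quarkus.keycloak.policy-enforcer.paths.1.name=Measurements
quarkus.keycloak.policy-enforcer.paths.1.path=/api/measurements/*
quarkus.keycloak.policy-enforcer.paths.1.methods.get.method=GET
quarkus.keycloak.policy-enforcer.paths.1.methods.get.scopes=read
quarkus.keycloak.policy-enforcer.paths.1.methods.delete.method=DELETE
quarkus.keycloak.policy-enforcer.paths.1.methods.delete.scopes=delete

# Option 2 (use instead of the paths.* block above): the HTTP method name is the scope,
# so the scopes defined on the Keycloak resource must then be GET, DELETE, ... rather than read/delete.
# quarkus.keycloak.policy-enforcer.http-method-as-scope=true
```

With option 1 a request that matches no configured method on the path is still evaluated against the resource as a whole, so keep the path list in sync with the endpoints you actually expose.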
