NikiforovAll / keycloak-authorization-services-dotnet

Authentication and Authorization with Keycloak and ASP.NET Core 🔐
https://nikiforovall.github.io/keycloak-authorization-services-dotnet/
MIT License

is there the possibility to have stateless JWT-based role Authorization? #136

Open gabrielesilinic opened 2 months ago

gabrielesilinic commented 2 months ago

It is in fact possible via keycloak's access token JWT to see what roles the user has; sometimes either adding built-in mappers or specifying the roles scope is necessary.

Because of this I would like the asp.net [Authorize(Role = "MyRole")] to work properly in this stateless manner (where you don't have to ask the keycloak server). Though I don't know if it already does that and I misconfigured something.

I may as well try to sketch up a prototype given some direction if the feature is not there yet.

NikiforovAll commented 2 months ago

It is a supported scenario:

Please see: https://nikiforovall.github.io/keycloak-authorization-services-dotnet/configuration/configuration-authorization.html

Also, to use ASP.NET Role Authorization, please enable Role claims transformation, see: https://nikiforovall.github.io/keycloak-authorization-services-dotnet/configuration/configuration-authorization.html#keycloak-role-claims-transformation

But, claims mapping works differently for API and MVC scenarios, so you might need to do extra work for MVC mapping. See: https://nikiforovall.github.io/keycloak-authorization-services-dotnet/examples/web-app-mvc.html#role-mapping
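One way to do the role mapping the reply describes, as an added example that is not the library's own code: an IClaimsTransformation that reads the `realm_access` and `resource_access` claims Keycloak puts in the access token and turns them into ASP.NET Core role claims, so `[Authorize(Roles = "...")]` is decided from the JWT alone with no call back to the Keycloak server. The `RoleSource` enum, the class name and the client id `"my-api"` are assumptions for illustration.

```csharp
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;

// Added example (not the library's own code). Keycloak access tokens carry
//   "realm_access":    {"roles": ["admin", ...]}
//   "resource_access": {"<client-id>": {"roles": ["editor", ...]}, ...}
// JwtBearer keeps these nested objects as string claims holding raw JSON.
public enum RoleSource { Realm, ResourceAccess, All }

public sealed class KeycloakRolesClaimsTransformation : IClaimsTransformation
{
    private readonly RoleSource _source;
    private readonly string _clientId; // assumed: the API's own Keycloak client id

    public KeycloakRolesClaimsTransformation(RoleSource source, string clientId)
    {
        _source = source;
        _clientId = clientId;
    }

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        if (_source is RoleSource.Realm or RoleSource.All)
            AddRoles(identity, identity.FindFirst("realm_access")?.Value, root => root);
        if (_source is RoleSource.ResourceAccess or RoleSource.All)
            AddRoles(identity, identity.FindFirst("resource_access")?.Value,
                     root => root.TryGetProperty(_clientId, out var client) ? client : default);

        return Task.FromResult(principal);
    }

    private static void AddRoles(ClaimsIdentity identity, string? json, Func<JsonElement, JsonElement> select)
    {
        if (string.IsNullOrEmpty(json)) return;
        using var doc = JsonDocument.Parse(json);
        var node = select(doc.RootElement);
        if (node.ValueKind != JsonValueKind.Object || !node.TryGetProperty("roles", out var roles)) return;
        foreach (var role in roles.EnumerateArray())
        {
            var name = role.GetString();
            // Idempotent: TransformAsync can run more than once per request.
            if (name is not null && !identity.HasClaim(identity.RoleClaimType, name))
                identity.AddClaim(new Claim(identity.RoleClaimType, name));
        }
    }
}
```

Register it in Program.cs with `builder.Services.AddTransient<IClaimsTransformation>(_ => new KeycloakRolesClaimsTransformation(RoleSource.All, "my-api"));` after the JwtBearer setup; the roles only appear in the token if the client's role mappers or the roles scope are configured on the Keycloak side.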

gabrielesilinic commented 2 months ago

Oh, okay. It worked to a degree, and I really thank you for that. The issue is that for some reason it seems to not like it when I try to set "All" instead of realm. Also I am having troubles with groups. Actually I believe I have to go a long way to figure out keycloak at all in the first place. Probably I will let you know.

gabrielesilinic commented 2 months ago

@NikiforovAll So, in the end it is working out. Though it turns out I should not do that, because the project I am working on has a lot of different applications, therefore the size of the bearer token is going to be insane. Unfortunately, even if unconventional, I cannot elegantly map scopes either unless I use policies, and keycloak won't allow (as far as I know) to reveal roles only according to the requested scopes, just all or nothing.

I will figure it out I guess.

gabrielesilinic commented 2 months ago

@NikiforovAll Hi again. I am not sure if I am stupid or what, but I can't seem to be able to make the protected resources thing work, the AuthenticationServer thing (which is the actual solution for my use case). Do you happen to have an example web api application with also an example keycloak configuration that was proven to work?