adorsys / keycloak-config-cli

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
Apache License 2.0
714 stars, 134 forks

How to apply a policy from realm-management in client using the cli #648

Closed dowhiletrue closed 2 years ago

dowhiletrue commented 2 years ago

The minimal JSON in https://github.com/adorsys/keycloak-config-cli/issues/231#issue-727402130 creates a policy esb-token-exchange in the client realm-management. If fine-grained authorization (keycloak.profile.feature.admin_fine_grained_authz=enabled) is enabled, the policy esb-token-exchange can be applied in client esb-token-exchange afterwards: fine-grained-permission configure-permission

An export of the realm now contains additional entries in authorizationSettings.resources and authorizationSettings.policies having an UUID set in their name e.g.:

{
    "name": "client.resource.281acc18-5bb8-4740-9886-946bb633d489",
    "type": "Client"
}

I wonder how these policies can be applied using the cli?

Env:

jkroepke commented 2 years ago

Hi @dowhiletrue,

by default, the input definition of the CLI is the same as the export format of a realm. I have no idea whether the UUID is random or whether it is related to the client itself.

I never worked with admin_fine_grained_authz. Is it possible to describe the flow in the UI, how I can configure the policies inside the Keycloak step by step? Then I can look into it.

dowhiletrue commented 2 years ago

Hi @jkroepke

Sure, here it is:

1) add JAVA_OPTS: '-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled' in environment in docker-compose.yml and start the keycloak container
2) create a new realm: fine-grained
3) add new group with name client-admin-group
4) add new client using defaults and name it fine-grained-permission-client
5) navigate to the brand-new tab Permissions and set Permissions Enabled to ON
6) click Configure
7) select Create Policy and select Group
8) enter clientadmin-policy as name and select client-admin-group, hit Save

This should enable users in the group client-admin-group to configure fine-grained-permission-client

In realm-management -> Authorization -> Policies the clientadmin-policy appears and Dependent Permissions underneath contains the client with UUID, something like configure.permission.client.[UUID]. A full export now contains the newly created entry in authorizationSettings.resources and authorizationSettings.policies

Similar use-cases can be found here

jkroepke commented 2 years ago

Hi,

thanks for providing a step-by-step manual.

I looked into it, and keycloak-config-cli currently does not support fine-grained authz. I implemented some additional code locally, but Keycloak throws 500 server errors without any additional information.

I or someone else will have to look deeper into it. I can't guarantee any solution soon since it's really complex from the REST API side. The documentation only provides a way through the WebUI. API calls need to be reverse engineered.

jkroepke commented 2 years ago

Had some success, could you try whether #650 works for you?

Take note: instead of the UUID suffix, you can use the $clientId suffix, too. See some examples in the PR.
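
As an added example (not code from the thread, the PR, or the keycloak-config-cli project), the following Python script takes a realm export of the kind described in the steps above, resolves the client UUIDs that Keycloak bakes into the realm-management resource and permission names (client.resource.<uuid>, configure.permission.client.<uuid>) against the export's own clients list, and rewrites them to the $clientId suffix form mentioned in the comment above. Assumptions: the placeholder spelling `$<clientId>` (e.g. `client.resource.$fine-grained-permission-client`) is taken from this thread and should be checked against the docs of the keycloak-config-cli version you run; the sample export is constructed around the UUID quoted in the issue and is not a real dump; the function names are the example's own. The script also reports UUIDs it could not map to a client, which is the case to watch for when a client was deleted after the permission was created.

```python
"""Rewrite UUID-bound fine-grained admin permission names in a Keycloak realm export.

Example code, not part of keycloak-config-cli. The "$<clientId>" placeholder
form is assumed from the issue discussion; verify it against the project docs.
"""
import copy
import json
import re

# Keycloak client UUIDs are lowercase hex; match them as whole tokens only.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)
REALM_MANAGEMENT = "realm-management"


def client_id_by_uuid(realm: dict) -> dict:
    """Map each client's internal UUID ("id") to its human-readable clientId."""
    return {c["id"].lower(): c["clientId"] for c in realm.get("clients", []) if "id" in c}


def substitute_uuids(text: str, lookup: dict, unresolved: set) -> str:
    """Replace every known client UUID in text with "$<clientId>"; record unknown ones."""
    def repl(match):
        uuid = match.group(0).lower()
        if uuid in lookup:
            return "$" + lookup[uuid]
        unresolved.add(uuid)
        return match.group(0)
    return UUID_RE.sub(repl, text)


def rewrite_export(realm: dict):
    """Return (rewritten deep copy of the export, set of UUIDs that did not resolve)."""
    result = copy.deepcopy(realm)
    lookup = client_id_by_uuid(result)
    unresolved = set()
    for client in result.get("clients", []):
        if client.get("clientId") != REALM_MANAGEMENT:
            continue  # fine-grained admin permissions live only in realm-management
        authz = client.get("authorizationSettings", {})
        for resource in authz.get("resources", []):
            resource["name"] = substitute_uuids(resource["name"], lookup, unresolved)
        for policy in authz.get("policies", []):
            policy["name"] = substitute_uuids(policy["name"], lookup, unresolved)
            # In a realm export, policy config values are JSON-encoded strings
            # (e.g. "resources": "[\"client.resource.<uuid>\"]"). Rewriting the raw
            # string is safe because a UUID never contains a quote or backslash.
            config = policy.get("config", {})
            for key, value in config.items():
                if isinstance(value, str):
                    config[key] = substitute_uuids(value, lookup, unresolved)
    return result, unresolved


def realm_management_authz(realm: dict) -> dict:
    """Convenience accessor for the realm-management authorizationSettings block."""
    for client in realm.get("clients", []):
        if client.get("clientId") == REALM_MANAGEMENT:
            return client.get("authorizationSettings", {})
    return {}


# Constructed sample export (not a real dump), shaped like the result of the
# steps in the issue: one managed client plus the realm-management entries
# Keycloak generates when "Permissions Enabled" is switched on for it.
CLIENT_UUID = "281acc18-5bb8-4740-9886-946bb633d489"
SAMPLE_EXPORT = {
    "realm": "fine-grained",
    "clients": [
        {"id": CLIENT_UUID, "clientId": "fine-grained-permission-client"},
        {"clientId": REALM_MANAGEMENT,
         "authorizationSettings": {
             "resources": [
                 {"name": f"client.resource.{CLIENT_UUID}", "type": "Client",
                  "scopes": [{"name": "configure"}, {"name": "manage"}]},
             ],
             "policies": [
                 {"name": "clientadmin-policy", "type": "group",
                  "config": {"groups": '[{"path":"/client-admin-group","extendChildren":false}]'}},
                 {"name": f"configure.permission.client.{CLIENT_UUID}", "type": "scope",
                  "config": {"resources": f'["client.resource.{CLIENT_UUID}"]',
                             "scopes": '["configure"]',
                             "applyPolicies": '["clientadmin-policy"]'}},
             ]}},
    ],
}

if __name__ == "__main__":
    rewritten, missing = rewrite_export(SAMPLE_EXPORT)
    print(json.dumps(realm_management_authz(rewritten), indent=2))
    if missing:
        print("unresolved UUIDs (no matching client in this export):", sorted(missing))
```

Run it against a real export with `json.load` in place of SAMPLE_EXPORT; the original dict is left untouched, and any UUID listed as unresolved points at a permission whose target client no longer exists in the export, which is worth cleaning up before feeding the file to the CLI.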

dowhiletrue commented 2 years ago

Hi @jkroepke

At first glance, https://github.com/adorsys/keycloak-config-cli/pull/650 seems to work well using the $clientId notation.

Thank you very much!

jkroepke commented 2 years ago

Hi @dowhiletrue,

glad to hear that it covers your case. I currently have serious issues around removing such policies from Keycloak through keycloak-config-cli. Additionally, the new Quarkus distribution has a different behavior compared to the legacy (WildFly) distribution. It will take some more time to merge the linked PR.