shreemaan-abhishek
commented
6 months ago how would these claims be passed to apisix? I mean how would apisix know which claims to pass?
Open Java-Superman opened 6 months ago
shreemaan-abhishek
commented
6 months ago how would these claims be passed to apisix? I mean how would apisix know which claims to pass?
Java-Superman
commented
6 months ago @shreemaan-abhishek
how would these claims be passed to apisix? I mean how would apisix know which claims to pass?
Defining it within the attributes of the authz-keycloak plugin. I'm not a lua dev, but something like:
claims : { "uri" : "var.uri", "myparam" : "var.arg_myparam" }
where they would be evaluated at runtime. I'll have to defer to you guys on how the properties above could be evaluated at runtime (finite set of things/eval method).
shreemaan-abhishek
commented
6 months ago Defining it within the attributes of the authz-keycloak plugin. I'm not a lua dev, but something like:
claims : { "uri" : "var.uri", "myparam" : "var.arg_myparam" }where they would be evaluated at runtime. I'll have to defer to you guys on how the properties above could be evaluated at runtime (finite set of things/eval method).
hardcoding them doesn't make sense to me.
Java-Superman
commented
6 months ago @shreemaan-abhishek
hardcoding them doesn't make sense to me.
I agree, but I'm suggesting the attribute values within the claims object would need to be evaluated within the lua script during a request.
For the example (changing syntax to use {} to allow for static values):
"plugins": {
"authz-keycloak": {
"claims": {
"uri": "{request.uri}",
"my-param": "{request.paramater['myparam']}",
}
}
}During an http request
The claim_token passed in the lua script would be:
claim_token = base64( stringify( { "uri": "/foo?myparam=1234", "my-param": "1234" } ) )
Basically, anything in the {} should be parsed and replaced with the appropriate value. Below are a few examples that would be nice to support.
| Description | Example Configuration String |
|---|---|
| Static Value | "anything you want" |
| Remote Address | "{request.remoteAddr}" |
| Method | "{request.method}" |
| URI | "{request.uri}" |
| URL | "{request.url}" |
| Secure | "{request.secure}" |
| Request Parameter | "{request.parameter['a']}" |
| Header | "{request.header['b']}" |
| Cookie | "{request.cookie['c']}" |
| Replace Multiple Placeholders | "called {request.method} {request.url}" |
shreemaan-abhishek
commented
6 months ago ah okay, makes sense to me now. I'm a noob when it comes to oidc/keycloak stuff.
This looks like a good to have but a big feature nevertheless. Let's wait for the community to drop their feedback.
Add claim_token to authz request
Using the JS Policy in Keycloak, I need to know the parameters in the URL to decide if the user has permission. An example would be how to handle the path
/region/1234/customers, where the user must belong togroup.regionId=1234Claims can be added to the authz request like this example.
It would be nice if the plugin added the uri (possibly other things) to the claim_token.
claim_token = base64( { "uri" : $request_uri } )put in authz-keycloak.luaIn Java using Keycloak's ServletPolicyEnforcerFilter, an example configuration file for claims looks like this.
Use the request path for the permission
For authz-keycloak.lua, I believe the permission config parameter could be optional if the authz request used
permission=$urlandpermission_resource_matching_uri=truewhen permission is not supplied (see here). This would allow permissions to be controlled based on the path within keycloak and not have the additional step of adding all the permissions to APISIX.NOTE: Relates to https://github.com/apache/apisix/issues/7190