authcrunch / authcrunch.github.io

Documentation for Caddy v2 Auth Portal and Authorize Plugins.

Keycloak user/group/role mapping #17

Closed axi92 closed 2 years ago

axi92 commented 2 years ago

I don't understand the user-group-role mapping right now.

The only config where I can change role user mappings is the Caddyfile?

  "roles": [
    "authp/user"
  ],

I thought I could add them in Keycloak and the roles would be updated when I authenticate again. We have users with different roles (based on permissions) but I can't see them in the json after the login. The only mapping that is applied is:

  transform user {
    match origin keycloak
    action add role authp/user
  }

So everybody that logs in with Keycloak gets the authp/user role. Did I miss a mapping from the Keycloak roles?

If you need the keycloak instance again I still got it offline =)

greenpau commented 2 years ago

@axi92, this is where I have not yet figured out how to propagate user groups to the id_token sent by Keycloak. I will try finding time to work on it next weekend.

greenpau commented 2 years ago

@axi92, however, you could use “user transforms” to grant roles too. You could match by realm and email to grant someone admin status. Then, match by realm only and grant authp/user.

axi92 commented 2 years ago

Ok, I am on to something. I need some further testing to figure out how the complete chain works. But I got the default mappings on the client. There are default mappers to do that.

I now get more roles:

  "roles": [
    "create-realm",
    "offline_access",
    "admin",
    "uma_authorization",
    "authp/user"
  ],

axi92 commented 2 years ago

I ran caddy in debug mode and decoded the id_token on jwt.io; along with the groups there is also a resource_access. Can you map that into the User Identity of the authp?

  "resource_access": {
    "caddy-security-portal": {
      "roles": [
        "industria_department-lead",
        "industria_project-lead"
      ]
    }
  },
  "email_verified": false,
  "name": ".....",
  "groups": [
    "create-realm",
    "offline_access",
    "admin",
    "uma_authorization"
  ],
  "resource_access": {
    "<client id>": {
      "roles": [
        "industria_department-lead",
        "industria_project-lead"
      ]
    }
  }
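
To see which claims in a Keycloak id_token actually carry role information, here is an added Python example (not part of this thread or of caddy-security) that decodes a token payload the way jwt.io does and flattens the `groups` list together with the per-client `resource_access` roles. The claims, the client id and the role names are constructed to match the fragment above, and the token is built locally with a dummy signature, so nothing here is a real Keycloak token.

```python
import base64
import json

# Constructed sample claims, shaped like the id_token pasted in this thread.
# The client id and role names are placeholders, not values from a real realm.
SAMPLE_CLAIMS = {
    "email_verified": False,
    "name": "Example User",
    "groups": ["create-realm", "offline_access", "admin", "uma_authorization"],
    "resource_access": {
        "caddy-security-portal": {
            "roles": ["industria_department-lead", "industria_project-lead"]
        }
    },
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unverified_token(claims: dict) -> str:
    """Build a header.payload.signature token for the demo; the signature is a dummy."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT without checking its signature (inspection only,
    like pasting a token into jwt.io); the auth portal performs the verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def collect_roles(claims: dict) -> list:
    """Flatten the role-like claims Keycloak emits: the 'groups' list and the
    per-client lists under resource_access.<client>.roles, prefixed by client
    so two clients defining the same role name do not collide."""
    roles = list(claims.get("groups", []))
    for client, access in claims.get("resource_access", {}).items():
        roles.extend(f"{client}/{role}" for role in access.get("roles", []))
    return sorted(set(roles))
```

Paste a token captured from caddy's debug log into `decode_payload` to see the same claim layout; `collect_roles` then shows which names a portal would have available to map onto `authp/*` roles.
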

axi92 commented 2 years ago

I added 2 built-in mappers.

If you need I can start the keycloak instance again so you can test on it.

greenpau commented 2 years ago

> If you need I can start the keycloak instance again so you can test on it.

@axi92 good job on exploring the options!!! I could only work on this on weekends.

greenpau commented 2 years ago

@axi92 , I just recreated the client setup and ran into the following issue:

2022/05/06 23:05:48.695 WARN    security        Authentication failed   {"session_id": "4Vm8BUcBtIRVLgWMWJIs3ZFfVmQyqVsCIpyAY8mJxkwk6", "request_id": "39579b16-0e37-432e-8cc6-7f15460d166c", "error": "failed validating OAuth 2.0 access token: OAuth 2.0 id_token email claim not found"}

In short, the access token sent by Keycloak does not have an email field.

Were you able to follow my instructions and get a working portal (although without roles)?

greenpau commented 2 years ago

@axi92, I am wondering whether I missed something in my documentation.

greenpau commented 2 years ago

> I am wondering whether I missed something in my documentation.

@axi92, solved it! 👍