Closed mmaeffert closed 3 weeks ago
Hi @mmaeffert ,
Thanks for raising this issue. We will change the default behavior to resource_access and not the realm_access. We are also planning to take the union of both the resource and realm roles. Will update you once this is available.
Update: the above fix of setting the role-claim behavior does in fact not work. Do you have a workaround in the meantime? I really do not want to have an admin role in my realm roles
Hi @mmaeffert , We have added this feature with #486 PR. We will update here once this is merged.
@mdanish98 Great, thanks. Will there be a release any time soon?
Hi @mmaeffert , the PR is merged, we will hopefully release a new SNAPSHOT version next week. Please feel free to use that image. Also, we are planning to release the next milestone version at the beginning of November.
Hi @mmaeffert ,
A new SNAPSHOT version has been released with this change. Could you please check and confirm?
I will close this issue since the problem was solved and a new snapshot release was published. If you think the problem is not solved by this, please feel free to reopen this issue.
Hi @aaronzi @mdanish98 Apologies for the late response. I pulled the image from 5 days ago, deployed it and the results are the same as before. I get denied and the logs still only show how they look into the realm_access. These are my roles:
```json
{
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "default-roles-platform"
    ]
  },
  "resource_access": {
    "AAS-submodel-repository-client-test": {
      "roles": [
        "admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }
}
```
Below you find the logs:
```
2024-10-21 13:31:05 2024-10-21T11:31:05.881Z DEBUG 1 --- [AAS Repository] [nio-8081-exec-3] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.eclipse.digitaltwin.basyx.submodelrepository.http.SubmodelRepositoryApiHTTPController#getAllSubmodels(Base64UrlEncodedIdentifier, String, Integer, Base64UrlEncodedCursor, String, String)
2024-10-21 13:31:05 2024-10-21T11:31:05.882Z  INFO 1 --- [AAS Repository] [nio-8081-exec-3] o.e.d.b.a.r.SimpleRbacPermissionResolver : roles: [offline_access, uma_authorization, default-roles-platform], action: READ, targetInfo: SubmodelTargetInformation [submodelIds=[], submodelElementIdShortPaths=[]] - matching-rule?: Optional.empty
2024-10-21 13:31:05 2024-10-21T11:31:05.882Z DEBUG 1 --- [AAS Repository] [nio-8081-exec-3] .m.m.a.ExceptionHandlerExceptionResolver : Using @ExceptionHandler org.eclipse.digitaltwin.basyx.http.BaSyxExceptionHandler#handleInsufficientPermissionException(InsufficientPermissionException, WebRequest)
2024-10-21 13:31:05 2024-10-21T11:31:05.883Z DEBUG 1 --- [AAS Repository] [nio-8081-exec-3] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/octet-stream', given [*/*] and supported [*/*]
2024-10-21 13:31:05 2024-10-21T11:31:05.883Z DEBUG 1 --- [AAS Repository] [nio-8081-exec-3] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.eclipse.digitaltwin.basyx.core.exceptions.InsufficientPermissionException: Insufficient Permission: The current subject does not have the required permissions for this operation.]
2024-10-21 13:31:05 2024-10-21T11:31:05.883Z DEBUG 1 --- [AAS Repository] [nio-8081-exec-3] o.s.web.servlet.DispatcherServlet : Completed 403 FORBIDDEN
```
Unfortunately I do not seem to have the right permission to reopen the issue
@mdanish98 you are supposed to look for `resource_access.<client_id>.roles` and not `resource_access.roles`
Hi @mmaeffert , Thanks for pointing this out. This was missed somehow. I will update here, once we address this issue.
Hi @mmaeffert , The changes have been made with the above-referenced PR; we will update you once the components are released. We are targeting the OTS release this week.
Hi @mmaeffert ,
The new Snapshot version with this change is released today, feel free to check on the released version :)
**Is your feature request related to a problem? Please describe.**
I was setting up OAuth for the submodel repository and it kept looking for roles inside the "realm_access" list. This should not be happening; this list is for Keycloak-specific stuff. I used the following line inside the application.properties: `spring.security.oauth2.resourceserver.jwt.claims.role-claim=resource_access.[my_client].roles`
This should not be necessary.
**Describe the solution you'd like**
I would wish for the application to look inside the resource_access by default.
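The claim-path handling this thread argues about, as an added illustration that is not BaSyx code: a resolver for a role-claim path in the `resource_access.[client].roles` form used in the property above, which treats a bracketed segment as one literal key, returns no roles rather than failing when a segment is absent (so the buggy `resource_access.roles` lookup simply yields nothing, and a token without the claim is denied), and takes the union of realm roles and the roles mapped to this client only. The claims dictionary is constructed from the token shown in the thread; the function and variable names are this example's own.

```python
"""Resolve Keycloak role-claim paths against decoded JWT claims and
combine realm roles with the roles mapped to one client."""
import re

# Constructed sample, modelled on the token payload posted in the issue.
SAMPLE_CLAIMS = {
    "realm_access": {
        "roles": ["offline_access", "uma_authorization", "default-roles-platform"]
    },
    "resource_access": {
        "AAS-submodel-repository-client-test": {"roles": ["admin"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
}

# A path segment is either "[literal key]" (may contain dots) or a run of
# characters up to the next dot or bracket.
_SEGMENT = re.compile(r"\[([^\]]+)\]|([^.\[\]]+)")


def split_claim_path(path):
    """'resource_access.[my.client].roles' -> ['resource_access', 'my.client', 'roles']."""
    return [m.group(1) or m.group(2) for m in _SEGMENT.finditer(path)]


def roles_at(claims, path):
    """Walk the path through nested dicts; return [] instead of raising when a
    segment is missing or the leaf is not a list, so a malformed or foreign
    token grants nothing rather than crashing the permission check."""
    node = claims
    for key in split_claim_path(path):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if not isinstance(node, list):
        return []
    return [role for role in node if isinstance(role, str)]


def effective_roles(claims, client_id):
    """Union of realm roles and the roles granted for this client.
    Roles mapped to other clients (e.g. 'account') are deliberately ignored."""
    realm = roles_at(claims, "realm_access.roles")
    client = roles_at(claims, f"resource_access.[{client_id}].roles")
    return sorted(set(realm) | set(client))


if __name__ == "__main__":
    # The lookup the thread reports as wrong yields nothing for this token.
    print("resource_access.roles ->", roles_at(SAMPLE_CLAIMS, "resource_access.roles"))
    print(effective_roles(SAMPLE_CLAIMS, "AAS-submodel-repository-client-test"))
```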