mauriciovigolo / keycloak-angular

Easy Keycloak setup for Angular applications.
MIT License
732 stars 280 forks

Allow Regex for `bearerExcludedUrls` #355

Open c00 opened 3 years ago

c00 commented 3 years ago

I would like to be able to input a regex in the bearer excluded urls property. I can see that in the code it's turned into a regex with `new RegExp(excludedUrl, 'i')` anyway, so the only thing stopping me is the TypeScript definition.

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search for issues before submitting
- [x] feature request

Versions.

Angular12, Keycloak angular 8.3.0

Repro steps.

Try this setup:

```ts
return this.keycloak.init({
  config: {
    ...
  },
  initOptions: {
    ...
  },
  bearerExcludedUrls: [
    'some-domain.com', // Currently allowed
    /https:\/\/([\w\d-]+)\.some-other-domain\.com/, // Currently not allowed
  ],
});
```

The log given by the failure.

TypeScript complains that regex is not assignable to string.

Desired functionality.

For the TypeScript definition to be adjusted to allow regexes here.

jonkoops commented 3 years ago

This sounds like a nice feature that I would like to see as well. I am currently swamped with other work so I cannot justify picking this up, but if someone felt like implementing it I would be more than willing to review the work.

Waterstraal commented 2 years ago

Please note that there's also a ticket that should change the behavior to an allowList: #121

KhizerRehan commented 4 months ago

I have a use case where I need to do some direct API integration with a 3rd party, but the problem is that we have enabled KeycloakInterceptor globally to attach the bearer token. Now if I want to attach a custom "bearer" token from some other site, just as an ad hoc requirement, I can see in the network request that Keycloak is overriding the custom bearer token and attaching the globally handled token.

Luckily, I found the `bearerExcludedUrls` property, but I just want to know, since regex is not supported and I have multiple endpoints, e.g.

How do I handle this? I understand the naive approach could be to add all endpoints, but that only works for ones that don't need a dynamic result, e.g. by ID. Do we have some custom logic?

E.g. like this: "some-domain.com/*", so that whatever endpoint starts with it should ignore the bearer token?

Your response would be appreciated. thx cc: @Waterstraal @c00

c00 commented 4 months ago

Issues are generally not meant for support requests. It's not nice to the open-source maintainers. (I am not a maintainer of this project.)

However, if you look here, you can see how the excluded urls are implemented.

And I can tell you from my own projects, just using a partial url does seem to work. For example:

```ts
bearerExcludedUrls: [
    '.stroopwafels.com/',
]
```

Would exclude all urls that have stroopwafels.com in them. So that would also cover foo.stroopwafels.com and bar.stroopwafels.com/foo/bar/meuk.pdf

I would advise to just run some tests locally. Doing some gets from your HttpService will get you the answer you're looking for.
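An added example, not part of the thread or the project's code: it models the matching described above, where each string entry is compiled with `new RegExp(entry, 'i')`, to show what a string entry really matches and how to write one that withholds the token only from the intended host. The function names, the `hostAndSubdomains` helper and the sample URLs are constructed for illustration, and passing `RegExp` entries through unchanged is the behaviour requested in this issue, assumed here rather than taken from the library.

```typescript
type Entry = string | RegExp;

// Strings become unanchored, case-insensitive patterns (as the issue describes);
// RegExp entries pass through unchanged (assumed, this is the requested feature).
function compileExcluded(entries: Entry[]): RegExp[] {
  return entries.map((e) => (typeof e === 'string' ? new RegExp(e, 'i') : e));
}

// True when the bearer token would be withheld from this URL.
function isExcluded(url: string, patterns: RegExp[]): boolean {
  return patterns.some((p) => {
    p.lastIndex = 0; // a /g or /y RegExp is stateful across test() calls
    return p.test(url);
  });
}

// Escape regex metacharacters so a string entry matches literally.
function escapeLiteral(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Regex source (usable as a plain string entry) anchored to one host and
// its subdomains over https, with an optional port and any path.
function hostAndSubdomains(host: string): string {
  return '^https://([a-z0-9-]+\\.)*' + escapeLiteral(host) + '(:\\d+)?(/|$)';
}

// Constructed sample URLs, not taken from the thread.
const SAMPLE_URLS: string[] = [
  'https://foo.stroopwafels.com/a.pdf',
  'https://other.example/r/xstroopwafelsXcom/',
  'https://api.partner.example/search?q=tea',
];

// For each sample URL: would the token be withheld under these entries?
function report(entries: Entry[]): boolean[] {
  const patterns = compileExcluded(entries);
  return SAMPLE_URLS.map((u) => isExcluded(u, patterns));
}

// '.stroopwafels.com/' also excludes the second URL: each dot matches any
// character and the pattern may match anywhere in the URL.
// 'api.partner.example/search?q=' excludes nothing: '?' makes the 'h'
// optional instead of matching a literal '?', so the token is still attached.
// escapeLiteral(...) and hostAndSubdomains(...) match only what was intended.
```

Because the helpers return regex source strings, they fit the current string-only typing of `bearerExcludedUrls`.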