Closed eshepelyuk closed 4 years ago
@eshepelyuk I am looking for a solution to restrict users at the API gateway level (I am using Kong) based on authorization scopes.
I am looking for a way to restrict users like GitHub does: in GitHub we have organization repos and each user has different access to an organization repo (read/write), or I can add a specific user to the organization with access to only one repository.
I think GitHub manages this by forming the URL https://github.com/org-name/username/reponame and restricting the user at the API gateway level if there is no access there.
Is this possible by using lua-resty-openidc UMA?
I am using Keycloak with Kong.
For me simple authorization in authentication is working based on scopes; I am looking to take it to the next level.
Please suggest if you have any suggestions or ideas, and correct me if I am wrong.
@harsh4870 I am not using Kong and this plugin anymore. Sorry, no suggestions from my side.
@eshepelyuk Sorry, but may I ask what you are using now and why you are not using Kong anymore?
To all those coming to this thread: posting my experiment and article details here, as it might be helpful to someone:
Currently, the plugin supports authentication (i.e. obtaining an access token) and token validation (via the introspection endpoint). Upstream servers need to perform authorization (check if the token has access to a particular URL) by themselves.
But actually this can be achieved using [UMA compatible endpoints](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions).
I.e. by calling the token endpoint with the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type Kong can check permissions, and terminate or forward the request. So, my question is: are there any plans to support authorization in this plugin? Thus, the plugin could become the complete solution for authentication / authorization with OAuth2 / OIDC compatible services like Keycloak or Gluu.
Actually lua-resty-openidc already has everything in place to implement those calls.
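As an added illustration of the UMA ticket grant described in this thread (not code from this plugin or from lua-resty-openidc), here is a gateway-side permission check in Python: the request is mapped to a `resource#scope`, Keycloak's token endpoint is asked for a decision with the caller's own access token, and the request is forwarded only on an explicit `{"result": true}`. The route map, resource names, token endpoint and `transport` callback are constructed assumptions; the `grant_type`, `audience`, `permission` and `response_mode=decision` parameters are Keycloak's documented UMA interface.

```python
import json
import re
from urllib.parse import urlencode
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Constructed mapping: (method, path pattern) -> Keycloak "resource#scope".
# Resource names mirror the GitHub-style org/repo layout from the question.
REPO_PATH = re.compile(r"^/api/orgs/([^/]+)/repos/([^/]+)$")
ROUTE_MAP = [
    ("GET", REPO_PATH, "repo:{0}/{1}#read"),
    ("PUT", REPO_PATH, "repo:{0}/{1}#write"),
    ("DELETE", REPO_PATH, "repo:{0}/{1}#admin"),
]

def permission_for(method, path):
    """Map an incoming request to the UMA permission it needs, or None."""
    for route_method, pattern, template in ROUTE_MAP:
        match = pattern.match(path)
        if route_method == method and match:
            return template.format(*match.groups())
    return None

def build_decision_request(audience, permission):
    """Form body for the UMA ticket grant, asking only for a yes/no decision."""
    return urlencode({
        "grant_type": UMA_GRANT,
        "audience": audience,          # client id of the resource server
        "permission": permission,      # "resource#scope"
        "response_mode": "decision",   # {"result": true} instead of an RPT
    })

def evaluate_decision(status, body):
    """Allow only on an explicit {"result": true}; 403 means access_denied."""
    if status == 200:
        return json.loads(body).get("result") is True
    if status == 403:
        return False
    raise RuntimeError(f"unexpected token endpoint response: {status}")

def check_access(transport, token_endpoint, audience, bearer, method, path):
    """Gateway hook: True only if the caller's token is authorised for the route."""
    # transport(url, form_body, headers) -> (status, text); the caller's own
    # access token is the bearer, so Keycloak evaluates that user's permissions.
    permission = permission_for(method, path)
    if permission is None:
        return False                   # unmapped route: fail closed
    body = build_decision_request(audience, permission)
    headers = {"Authorization": f"Bearer {bearer}"}
    status, text = transport(token_endpoint, body, headers)
    return evaluate_decision(status, text)
```

A real deployment would replace `transport` with an HTTP client posting to `https://<keycloak>/realms/<realm>/protocol/openid-connect/token` (placeholder host and realm) and call `check_access` from the plugin's access phase.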