p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

how do i map organization role to a keycloak regex-based policy #63

Closed mbuotidem closed 1 year ago

mbuotidem commented 1 year ago

Given the README example below, what would be the correct dot notation to get, say, the admin role in a regex-based policy mapper (https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_regex)?

```json
{
  "organizations": {
    "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {
      "name": "foo",
      "roles": [ "admin", "viewer" ]
    }
  }
}
```


mbuotidem commented 1 year ago

So that I'm not guilty of an XY problem, what I really want to achieve is to use an organization role to grant my users permissions on a resource via Keycloak authorization services. I've trawled the issues and the docs to see how roles are mapped to client policies/permissions/resources, but I didn't find a section that clarifies this. It's likely that my mental model of how this is supposed to work is all wrong.

xgp commented 1 year ago

Hi @mbuotidem . Thanks for the question, and the link to the "XY problem". I had never seen that, but now I want to put it in a bug/issue template. ;)

The short answer to your question is that we have not done much work with Keycloak authorization services, and we have generally steered customers away from its use, given its complexity and lack of documentation. However, I have used it before, and it is certainly possible to use the Regex Policy to detect the presence of a claim (or part of a claim), but I'm not a regex expert, so I won't be able to tell you what is the correct regex to use for nested JSON in the organization role claim.

As a side note, when I did work on a project using Keycloak authorization services a while ago, we found ourselves wishing for a JSON path policy type, as a lot of our policies related to content of JSON claims. If that is something you're encountering a lot, it is possible to build new policy types as extensions.

Sorry I couldn't be more helpful here.
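As an added illustration of the JSON-path style check described in the reply above (this is example code, not code from keycloak-orgs or from Keycloak's own Regex Policy), here is a stand-alone evaluator over the `organizations` claim shape from the question. The dotted path with a `*` wildcard for the per-organization UUID key, and the function names, are this example's own assumptions; the point it makes is that the pattern must be matched whole, so `admin` does not get satisfied by a role such as `admin-readonly`, and that a per-organization check is what scopes a permission to one tenant.

```python
import re
from typing import Any, Iterator

# Constructed sample in the claim shape from the question, with a second
# organization added so that anchoring of the pattern can be shown.
SAMPLE_CLAIMS = {
    "sub": "user-1",
    "organizations": {
        "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {"name": "foo", "roles": ["admin", "viewer"]},
        "0f1c1e9a-0000-4000-8000-000000000001": {"name": "bar", "roles": ["admin-readonly"]},
    },
}


def resolve_path(node: Any, path: list[str]) -> Iterator[str]:
    """Walk a dotted path through the claims. '*' (this example's own syntax)
    matches every key at that level, which is how the per-organization UUID
    key is crossed. String leaves and lists of strings yield one value each."""
    if not path:
        if isinstance(node, str):
            yield node
        elif isinstance(node, list):
            yield from (v for v in node if isinstance(v, str))
        return
    if not isinstance(node, dict):
        return
    head, rest = path[0], path[1:]
    keys = list(node) if head == "*" else ([head] if head in node else [])
    for key in keys:
        yield from resolve_path(node[key], rest)


def regex_policy_grants(claims: dict, target_claim: str, pattern: str) -> bool:
    """Grant when any value under target_claim matches the whole pattern.
    fullmatch is deliberate: a bare 'admin' must not be satisfied by
    'admin-readonly', which a search-style match would allow."""
    compiled = re.compile(pattern)
    return any(compiled.fullmatch(v) for v in resolve_path(claims, target_claim.split(".")))


def organizations_with_role(claims: dict, pattern: str) -> set[str]:
    """Organization ids in which some role matches the pattern whole: the value
    needed to scope a resource permission to a single tenant rather than
    granting it because the user is 'admin' somewhere."""
    compiled = re.compile(pattern)
    return {
        org_id
        for org_id, org in claims.get("organizations", {}).items()
        if any(compiled.fullmatch(r) for r in resolve_path(org, ["roles"]))
    }
```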

mbuotidem commented 1 year ago

That's fair and I agree that the documentation for authorization services could use some improvements. Did you ever get around to open sourcing the example you mentioned in https://github.com/p2-inc/keycloak-orgs/issues/10#issuecomment-1226090344?

xgp commented 1 year ago

@mbuotidem The admin portal component will be open sourced, but for now there isn't a great open source example. If you have specific questions about how to use the API, post them in issues here.