Closed mbuotidem closed 1 year ago
So that I'm not guilty of an XY problem, what I really want to achieve is use an organization role to grant my users permissions on a resource via keycloak authorization services. I've trawled the issues and the docs to see how roles are mapped to client policies/permissions/resources but I didn't find a section that clarifies this. It's likely that my mental model of how this is supposed to work is all wrong.
Hi @mbuotidem . Thanks for the question, and the link to the "XY problem". I had never seen that, but now I want to put it in a bug/issue template. ;)
The short answer to your question is that we have not done much work with Keycloak authorization services, and we have generally steered customers away from its use, given its complexity and lack of documentation. However, I have used it before, and it is certainly possible to use the Regex Policy to detect the presence of a claim (or part of a claim), but I'm not a regex expert, so I won't be able to tell you what is the correct regex to use for nested JSON in the organization role claim.
As a side note, when I did work on a project using Keycloak authorization services a while ago, we found ourselves wishing for a JSON path policy type, as a lot of our policies related to content of JSON claims. If that is something you're encountering a lot, it is possible to build new policy types as extensions.
Sorry I couldn't be more helpful here.
That's fair and I agree that the documentation for authorization services could use some improvements. Did you ever get around to open sourcing the example you mentioned in https://github.com/p2-inc/keycloak-orgs/issues/10#issuecomment-1226090344?
@mbuotidem The admin portal component will be open sourced, but for now there isn't a great open source example. If you have specific questions about how to use the API, post them in issues here.
Given the readme example below, what would be the correct dot notation to get say the `admin` role in a regex-based policy mapper: https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_regex?
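To make the maintainer's point about regex policies over nested JSON concrete, and the dot-notation question above, here is an added Python example; it is not code from this thread, from keycloak-orgs, or from Keycloak's own regex policy implementation. The token payload, the `organizations.<org-id>.roles` claim shape and the helper names (`get_claim`, `regex_policy`, `org_role_policy`) are assumptions for illustration. It models a regex check as "resolve the target claim by dot notation, serialise it, search with the pattern" and contrasts it with a structured lookup of the role list, showing how a loose pattern can grant a role the user does not actually hold.

```python
import json
import re

# Constructed sample token payload (assumed shape, modelled loosely on a nested
# per-organization claim; not taken from the thread or from keycloak-orgs).
CLAIMS = {
    "sub": "user-123",
    "organizations": {
        "org-a": {"name": "Acme", "roles": ["admin", "view-organization"]},
        "org-b": {"name": "sysadmin-team", "roles": ["viewer"]},
        "org-c": {"name": "Beta", "roles": ["admin-readonly"]},
    },
}


def get_claim(claims, dotted_path):
    """Resolve a dot-notation path such as 'organizations.org-a.roles'.
    Returns None if any segment is missing, instead of raising."""
    node = claims
    for key in dotted_path.split("."):
        if isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return None
    return node


def regex_policy(claims, target_claim, pattern):
    """Hypothetical model of a regex-style policy: whatever the target claim
    resolves to is serialised to text and searched with the pattern.
    A missing claim never grants."""
    value = get_claim(claims, target_claim)
    if value is None:
        return False
    text = value if isinstance(value, str) else json.dumps(value)
    return re.search(pattern, text) is not None


def org_role_policy(claims, org_id, role):
    """Structured check (what a JSON-path style policy type would do):
    grant only if the role appears as an element of that org's roles list."""
    roles = get_claim(claims, f"organizations.{org_id}.roles")
    return isinstance(roles, list) and role in roles


def demo():
    """Return (loose_regex_on_org, loose_regex_on_roles, tight_regex, structured)
    for an 'admin' decision on org-b and org-c, to show the difference."""
    return (
        # Pattern 'admin' against the whole org object: matches the org *name*.
        regex_policy(CLAIMS, "organizations.org-b", r"admin"),
        # Pattern 'admin' against the roles list: matches 'admin-readonly'.
        regex_policy(CLAIMS, "organizations.org-c.roles", r"admin"),
        # Quoting the role in the pattern avoids the substring match.
        regex_policy(CLAIMS, "organizations.org-c.roles", r'"admin"'),
        # The structured lookup says what the token really asserts.
        org_role_policy(CLAIMS, "org-b", "admin"),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The two `True` values in `demo()` are the failure mode to watch for: a regex policy that is too loose (unanchored, or pointed at a parent object rather than the roles list) grants `admin` from an organization name or a differently named role. If you do use a regex policy, target the most specific dot path the claim allows and match the complete role value; otherwise a small policy extension that inspects the list directly is easier to reason about and to review.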