Keycloak Policy enforcer supposed to work with Client Roles / Resource_access.{client-id}.roles?

[StephenOTT]

Continuation of #28965

Previous message from 28965:

Description

Based on some testing, (unless I have a config incorrect, but is difficult to tell give the complexities), the Policy Enforcement for Keycloak quarkus-keycloak-authorization works with Realm Roles, but is it also supposed to work with Client Roles that appear under the resource_access.{client-id}.roles path in the JWT?

I just get 403 responses when trying to use Resource access. I update the roles path as well to: quarkus.oidc.roles.role-claim-path=resource_access/backend-service/roles but this did not seem to work.

Is there any example of this usage?

What i have found is required to make PEP work with regular roles is something like:

quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.oidc.tls.verification=none
quarkus.oidc.token.issuer=any

quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false
quarkus.keycloak.policy-enforcer.paths.1.path=/account
quarkus.keycloak.policy-enforcer.http-method-as-scope=true

and authorization config:

{
    "allowRemoteResourceManagement": true,
    "policyEnforcementMode": "ENFORCING",
    "resources": [
      {
        "name": "Account",
        "ownerManagedAccess": false,
        "attributes": {},
        "_id": "4f2bde8d-41a6-4e46-8cbf-2840ed1923fd",
        "uris": [
          "/account"
        ],
        "scopes": [
          {
            "name": "GET"
          }
        ],
        "icon_uri": ""
      }
    ],
    "policies": [
      {
        "id": "0af1f193-0d4a-4352-b248-b149b6266324",
        "name": "has Account Manager",
        "description": "",
        "type": "role",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
            "roles": "[{\"id\":\"AccountManager\",\"required\":true},{\"id\":\"AccountManager\",\"required\":false}]"
        }
      },
      {
        "id": "1a53d29d-00c7-46f8-9384-c50b3eff60ed",
        "name": "Account Permission",
        "description": "",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
          "resources": "[\"Account\"]",
          "applyPolicies": "[\"has Account Manager\"]"
        }
      }
    ],
    "scopes": [
      {
        "id": "6759f487-be0e-4e2f-8560-38b5b3b4ae32",
        "name": "GET",
        "iconUri": "",
        "displayName": ""
      }
    ],
    "decisionStrategy": "UNANIMOUS"
  }

I am using quarkus-hibernate-reactive-rest-data-panache to generate the endpoints

Assuming that you want to centralize control of endpoints using Keycloak, Is quarks key cloak authorization setup /tested against using resource_access roles? From my testing above, it did not seem to work, but did work for roles that were Realm Roles.

[quarkus-bot[bot]]

/cc @pedroigor, @sberyozkin

[sberyozkin]

Thanks @StephenOTT for opening the discussion here, @pedroigor Can you clarify please ?

[sberyozkin]

@StephenOTT, once thing I can definitely confirm is this one:

Is quarks key cloak authorization setup /tested against using resource_access roles?

quarkus-keycloak-authorization does not make any authorization decisions locally in its code, Keycloak does.
Can you clarify something please,

From my testing above, it did not seem to work, but did work for roles that were Realm Roles.

Do you have @RolesAllowed set in your endpoint class or were these roles recognized by Keycloak authorization policies above ?

Thanks

[StephenOTT]

@sberyozkin i had no roles allowed annotation.

[pedroigor]

@StephenOTT You can use client roles in role-based policies [1]. Or am I missing something?

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_rbac