
Clients roles #366

Closed
hillout opened this issue Oct 30, 2023 · 11 comments · Fixed by #367

Comments

hillout commented Oct 30, 2023

Hi, here are some issues which I find noticeable.

Unable to use clients roles for authorization

Now, when configuring roles with --resources="uri=/*|roles=services", gatekeeper parses data from the token which includes only Keycloak Realm roles, for example:

part of token which contains the realm role:

  "realm_access": {
    "roles": [
      "services"
    ]
  }

And it works, meaning that user is being authorized based on role in the example.

However, if I assign a client's role, it doesn't work. And in this case token contains this part of role in this form:

  "resource_access": {
    "app-1": {
      "roles": [
        "services"
      ]
    }
  }

Authorization doesn't work. I get the error "403 Access to domain.org was denied". But at the same time I can see in Keycloak an active user session in that client (app-1). But I suppose that's the correct behavior.

the log output says:

msg=access denied, invalid roles headers

I also tried to use a Client role mapper, where I can define the token claim for the role myself; in this case it doesn't work either. Here is the mapper, and how it looks in the token:

(screenshot of the Client role mapper, 2023-10-30, not reproduced here)

Token:

  "roles": [
    "services"

Options

It would be great if there were an option to configure the use of these roles, for example with these keys:

  1. --resources="uri=/*|realm-roles=services" - for realm roles
  2. --resources="uri=/*|client-roles=services" - for client roles
  3. --resources="uri=/*|custom-roles=services" - for custom roles added by a client's roles mapper, but in this case it's necessary to add a predefined custom claim for the role, like custom-role-name=roles.

I think that most people could handle all cases using only the first two options.

p53 commented Oct 30, 2023

Hi, thanks for creating the issue! Yup, I think it is a valid use case. I think the reason it wasn't implemented is that you don't know ahead of time what the key for the roles will be. I will think about solutions for this problem.

@p53 p53 added the enhancement New feature or request label Oct 30, 2023
hillout (Author) commented Oct 30, 2023

@p53 thanks!

p53 commented Nov 1, 2023

@hillout @RadikSeyfullin I checked the code + documentation now; your use case is actually supported there. As you can see in the example in the docs, in several places there is:

  roles:
  - client:test1
  - client:test2

So it gathers realm roles + client roles from the token and matches them against these.

https://gogatekeeper.github.io/gatekeeper/userguide/#example-of-usage-and-configuration-with-keycloak

Does it not work for you? I can make the docs more explicit about roles.

@p53 p53 removed the enhancement New feature or request label Nov 1, 2023
RadikSeyfullin commented

@p53 thanks. It works for me now. I didn't understand that when I was reading the documentation.

p53 commented Nov 2, 2023

I will update the docs to be more helpful.

hillout (Author) commented Nov 2, 2023

@RadikSeyfullin hi, it doesn't work for me right now; maybe I configured it wrong. Here is what I've tried:

      - "--enable-default-deny=false"
      - "--resources=uri=/*|roles=app-1:test1"

And:

      - "--resources=uri=/*|roles=app-1:test1"

p53 commented Nov 2, 2023

@hillout did you set up a client role, not a custom claim, right?

hillout (Author) commented Nov 2, 2023

@RadikSeyfullin @p53 my mistake, it's working with:

"--resources=uri=/*|roles=app-1:test1"

Although you need to specify the flag:
- "--enable-default-deny=false"

Otherwise you'll get the error, because the default is true:
[error] you've enabled default deny and at the same time defined own rules for /*.

Also, it doesn't work without specifying uri=/*, so you can't put it like this: "--resources=roles=app-1:test1"

It would be handy if you could specify the roles as a standalone flag:
realm-role, client-role. Or it can work as it is now, because that gives more flexibility over the /path access rights, but again - docs :)

The documentation should definitely be updated; I can contribute.
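The behaviour the thread converges on is: realm roles from realm_access are matched by bare name, client roles from resource_access are matched in client:role form (roles=app-1:test1), a resource rule must carry uri=, and an own rule for /* conflicts with --enable-default-deny=true instead of merging with it. The following Go program is an added example written for this page, not gatekeeper's own code: the token payload is constructed, the flag parser (parseResource), the all-of role check (authorized) and the conflict check (validateFlags) are hypothetical helpers that only model what the comments above describe.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample access-token payload (not a real token): realm role
// "services" plus client role "test1" on client "app-1".
const sampleClaims = `{
  "realm_access": {"roles": ["services"]},
  "resource_access": {
    "app-1":   {"roles": ["test1"]},
    "account": {"roles": ["view-profile"]}
  }
}`

type accessClaims struct {
	RealmAccess    struct{ Roles []string `json:"roles"` }            `json:"realm_access"`
	ResourceAccess map[string]struct{ Roles []string `json:"roles"` } `json:"resource_access"`
}

// flattenRoles keeps realm roles as-is and prefixes client roles with
// "client:", the form used in roles=app-1:test1. The result is sorted so
// it is deterministic regardless of map iteration order.
func flattenRoles(payload string) ([]string, error) {
	var c accessClaims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	roles := append([]string{}, c.RealmAccess.Roles...)
	for client, access := range c.ResourceAccess {
		for _, r := range access.Roles {
			roles = append(roles, client+":"+r)
		}
	}
	sort.Strings(roles)
	return roles, nil
}

type resource struct {
	URI   string
	Roles []string
}

// parseResource is a hypothetical parser for "uri=/path|roles=a,b" written
// for this example; it rejects a rule without uri=, as the thread reports.
func parseResource(spec string) (resource, error) {
	var res resource
	for _, kv := range strings.Split(spec, "|") {
		key, val, ok := strings.Cut(kv, "=")
		switch {
		case !ok:
			return resource{}, fmt.Errorf("bad segment %q in %q", kv, spec)
		case key == "uri":
			res.URI = val
		case key == "roles":
			res.Roles = strings.Split(val, ",")
		default:
			return resource{}, fmt.Errorf("unknown key %q in %q", key, spec)
		}
	}
	if res.URI == "" {
		return resource{}, fmt.Errorf("resource %q has no uri=", spec)
	}
	return res, nil
}

// authorized reports whether the token holds every required role
// (all-of matching is an assumption of this example).
func authorized(tokenRoles, required []string) bool {
	have := make(map[string]bool, len(tokenRoles))
	for _, r := range tokenRoles {
		have[r] = true
	}
	for _, r := range required {
		if !have[r] {
			return false
		}
	}
	return true
}

// validateFlags models the startup conflict from the thread: an own rule
// for /* with default deny enabled is an error; the two do not merge.
func validateFlags(defaultDeny bool, resources []resource) error {
	for _, r := range resources {
		if defaultDeny && r.URI == "/*" {
			return fmt.Errorf("default deny enabled and own rule defined for %s", r.URI)
		}
	}
	return nil
}

func main() {
	roles, _ := flattenRoles(sampleClaims)
	res, _ := parseResource("uri=/*|roles=app-1:test1")
	fmt.Println(roles, authorized(roles, res.Roles), validateFlags(true, []resource{res}))
}
```

The point to notice is the negative case: a rule written as roles=test1 never matches the client role, because the flattened name is app-1:test1, which is exactly the configuration mistake reported earlier in the thread.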

p53 commented Nov 2, 2023

Probably this part of the docs will need an update; I will check the code to confirm:

resources:
- uri: /admin/test
  # the methods on this URL that should be protected, if missing, we assuming all

That error was added because some users were trying to use both at once, hoping that the rules from default-deny + resources would combine, which is not the case; default-deny is just a convenient default.

@p53 p53 linked a pull request Nov 2, 2023 that will close this issue
p53 commented Nov 2, 2023

@hillout if I understand your third case correctly, this is also supported by https://gogatekeeper.github.io/gatekeeper/userguide/#claim-matching (see the last example in that section).

@p53 p53 closed this as completed in #367 Nov 2, 2023
hillout (Author) commented Nov 3, 2023

@p53 hi, I confirm that all is working. Thanks!
