Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/06/03 04:14:00 UTC

[GitHub] [apisix] colmbrady opened a new issue, #7190: feat: As a user, I want to ..., so that ...

colmbrady opened a new issue, #7190:
URL: https://github.com/apache/apisix/issues/7190

   ### Description
   
   I am evaluating the Keycloak Authz plugin so that I can enforce Authorisation using Keycloak's Authorisation Engine.
   
   I am using ABAC policies in Keycloak to enforce authorisation using JavaScript (https://www.keycloak.org/docs/latest/authorization_services/#_policy_js).
   
   I need to enforce (in my JavaScript) that the HTTP Request URI received by ApiSix matches some information I have in my Claims. It seems that ApiSix has to pass the Request URI to Keycloak as a claim.
   
   Keycloak supports this via the Claim Information Point concept.
   
   https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_claim_information_point
   
   Do you think this would be a reasonable feature to add to the plugin?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] github-actions[bot] commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1573479376

   This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.




[GitHub] [apisix] spacewander commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1146723425

   @colmbrady 
   PR is welcome!




[GitHub] [apisix] colmbrady commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
colmbrady commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1148009148

   I would also be curious if ApiSix is suitable to enforce UMA authorisation also.
   
   https://www.keycloak.org/docs/latest/authorization_services/#_service_uma_authorization_process
   
   Would ApiSix be able to request a Ticket from Keycloak if a Resource Server returned a 403? Our Resource Server does not know how to get a ticket from Keycloak... but ApiSix could do it.
   
   The use case here is to make a legacy Resource Server look like a UMA Resource Server without having to enhance the legacy server.
   




[GitHub] [apisix] tzssangglass commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1146529892

   cc @starsz 




[GitHub] [apisix] colmbrady commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
colmbrady commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1158168951

   Actually, that's what the Keycloak Java Adapter implementation does, so likely a possible approach.
   
   https://github.com/keycloak/keycloak/blob/bfce612641a70e106b20b136431f0e4046b5c37f/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java#L184
   
   When a 403 happens, and if the adapter is configured to respect user-managed access, then it requests a ticket for the client and returns it, instead of just returning a 403.
   
   I guess this adapter is normally deployed on the resource server, as a gateway proxy. So it's similar to the function ApiSix might serve as a Policy Enforcement Point.
   
   




[GitHub] [apisix] github-actions[bot] commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1594438297

   This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.




[GitHub] [apisix] starsz commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1146810971

   Hi @colmbrady.
   Can you introduce the situation that supports `Claim Information Point`?
   I am a little confused.
   
   




[GitHub] [apisix] starsz commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1154028438

   > Here is the information about creating a UMA ticket, https://www.keycloak.org/docs/latest/authorization_services/#creating-permission-ticket
   > 
   > How would ApiSix know what resource the client is trying to access? This is why I think it is hard for ApiSix to create the ticket.
   
   Maybe we can fetch the resource in Keycloak via the HTTP API.




[GitHub] [apisix] colmbrady commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
colmbrady commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1148005383

   Hi @starsz 
   
   The aim is to use ApiSix as a Policy Enforcement Point (PEP) so that we can enforce authorisation. https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_overview
   
   Our use case for CIP is to confirm that information in the Request URI matches claims in the Keycloak JWT. We cannot do this currently because ApiSix is unable to pass the Request URI to Keycloak as a claim.
   
   Here is a similar example to our use case from the Keycloak Quickstarts:
   
   1. Policy Enforcer is configured to pass through the Request URI as a claim to Keycloak when evaluating a Policy. (We want ApiSix to support this capability)
   
   https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/src/main/resources/application.properties#L13
   
   2. Keycloak will make Request URI available in "Context" so we can use it to evaluate a policy.
   
   https://github.com/keycloak/keycloak-quickstarts/blob/latest/authz-js-policies/src/main/resources/match-user-from-uri.js
   
   Does this use case make sense now?
   



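As an added illustration of the CIP flow described in the comment above (this is not code from APISIX, Keycloak or the quickstarts): a Python sketch of a Policy Enforcement Point resolving `{request.uri}`-style claim placeholders into the claim map it would push to Keycloak with the authorization request, followed by the PDP-side check, in the spirit of the quickstart's match-user-from-uri.js, that the last URI path segment equals the token's `preferred_username`. The claim names (`http.uri` etc.), the request and the token contents are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed request as the gateway (PEP) would see it; not taken from the issue.
REQUEST = {
    "method": "GET",
    "uri": "/api/employee/alice?detail=full",
    "headers": {"X-Tenant": "acme"},
}

# Claims already known from the validated access token (constructed values).
ACCESS_TOKEN_CLAIMS = {"preferred_username": "alice", "tenant": "acme"}

# CIP configuration using the policy-enforcer placeholder syntax from the
# Keycloak docs; the claim names on the left are assumptions.
CIP_CLAIMS = {
    "http.uri": "{request.uri}",
    "http.method": "{request.method}",
    "tenant.header": "{request.header['X-Tenant']}",
}

_PLACEHOLDER = re.compile(r"\{request\.(uri|method|header\['([^']+)'\])\}")


def resolve_claims(config, request):
    """Resolve CIP placeholders against the incoming request.

    Returns the claim map (list-valued, as Keycloak expects pushed claims)
    that the PEP would attach to its authorization request."""
    resolved = {}
    for name, template in config.items():
        def substitute(match):
            if match.group(1) == "uri":
                return request["uri"]
            if match.group(1) == "method":
                return request["method"]
            return request["headers"].get(match.group(2), "")
        resolved[name] = [_PLACEHOLDER.sub(substitute, template)]
    return resolved


def match_user_from_uri(pushed_claims, token_claims):
    """PDP-side ABAC check: grant only when the URI's last path segment is the
    authenticated user, so alice cannot read /api/employee/bob."""
    uri = pushed_claims.get("http.uri", [""])[0]
    owner = urlparse(uri).path.rstrip("/").rsplit("/", 1)[-1]
    return owner == token_claims.get("preferred_username")
```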

[GitHub] [apisix] colmbrady commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
colmbrady commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1149210943

   I've thought about ApiSix and UMA a little more and I'm not 100% sure it's a good idea to let ApiSix manage UMA tickets. But I'll outline my thinking here, and let's see what you think.
   
   With the UMA protocol, the "policy enforcer" (ApiSix in my example) expects an RPT (Requesting Party Token) Bearer JWT to be sent by the client when accessing the Resource Server.
   
   ApiSix could introspect the client's token to tell if it is an RPT token or not, and would need to check if it had the required permission to access the resource (**This might be a problem because how does ApiSix know what permissions are needed?? Only the resource server knows, as that's where the business logic is** configuration?).
   
   If the client Bearer token is NOT an RPT, or does not have the appropriate permissions, **ApiSix could ask Keycloak** for a Permission ticket and return a 401 error, with the ticket.
   
   ```http
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: UMA realm="${realm}",
       as_uri="https://${host}:${port}/realms/${realm}",
       ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
   ```
   
   If the client Bearer token IS an RPT, and has appropriate permissions, then the ApiSix can forward the request to the Resource Server.
   
   **Why can't the Resource Server do this?**
   Well - it could. But it means that every resource behind the Resource Server needs to understand how to generate a UMA 401 response. For our system, this is a lot of refactoring of our APIs.
   
   I wanted to centralise this behind ApiSix API Gateway so that I can enforce this once in my architecture, and not in every Resource Server... but ... from Keycloak Documentation:
   
   **_"Only resource servers are allowed to create those tokens."_**  - So - if ApiSix is a Policy Enforcer, it should NOT also be a Resource Server. It is wearing two hats!
   
   I now think that ApiSix probably can't do the full UMA workflow, as it's beyond the scope of a Policy Enforcer. (Or it needs to be a separate plugin at least. It's a UMA plugin, NOT a Policy Enforcer Authz plugin.)
   
   However, I do think ApiSix can become a Policy Enforcement point, and support the CIP like we discussed above.
   



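To make the branch logic in the comment above concrete, here is an added Python sketch (not APISIX or Keycloak code) of a Policy Enforcement Point that forwards the request only when the bearer token is an RPT carrying every scope the route requires, and otherwise obtains a permission ticket and answers 401 with the UMA challenge quoted above; a small parser for that challenge is included so the header can be checked. Realm, as_uri, the introspected token shape and the per-route required scopes are constructed assumptions, and the thread's open question of where the required permissions come from is modelled as route configuration handed to `enforce`.

```python
import re

# Constructed deployment values; in practice these come from plugin config.
REALM = "demo"
AS_URI = "https://keycloak.example.test/realms/demo"

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def uma_challenge(realm, as_uri, ticket):
    """Build the WWW-Authenticate value for the 401 shown in the thread."""
    return f'UMA realm="{realm}", as_uri="{as_uri}", ticket="{ticket}"'


def parse_uma_challenge(header):
    """Parse a WWW-Authenticate UMA challenge (whitespace/newlines tolerated).

    Returns the auth-params as a dict, or None when the scheme is not UMA."""
    scheme, _, params = header.strip().partition(" ")
    if scheme != "UMA":
        return None
    return dict(_PARAM.findall(params))


def rpt_scopes(token):
    """Scopes granted by an RPT: Keycloak places them under the
    'authorization.permissions' claim. A plain access token has none."""
    permissions = token.get("authorization", {}).get("permissions", [])
    return {s for p in permissions for s in p.get("scopes", [])}


def enforce(token, required_scopes, issue_ticket):
    """PEP decision for one request.

    token           -- already-introspected claims of the bearer token (dict)
    required_scopes -- scopes this route needs (route config; assumption)
    issue_ticket    -- callable that asks the AS for a permission ticket
    Returns (status, www_authenticate): 200 to forward upstream, or 401
    carrying the ticket so the client can obtain an RPT."""
    granted = rpt_scopes(token)
    if granted and required_scopes <= granted:
        return 200, None
    # Not an RPT, or an RPT lacking a required scope: hand out a ticket.
    return 401, uma_challenge(REALM, AS_URI, issue_ticket())
```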

[GitHub] [apisix] github-actions[bot] closed issue #7190: Keycloak Authz should support Claim Information Point

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #7190: Keycloak Authz should support Claim Information Point
URL: https://github.com/apache/apisix/issues/7190




[GitHub] [apisix] colmbrady commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
colmbrady commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1149283956

   Here is the information about creating a UMA ticket, https://www.keycloak.org/docs/latest/authorization_services/#creating-permission-ticket
   
   How would ApiSix know what resource the client is trying to access? This is why I think it is hard for ApiSix to create the ticket.




[GitHub] [apisix] starsz commented on issue #7190: Keycloak Authz should support Claim Information Point

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1148815569

   > https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/src/main/resources/application.properties#L13
   
   Oh, thank you for explaining this patiently. Now I think it's an excellent idea to support Claim Information Point.
   
   > Would ApiSix be able to request a Ticket from Keycloak if a Resource Server returned a 403
   
   Another question, why should APISIX request a Ticket if a Resource Server returned a 403?
   IMO, I think the client should send another request to get a ticket from APISIX.

