You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2022/09/10 19:27:00 UTC

[jira] [Commented] (SOLR-16230) JWT-Auth: Support for Keycloak-Style nested roles

    [ https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602758#comment-17602758 ] 

Jan Høydahl commented on SOLR-16230:
------------------------------------

I believe the PR is ready now. Thanks Marco for the contribution.

Appreciate a final review, especially the RefGuide wording. I plan to commit to main and 9x on Tuesday.

New refguide-wording for 'rolesClaim' is (bold text added): 
{quote}What claim id to pull user roles from. {*}Both top-level claim and nested claim is supported. Use 'someClaim.child' syntax to address a 'claim' child nested within the 'someClaim' object{*}. The claim must then either contain a space separated list of roles or a JSON array. The roles can then be used to define fine-grained access in an Authorization plugin
{quote}

> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
>                 Key: SOLR-16230
>                 URL: https://issues.apache.org/jira/browse/SOLR-16230
>             Project: Solr
>          Issue Type: New Feature
>          Components: Authentication, Authorization
>    Affects Versions: 8.11.1
>         Environment: Solr 8.11 with Keycloak 16.1.1
>            Reporter: Marco
>            Assignee: Jan Høydahl
>            Priority: Major
>         Attachments: image-2022-06-07-15-05-08-010.png, image-2022-06-08-09-28-22-021.png
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> The _rolesClaim_ for a JWT Token, as documented in [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters,] does not support "nested roles".
> That is, consider the following claim, as returned by [keycloak|[https://www.keycloak.org/]] if the user has the role _user_ for the client {_}solr{_}:
> {{"resource_access": {}}
> {{    "solr": {}}
> {{      "roles": [}}
> {{        "user"}}
> {{      ]}}
> {{    },}}
> {{    "account": {}}
> {{      "roles": [}}
> {{        "manage-account",}}
> {{        "manage-account-links",}}
> {{        "view-profile"}}
> {{      ]}}
>    }
>  
> Here a nested roles claim would have to apply to match. Something like _rolesClaim="resource_access.solr.roles"_
> This is currently not supported. I am working on a Pull Request.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org