Posted to notifications@apisix.apache.org by "unreal-altran (via GitHub)" <gi...@apache.org> on 2023/04/06 12:36:55 UTC

[GitHub] [apisix] unreal-altran opened a new issue, #9256: authz-keycloak plugin can implement support to classical browser flow (bearer_only: false)

unreal-altran opened a new issue, #9256:
URL: https://github.com/apache/apisix/issues/9256

   ### Description
   
   From the plugin [documentation](https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/) it seems it is not possible to use the classic browser flow for NO-REST WEB applications.
   
   With the ApiSix [openid-connect](https://apisix.apache.org/docs/apisix/plugins/openid-connect/) plugin it is possible to set the `bearer_only: false` property, but this plugin does not enforce the security policies (PEP) like the authz-keycloak plugin does, so currently it seems not possible with ApiSix + plugins to protect a WEB application by applying the security policies without having to touch the source code of the WEB application to protect.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [I] help request: authz-keycloak plugin to support auth code flow (bearer_only: false) [apisix]

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9256:
URL: https://github.com/apache/apisix/issues/9256#issuecomment-1869926549

   ping @unreal-altran 




Re: [I] help request: authz-keycloak plugin to support auth code flow (bearer_only: false) [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9256:
URL: https://github.com/apache/apisix/issues/9256#issuecomment-1872404571

   > I would like to obtain the exact opposite behavior and manage a browser login guided by this specific plugin that also support the PEP policy.
   > 
   > It is not clear to me from the plugin documentation if and how it is possible to achieve this result.
   
   I just tried to implement RBAC in keycloak and use it with `openid-connect` plugin but it didn't work out. I suspect it is not supported currently and found a related conversation here: https://github.com/zmartzone/lua-resty-openidc/issues/222
   
   Here's how I set up keycloak:
   
   * create realm, client, and user
   * enable Authorization in the client
   * create a realm role called `admin`
   * create a resource and configure it with the URI I want to protect (same as the route URI) under Authorization
   * create a role-based policy that requires the previously created realm role `admin`
   * create a resource-based permission that maps the policy to the resource
   * map the realm role `admin` to the user
   
   So if the user doesn't have the realm role `admin`, one could expect the access to be denied. In my testing, the request still went through even when the user didn't have the realm role `admin`.
   
   I'm just documenting what I have attempted here for future reference.
   
   As an alternative, we could perhaps leverage scope-based access control with `required_scope`: https://github.com/apache/apisix/pull/10493
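
An added example, not taken from the thread or from the APISIX project, of the combination the issue is asking for: `openid-connect` with `bearer_only: false` handles the browser login, and `authz-keycloak`, which runs after it on the same route, asks Keycloak for a permission decision against the resource created for the URI in the setup above. Host name, realm, client name and the secret placeholder are constructed; it assumes that `access_token_in_authorization_header: true` makes the access token visible to `authz-keycloak` as a bearer token, which the thread does not confirm end-to-end.

```yaml
# APISIX standalone route file (apisix.yaml); values are constructed for illustration.
routes:
  - uri: /app/*
    plugins:
      # Step 1: browser login. bearer_only: false lets the plugin redirect an
      # unauthenticated browser to Keycloak instead of rejecting it.
      openid-connect:
        client_id: apisix-client
        client_secret: REPLACE_WITH_CLIENT_SECRET
        discovery: https://keycloak.example.test/realms/myrealm/.well-known/openid-configuration
        scope: openid profile
        bearer_only: false
        redirect_uri: /app/callback
        # Assumption: expose the session's access token as "Authorization: Bearer ..."
        # so the lower-priority authz-keycloak plugin can read it.
        access_token_in_authorization_header: true
      # Step 2: policy enforcement (PEP). The plugin sends a UMA permission
      # request for the resource that matches the request path; Keycloak
      # evaluates the role-based policy and the gateway denies on a negative decision.
      authz-keycloak:
        client_id: apisix-client
        client_secret: REPLACE_WITH_CLIENT_SECRET
        discovery: https://keycloak.example.test/realms/myrealm/.well-known/uma2-configuration
        # ENFORCING: a request with no matching resource or permission is denied
        # rather than passed through.
        policy_enforcement_mode: ENFORCING
        # Resolve the protected resource from the request URI at request time,
        # matching the resource whose URI was registered in the Keycloak client.
        lazy_load_paths: true
        # Send the browser somewhere useful instead of a bare 403 on denial.
        access_denied_redirect_uri: /app/denied
    upstream:
      type: roundrobin
      nodes:
        "app.internal:8080": 1
#END
```

A user without the realm role `admin` still completes the login in step 1 but is stopped at step 2, which is the behaviour the `openid-connect` plugin alone did not provide in the test above.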




Re: [I] authz-keycloak plugin can implement support to classical browser flow (bearer_only: false) [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9256:
URL: https://github.com/apache/apisix/issues/9256#issuecomment-1857637441

   > classic browser flow
   
   You mean authorization code flow?




[GitHub] [apisix] unreal-altran commented on issue #9256: authz-keycloak plugin can implement support to classical browser flow (bearer_only: false)

Posted by "unreal-altran (via GitHub)" <gi...@apache.org>.
unreal-altran commented on issue #9256:
URL: https://github.com/apache/apisix/issues/9256#issuecomment-1515798548

   Is support for `bearer_only: false` foreseen in the plugin roadmap?
   Any news?




Re: [I] help request: authz-keycloak plugin to support auth code flow (bearer_only: false) [apisix]

Posted by "unreal-altran (via GitHub)" <gi...@apache.org>.
unreal-altran commented on issue #9256:
URL: https://github.com/apache/apisix/issues/9256#issuecomment-1870257304

   Yes, with the Bearer-only access type, meaning that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins.
   
   So if you select your client as bearer-only, then in that case my Keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That is why the Keycloak documentation also mentions that a bearer-only application will not allow the login from the browser.
   
   I would like to obtain the exact opposite behavior and manage a browser login guided by this specific plugin that also supports the PEP policy.
   
   It is not clear to me from the plugin documentation if and how it is possible to achieve this result.
   
   
   

