
Add an AccessProvider implementation for users of keycloak-restrict-client-auth #310

Open
xgp opened this issue Jan 27, 2025 · 1 comment
Labels
customer Customer request enhancement New feature or request

Comments

xgp commented Jan 27, 2025

Description

Some customers use https://github.com/sventorben/keycloak-restrict-client-auth to restrict client authorization based on role or policy. They would like the ability to restrict based on organization membership or organization role.

This plugin has an SPI for adding access providers that we can implement. See:

See the plugin's example of restricting based on client roles:

We are not going to bundle the keycloak-restrict-client-auth library and the pom dependency should be optional.

We should implement this as an EnvironmentDependentProviderFactory that tries to load a class from the library in order to see if it should return true for isSupported.

2 implementations

organization membership

2 params (ProviderConfigProperty for getConfigMetadata)

  • organization - the name of the organization
  • isRegex - if the organization name is a regex

permitted if the user has an organization with getName that matches exactly (if isRegex is false) or matches the regex (if isRegex is false)

organization role

3 params (ProviderConfigProperty for getConfigMetadata)

  • organization - the name of the organization
  • isRegex - if the organization name is a regex
  • role - the name of the role

permitted if the user has an organization with getName that matches exactly (if isRegex is false) or matches the regex (if isRegex is false) AND the user has a role within any of the matched organizations that exactly matches the role getName.

@xgp xgp added enhancement New feature or request customer Customer request labels Jan 27, 2025
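A sketch of the factory described above, written as an added example (it is not code from this issue, from the project, or from keycloak-restrict-client-auth). It covers the organization-role variant; the membership variant is the same class with `role` left unset. Everything outside the Keycloak core API is an assumption to verify against the library versions you build against: the package name, the `AccessProvider`/`AccessProviderFactory` method names (`isRestricted`, `isPermitted`, `enableFor`), the `restricted-access` client-role convention, and the organizations calls `getUserOrganizationsStream`, `getRoleByName` and `hasRole`.

```java
// Added example, not the project's code. Assumed/hypothetical: the package name, the
// AccessProvider / AccessProviderFactory signatures, the "restricted-access" client role,
// and the OrganizationProvider / OrganizationModel calls. Verify against your versions.
package io.phasetwo.keycloak.restrict;

import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import java.util.stream.Stream;
import org.keycloak.Config;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import de.sventorben.keycloak.authorization.client.AccessProvider;        // assumed SPI type
import de.sventorben.keycloak.authorization.client.AccessProviderFactory; // assumed SPI type
import io.phasetwo.service.model.OrganizationModel;                       // assumed orgs API
import io.phasetwo.service.model.OrganizationProvider;                    // assumed orgs API

/** Permits a client login only for members of a matching organization that hold a given role. */
public class OrganizationRoleAccessProviderFactory
    implements AccessProviderFactory, EnvironmentDependentProviderFactory {

  static final String ID = "organization-role";
  static final String RESTRICTED_ROLE = "restricted-access"; // assumed plugin convention

  private String organization;
  private boolean isRegex;
  private String role;      // null => plain membership check
  private Pattern pattern;  // compiled once at init when isRegex is true

  @Override
  public boolean isSupported(Config.Scope config) {
    // The library is an optional dependency: advertise this factory only when its SPI is present.
    try {
      Class.forName("de.sventorben.keycloak.authorization.client.AccessProvider",
          false, getClass().getClassLoader());
      return true;
    } catch (ClassNotFoundException e) {
      return false;
    }
  }

  @Override
  public void init(Config.Scope config) {
    organization = config.get("organization");
    isRegex = config.getBoolean("isRegex", false);
    role = config.get("role");
    if (isRegex && organization != null) {
      try {
        pattern = Pattern.compile(organization); // fail at startup, not on a user's first login
      } catch (PatternSyntaxException e) {
        throw new IllegalArgumentException("organization is not a valid regex: " + organization, e);
      }
    }
  }

  @Override
  public List<ProviderConfigProperty> getConfigMetadata() {
    return ProviderConfigurationBuilder.create()
        .property().name("organization").type(ProviderConfigProperty.STRING_TYPE)
            .helpText("Organization name, or a regex when isRegex is true").add()
        .property().name("isRegex").type(ProviderConfigProperty.BOOLEAN_TYPE)
            .defaultValue(false).add()
        .property().name("role").type(ProviderConfigProperty.STRING_TYPE)
            .helpText("Organization role the user must hold in a matched organization").add()
        .build();
  }

  @Override
  public AccessProvider create(KeycloakSession session) {
    OrganizationProvider orgs = session.getProvider(OrganizationProvider.class);
    return new AccessProvider() {
      @Override public boolean isRestricted(ClientModel client) {
        return client.getRole(RESTRICTED_ROLE) != null;
      }
      @Override public void enableFor(ClientModel client) {
        if (!isRestricted(client)) client.addRole(RESTRICTED_ROLE);
      }
      @Override public boolean isPermitted(ClientModel client, UserModel user) {
        if (organization == null) return false; // misconfigured provider must fail closed
        Stream<OrganizationModel> matched = orgs
            .getUserOrganizationsStream(session.getContext().getRealm(), user)
            .filter(o -> isRegex
                ? pattern.matcher(o.getName()).matches() // anchored full match, not find()
                : organization.equals(o.getName()));
        if (role == null) return matched.findAny().isPresent();
        return matched.anyMatch(o -> o.getRoleByName(role) != null
                                  && o.getRoleByName(role).hasRole(user));
      }
      @Override public void close() {}
    };
  }

  @Override public void postInit(KeycloakSessionFactory factory) {}
  @Override public void close() {}
  @Override public String getId() { return ID; }
}
```

Two points worth keeping in mind when turning this into a real implementation: the regex is checked with `matches()`, so a configured value of `acme` does not also admit `acme-staging` the way `find()` would, and a missing `organization` denies rather than permits. Because this class implements the library's factory interface, the JVM cannot load it at all when the library jar is absent; Keycloak only looks up factories for SPIs it has discovered, so the `isSupported` check is a belt-and-braces guard rather than the thing that keeps startup from failing, and the Maven dependency still needs `<optional>true</optional>` so the jar is not pulled in transitively.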
xgp commented Jan 28, 2025

I just realized that the keycloak-restrict-client-auth author doesn't publish to maven central (same guy that wrote the home idp plugin and doesn't publish it).

2 options.

  1. Fast. Just do this in a separate repo, and use jitpack to load the optional dependency. Customer(s) can load a separate jar if they really need this.
  2. Slow. Create a separate repo that uses jitpack, has no other dependencies than this one library, and uses the maven shade plugin to include it in a jar we publish to maven central under our own groupId. Might not be a bad option for both this and his home idp plugin. Then we can import those libraries from maven central.

Using jitpack

```xml
<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>
...
<dependency>
    <groupId>com.github.sventorben</groupId>
    <artifactId>keycloak-restrict-client-auth</artifactId>
    <version>v26.0.0</version>
</dependency>
```
