Search code examples
fiwarefiware-orionfiware-wilmafiware-keyrock

Orion APIs authorization through Keycloak

After testing authentication in Orion with keycloak (Orion APIs authentication through Keycloak) with kong-pep-plugin, I'm interested in the authorization too; in particular, I want to give specific permissions (on path and verb) to users/groups like I used to do with AuthZForce.

Could you help me?

Thank you

Solution

  • sorry that I only see your request right now. This is very much tied to configuring Keycloak, but it is possible, yes. The kong-pep-plugin delegates all decisions to Keycloak's Authorization Serivces and just takes its decision. Thus, you should read the documentation on that: https://www.keycloak.org/docs/latest/authorization_services/index.html An example (declarative)configuration for allowing different groups to access different paths can be found in the integration-tests: https://github.com/FIWARE/kong-plugins-fiware/blob/main/it/src/test/k3s/keycloak.yaml#L518-L567 Another, better readable, example is our demo environment:
    https://github.com/FIWARE-Ops/fiware-gitops/blob/master/aws/fiware/keycloak/templates/realmConfigMap.yaml#L139-L203 This combination of resources and policies allows the group "consumer" to access the path "/keycloak/ngsi-ld/v1/", while the group "admin" can also access "/keycloak/". The authorization services allow for much more fine-grained and powerful configurations, so I really recommend the official documentation on it. Best

    As an addition for the GET/POST question:

    Thats something you can implement with the javascript policies feature from Keycloak(keycloak.org/docs/latest/authorization_services/…). The kong-plugin forwards the http method as "http.method" claim(see github.com/FIWARE/kong-plugins-fiware/blob/main/kong-pep-plugin/…) An example policy could granting access only for GET requests could look like:

    var context = $evaluation.getContext();
var attributes = context.getAttributes();
var method = attributes.getValue('http.method').asString(0); 
if (method === 'GET')
 {$evaluation.grant();

    Combining a resource policy with such a js-policy would give you the access-control you want.