Keycloak custom SPI REST Endpoint with authorization

I'm trying to make a custom SPI with a custom REST endpoint, which should authenticate and authorise incoming requests by evaluating permissions on the requested resources. With the help of a debugger I found out that I should use the class TokenEndpoint.java and call the method permissionGrant() inside my REST-handler method, but when I try to create an instance of TokenEndpoint, I get an error from RESTEasy and Keycloak crashes. Do you have any examples of how I can do this?

Vyacheslav Samsonov asked Feb 01 '19 15:02


1 Answer

I would suggest having a look at the following project: keycloak-avatar-minio-extension.

First you have to implement a RealmResourceProviderFactory and a RealmResourceProvider.

Second you need a resource that is returned when the getResource() in your RealmResourceProvider is triggered.

Your resource is a class in which you define your endpoint. To check the authorization you can create a method like this:

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

// Returns the authenticated identity behind the current request, or null when the
// request carries no valid Keycloak identity cookie for this realm.
private AuthenticationManager.AuthResult resolveAuthentication(KeycloakSession session) {
    AppAuthManager appAuthManager = new AppAuthManager();
    RealmModel realm = session.getContext().getRealm();

    // authenticateIdentityCookie() already yields null for a missing or invalid cookie,
    // so its result can be returned directly.
    return appAuthManager.authenticateIdentityCookie(session, realm);
}

This method is called in the constructor and sets the private final AuthenticationManager.AuthResult auth; field inside your Resource.

Now inside your endpoint implementation you can simply check if auth is not null, or, if needed, do more sophisticated stuff like inspecting the user or the token which is available in your auth variable.

Val answered Oct 04 '22 21:10

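As an added example (not code from the question, the answer or the keycloak-avatar-minio-extension project), here is how the answer's pattern fits into a complete resource: the identity is resolved once in the constructor, and the endpoint first checks authentication and then evaluates authorization against a realm role carried in the token. The class name, endpoint path and role name are assumptions, as is the pre-12 Keycloak API (javax.ws.rs, AppAuthManager instance method) that the answer's own snippet uses.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;

// Hypothetical resource class (assumed name) that a RealmResourceProviderFactory would create per request.
public class ProtectedReportResource implements RealmResourceProvider {
    // Constructed example role name; in a real deployment this is whatever role guards the endpoint.
    private static final String REQUIRED_ROLE = "report-reader";
    private final AuthenticationManager.AuthResult auth;

    public ProtectedReportResource(KeycloakSession session) {
        // Resolve the caller once, in the constructor, exactly as the answer describes.
        this.auth = resolveAuthentication(session);
    }

    // Same check as the answer: authenticate through the realm's identity cookie (SSO session);
    // returns null when there is no valid cookie for this realm.
    private static AuthenticationManager.AuthResult resolveAuthentication(KeycloakSession session) {
        RealmModel realm = session.getContext().getRealm();
        return new AppAuthManager().authenticateIdentityCookie(session, realm);
    }

    @Override public Object getResource() { return this; } // JAX-RS annotations below apply to this object

    @GET
    @Path("report")
    @Produces(MediaType.APPLICATION_JSON)
    public Response report() {
        if (auth == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build(); // fail closed: no identity, no data
        }
        // Authorization step: require a realm role from the token; null-guard because a token may carry none.
        AccessToken.Access realmAccess = auth.getToken().getRealmAccess();
        if (realmAccess == null || !realmAccess.isUserInRole(REQUIRED_ROLE)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("{\"user\":\"" + auth.getUser().getUsername() + "\"}").build();
    }

    @Override public void close() { }
}
```

Keeping the authentication result in a final field means every endpoint on the resource sees the same verified identity, and an endpoint cannot be added later that forgets to resolve it.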