Keycloak custom SPI REST Endpoint with authorization

Question

I'am trying to make custom SPI with custom REST endpoint, which should authenticate and authorise incoming requests by evaluating permissions on requested resources. With help of debugger I found out, that I should use class TokenEndpoint.java and call method permissionGrant() inside my REST-handler method, but when I try to create instance of TokenEndpoint, I've got error with REASTEASY and Keycloak crashes. Do you have any examples, how can I do this?

Answer 1

I would suggest to have a look at the following project: keycloak-avatar-minio-extension.

First you have to implement a RealmResourceProdiverFactor and a RealmResourceProdiver.

Second you need a resource that is returned when the getResource() in your RealmResourceProvider is triggered.

Your resource is a class in which you define your endpoint. To check the authorization you can create a method like this:

private AuthenticationManager.AuthResult resolveAuthentication(KeycloakSession session) {
    AppAuthManager appAuthManager = new AppAuthManager();
    RealmModel realm = session.getContext().getRealm();

    AuthenticationManager.AuthResult authResult = appAuthManager.authenticateIdentityCookie(session, realm);
    if (authResult != null) {
        return authResult;
    }

    return null;
}

This method is called in the constructor and sets the private final AuthenticationManager.AuthResult auth; variable inside your Resource.

Now inside your endpoint implementation you can simply check if auth is not null, or, if needed, do more sophisticated stuff like inspecting the user or the token which is available in your auth variable.