scopes Fastapi OAUTH2 - oauth-2.0

So I have to do scopes for auth, and how do I need to check if a user has this scope,
and how can I connect another func to a scope?
Do I just have to write scopes for routes or for each request?
And can I do a route for a special scope in the frontend?

Related

Requested scopes not included in access token

I want a custom scope called avm.read to be included in the scopes of the access token when requesting it.
I have an ApiResource called compApi and an ApiResourceScope called avm.read.
I've also added an ApiScope avm.read and added the avm.read to the ClientScopes.
When requesting the token, I'm also requesting the following scopes:
openid
profile
email
avm.read
After retrieving the token and deserializing it with jwt.io, I only see the openid in the scopes array:
"scope": [
"openid"
],
What do I have to do in addition to what I already did so that the avm.read custom scope is also included in the scope array of the token?
Thanks in advance

how to get the roles in access token: keycloak

what I am trying to do:
I have an app that takes in login credentials: username and password for a user. I have a rest api that internally calls the keycloak REST API: /auth/realms/realmname/protocol/openid-connect/token
and gets the access token for this user.
Now I am building another REST API to access a resource where I want to do the following:
doSomething(accesstoken, data)
{
a) call keycloak API to validate access token and get roles.
b) if role == manager, process(data)
c) else: return error msg.
}
Now, how do I do (a): validating the access token and getting the roles associated with it.
I know we can do: auth/realms/realmname/protocol/openid-connect/userinfo
but that only gives details about the user like name, email, etc., but does not display any roles.
Here's an example I got:
{
"name": "test user",
"sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
"email_verified": false,
"preferred_username": "user",
"given_name": "test",
"family_name": "user"
}
As seen, it doesn't give the roles at all. How do I then tell what roles this access token has? Interestingly, when I search for this, many resources are suggesting the above userinfo endpoint. But this merely tells me that the access token I provided is valid. It does not give roles for that.
In other words - it authenticates but does not authorize.
Please suggest.
Thanks,
Anand
In Keycloak admin Console, you can configure Mappers under your client. Add a builtin Mapper of type "User Realm Role", then open its configuration e.g. change Token Claim Name if you want.
Client roles can be configured similarly, but they are returned by default in the token under the name resource_access.${client_id}.roles
On the client side you can parse the token to find the roles. E.g. in an Angular application using the keycloak-angular adapter, you can get the token as a JSON object by calling keycloak.getKeycloakInstance().tokenParsed.
In a spring boot application and using the Keycloak java api, you can find the roles under the field "otherClaim" in the following class
https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html
In both representations you will find the roles under the "Token Claim Name" defined in the client mapper configuration.
Additionally, if the full scope is not allowed, then you need to add the relevant roles to the scope so they can appear in the token.
After adding the role in the roles section, you need to move the available roles into the Assigned Roles in the Scope tab of the respective client section.
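The client-side parsing the answer describes, as an added example that is not from the answer's author or from Keycloak: it decodes a JWT payload and reads realm roles from realm_access.roles and client roles from resource_access.<client_id>.roles. The token is a constructed, unsigned sample; the client id "my-api" and its roles are assumptions.

```python
import base64
import json

# Constructed, UNSIGNED sample payload shaped like a Keycloak access token.
# Reading claims is not authentication: a real token must have its signature
# verified against the realm's signing keys (or be sent to the realm's token
# introspection endpoint) before any role in it is trusted.
SAMPLE_PAYLOAD = {
    "sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
    "preferred_username": "user",
    "realm_access": {"roles": ["manager", "offline_access"]},   # realm roles
    "resource_access": {                                        # client roles
        "my-api": {"roles": ["manager"]},        # assumed client id "my-api"
        "account": {"roles": ["view-profile"]},
    },
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_token(payload: dict) -> str:
    """header.payload. with an empty signature; test data only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature."""
    payload_b64 = token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(padded))


def extract_roles(claims: dict, client_id: str) -> set:
    """Union of realm roles and the roles of one client.
    If a custom mapper changed "Token Claim Name", read that claim instead."""
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    client_roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm_roles) | set(client_roles)


def has_role(token: str, client_id: str, role: str) -> bool:
    """The role == manager check from the question, on a decoded token."""
    return role in extract_roles(decode_payload(token), client_id)
```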

Rails: make authentication to swagger API via devise or other

My goal is to log in to the Swagger API to get access to endpoints. With an auth token in the future.
I tried to put the Devise line in ApplicationController:
before_action :authenticate_user!
But when I load http://localhost:3000/api-docs/index.html the system allows access to the API without authentication.
I tried to uncomment in /config/initializers/rswag-ui.rb:
c.basic_auth_enabled = true
c.basic_auth_credentials 'username', 'password'
but that is not it.
Also I did not find the right way to implement Bearer Authentication from the official Swagger.io documentation. I do not know whether it is connected to Devise and whether I need to use it.
Which way is good to log in to the API via login and password of my Users?
Thank you.
With rswag-ui you should only need to uncomment those lines. No other authentication is needed (like devise).
# /config/initializers/rswag-ui.rb
c.basic_auth_enabled = true
c.basic_auth_credentials 'username', 'password'
I just did it in my project and it worked straight away, so thought I might as well answer.
If you are using devise, to protect swagger endpoints you can use the authorize method in config/routes.rb
authenticate :user do
mount Rswag::Ui::Engine => '/api-docs'
mount Rswag::Api::Engine => '/api-docs'
end
Method doc
If your API endpoints are protected with a devise cookie session, only making requests after a successful sign-in will be enough. But if your API uses another authentication scheme (e.g. Token) you will need to specify a security scheme in spec/swagger_helper.rb.
Here you can find more details for this configuration.
Expanding on the answer from #mateusc
If you want to restrict access not only to Devise-registered users, but to a subset (say, only admins) of those users, you can do something like this in routes.rb
authenticate :user, lambda { |u| u.admin? } do
mount Rswag::Ui::Engine => '/api-docs'
mount Rswag::Api::Engine => '/api-docs'
end
Replace u.admin? with a test that's appropriate for your needs.

Can Keycloak include scopes in JWT access tokens as an array?

I am wanting to use Keycloak to authorise access for my API.
I have got the relevant scopes defined, and these are coming back in the access token as expected:
{
... claims ...
"scope": "openid profile user/Patient.write user/Patient.read",
... etc ...
}
but the server hosting the APIs expects scopes in an access token represented as an array, like this:
{
... claims ...
"scope": [
"openid",
"profile",
"user/Patient.read",
"user/Patient.write"
],
...etc...
}
I can't see anywhere in Keycloak where I could alter the behaviour to output scopes as an array.
I've looked at doing it using a custom token mapper script, but the scopes don't appear to be available in mapper scripts, so it doesn't look like I can re-map them that way. Is there any way of getting the scopes into this form in the token in Keycloak?
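For the FastAPI scopes question at the top of the page and the string-vs-array question above, here is an added, framework-agnostic example (not from either poster, not FastAPI's or Keycloak's code): it accepts the scope claim in either shape, checks it against the scopes a route requires, and builds the WWW-Authenticate challenge value to return when scopes are missing. The routes in ROUTE_SCOPES are constructed; the scope names are the ones from the question.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeDecision:
    allowed: bool
    missing: frozenset
    www_authenticate: str  # challenge for a 401/403 response, RFC 6750 style


def parse_scope_claim(claims: dict) -> frozenset:
    """Normalise the scope claim. OAuth 2.0 issuers such as Keycloak emit a
    space-delimited string ("openid profile user/Patient.read"); other
    servers expect an array. A missing claim grants no scopes."""
    raw = claims.get("scope", [])
    if isinstance(raw, str):
        return frozenset(s for s in raw.split(" ") if s)
    if isinstance(raw, (list, tuple)):
        return frozenset(str(s) for s in raw)
    raise ValueError("unsupported scope claim type")


def check_scopes(claims: dict, required: list) -> ScopeDecision:
    """Allow only if every required scope was granted to the token."""
    granted = parse_scope_claim(claims)
    missing = frozenset(required) - granted
    header = f'Bearer scope="{" ".join(required)}"' if required else "Bearer"
    return ScopeDecision(not missing, missing, header)


# Scopes declared once per route (FastAPI does the equivalent with
# Security(dependency, scopes=[...]) on the route). Constructed routes.
ROUTE_SCOPES = {
    ("GET", "/patients"): ["user/Patient.read"],
    ("POST", "/patients"): ["user/Patient.write"],
    ("GET", "/me"): ["openid"],
}


def authorize_request(method: str, path: str, claims: dict) -> ScopeDecision:
    """Look up the route's requirement; unknown routes are denied by default."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return ScopeDecision(False, frozenset(), "Bearer")
    return check_scopes(claims, required)
```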

How to model resource level permissions in JWT OAuth2 tokens?

What is the canonical way to encode resource level permissions into a JWT access_token? Or in other words, how do you best encode access to other people's resources?
Is it something like this:
{
scopes: {
me: ['user', 'repo'], // My user
repo123: ['repo'], // Someone else's repo
org541: ['admin', 'repo'], // My org
org206: ['repo:read'] // Someone else's org
}
}
Or like this, with namespaced scope tags (in this case <resource>|<scope>):
{
scopes: ['me|user', 'me|repo', 'repo123|repo', 'org541|admin'... etc]
}
Or something else again?
This applies equally to "roles" or "memberships" or similar tags (and I realise I've mixed the examples above a bit); the core question remains: how do you (best) distinguish these tags per resource in a single JWT access_token?
I don't know the exact use case you need to implement, but I would probably try to keep the scopes just for API operations. Such as "get a list of repositories". Then a client using the access token can list the repositories it can work with and the resource server verifies the access rights by the username or user groups.
If you wanted to limit the resources available to the client, you could have a scope that would grant access to just a subset (for example just the user's own repositories).
Having resources and their permissions encoded in scopes would make them hard to use (when composing an authentication request, the client would have to know resource identifiers), and the permissions may change over the life of the access token.
