Uploaded image for project: 'Quarkus'
  1. Quarkus
  2. QUARKUS-810

Quarkus keycloak authorization usability improvements

    XMLWordPrintable

Details

    • ---

    Description

      Description

      I would like to talk about how to `quarkus-keycloak-authorization` extension handler redirections and path exclusions because I think that could be improved from a usability point of view.

       Scenario

      So, let's imagine that we have a Rest application that is going to be deployed on openshift/k8s. Typically these applications use to have at least the following non-application endpoints:

      - /metrics
       - /metrics/vendor
       - /metrics/application
       - /metrics/base
      - /health
       - /health/live
       - /health/ready
       - /health/well
       - /health/group
      - /openapi
      - /swagger-ui

      Most of them must be public or at least be accessible by the cluster (readiness/liveness probe), Prometheus... so, it seems reasonable to have the following configuration:

       

      quarkus.http.root-path=/api
      # authZ
      quarkus.keycloak.policy-enforcer.enable=true
      ## Health
      quarkus.keycloak.policy-enforcer.paths.health-redirection.path=/api/q/health
      quarkus.keycloak.policy-enforcer.paths.health-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.health.path=/api/health/*
      quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
      ## Metrics
      quarkus.keycloak.policy-enforcer.paths.metrics-redirection.path=/api/q/metrics
      quarkus.keycloak.policy-enforcer.paths.metrics-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.metrics.path=/api/metrics/*
      quarkus.keycloak.policy-enforcer.paths.metrics.enforcement-mode=DISABLED
      ## OpenAPI
      quarkus.keycloak.policy-enforcer.paths.openapi-redirection.path=/api/q/openapi
      quarkus.keycloak.policy-enforcer.paths.openapi-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.openapi.path=/api/openapi/*
      quarkus.keycloak.policy-enforcer.paths.openapi.enforcement-mode=DISABLED
      ## Swagger-ui
      quarkus.keycloak.policy-enforcer.paths.swagger-ui-redirection.path=/api/q/swagger-ui
      quarkus.keycloak.policy-enforcer.paths.swagger-ui-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.path=/api/swagger-ui/*
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.enforcement-mode=DISABLED
      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      # tolerate 1 minute of clock skew between the Keycloak server and the application
      quarkus.oidc.token.lifespan-grace=60
      

       

      These configurations are not taking into account the application endpoint. This is just for platform endpoints. This config could be slightly improved if I group all redirections ( `/q` ), into one rule:

       

      quarkus.http.root-path=/api
      # authZ
      quarkus.keycloak.policy-enforcer.enable=true
      quarkus.keycloak.policy-enforcer.paths.health-redirection.path=/api/q/*
      quarkus.keycloak.policy-enforcer.paths.health-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.health.path=/api/health/*
      quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.metrics.path=/api/metrics/*
      quarkus.keycloak.policy-enforcer.paths.metrics.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.openapi.path=/api/openapi/*
      quarkus.keycloak.policy-enforcer.paths.openapi.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.path=/api/swagger-ui/*
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.enforcement-mode=DISABLED
      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      # tolerate 1 minute of clock skew between the Keycloak server and the application
      quarkus.oidc.token.lifespan-grace=60
      

      Note: this approach makes public all `/api/q/*` endpoints, so your business application can't have this path.

      implementation ideas

       

      As a developer I would like to group paths into one single rules:

      Example:

      quarkus.http.root-path=/api
      # authZ
      quarkus.keycloak.policy-enforcer.enable=true
      quarkus.keycloak.policy-enforcer.paths.disabled.paths=/api/q/*, /api/health/*, /api/metrics/*, /api/openapi/*, /api/swagger-ui/*
      quarkus.keycloak.policy-enforcer.paths.disabled.enforcement-mode=DISABLED
      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      # tolerate 1 minute of clock skew between the Keycloak server and the application
      quarkus.oidc.token.lifespan-grace=60
      

      Also, I am not sure if Quarkus as a cloud-native framework that is, should handle by default all non-application redirections(and/or paths) and make them accessible from a Paas, as Openshift/k8s. I am not sure about that...

      GitHub Ref: https://github.com/quarkusio/quarkus/issues/14851

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              rhn-support-pagonzal Pablo Gonzalez Granados
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: