Quarkus / QUARKUS-810

Quarkus keycloak authorization usability improvements


    • Type: Feature
    • Resolution: Done
    • Priority: Major
    • 1.11.5.CR4
    • team/eng

      Description

      I would like to talk about how the `quarkus-keycloak-authorization` extension handles redirections and path exclusions, because I think that could be improved from a usability point of view.

      Scenario

      So, let's imagine that we have a REST application that is going to be deployed on OpenShift/k8s. Typically these applications have at least the following non-application endpoints:

      - /metrics
        - /metrics/vendor
        - /metrics/application
        - /metrics/base
      - /health
        - /health/live
        - /health/ready
        - /health/well
        - /health/group
      - /openapi
      - /swagger-ui

      Most of them must be public, or at least be accessible by the cluster (readiness/liveness probes), Prometheus, etc., so it seems reasonable to have the following configuration:


      quarkus.http.root-path=/api
      # authZ
      quarkus.keycloak.policy-enforcer.enable=true
      ## Health
      quarkus.keycloak.policy-enforcer.paths.health-redirection.path=/api/q/health
      quarkus.keycloak.policy-enforcer.paths.health-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.health.path=/api/health/*
      quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
      ## Metrics
      quarkus.keycloak.policy-enforcer.paths.metrics-redirection.path=/api/q/metrics
      quarkus.keycloak.policy-enforcer.paths.metrics-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.metrics.path=/api/metrics/*
      quarkus.keycloak.policy-enforcer.paths.metrics.enforcement-mode=DISABLED
      ## OpenAPI
      quarkus.keycloak.policy-enforcer.paths.openapi-redirection.path=/api/q/openapi
      quarkus.keycloak.policy-enforcer.paths.openapi-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.openapi.path=/api/openapi/*
      quarkus.keycloak.policy-enforcer.paths.openapi.enforcement-mode=DISABLED
      ## Swagger-ui
      quarkus.keycloak.policy-enforcer.paths.swagger-ui-redirection.path=/api/q/swagger-ui
      quarkus.keycloak.policy-enforcer.paths.swagger-ui-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.path=/api/swagger-ui/*
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.enforcement-mode=DISABLED
      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      # tolerate 1 minute of clock skew between the Keycloak server and the application
      quarkus.oidc.token.lifespan-grace=60

      This configuration does not take the application endpoints into account; it is just for platform endpoints. It could be slightly improved by grouping all redirections (`/q`) into one rule:


      quarkus.http.root-path=/api
      # authZ
      quarkus.keycloak.policy-enforcer.enable=true
      quarkus.keycloak.policy-enforcer.paths.health-redirection.path=/api/q/*
      quarkus.keycloak.policy-enforcer.paths.health-redirection.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.health.path=/api/health/*
      quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.metrics.path=/api/metrics/*
      quarkus.keycloak.policy-enforcer.paths.metrics.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.openapi.path=/api/openapi/*
      quarkus.keycloak.policy-enforcer.paths.openapi.enforcement-mode=DISABLED
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.path=/api/swagger-ui/*
      quarkus.keycloak.policy-enforcer.paths.swagger-ui.enforcement-mode=DISABLED
      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      # tolerate 1 minute of clock skew between the Keycloak server and the application
      quarkus.oidc.token.lifespan-grace=60

      Note: this approach makes all `/api/q/*` endpoints public, so your business application can't use this path.

      Implementation ideas

      As a developer I would like to group paths into one single rule:

      Example:

      quarkus.http.root-path=/api
      # authZ
      quarkus.keycloak.policy-enforcer.enable=true
      quarkus.keycloak.policy-enforcer.paths.disabled.paths=/api/q/*, /api/health/*, /api/metrics/*, /api/openapi/*, /api/swagger-ui/*
      quarkus.keycloak.policy-enforcer.paths.disabled.enforcement-mode=DISABLED
      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      # tolerate 1 minute of clock skew between the Keycloak server and the application
      quarkus.oidc.token.lifespan-grace=60

      Also, I am not sure whether Quarkus, as the cloud-native framework it is, should handle by default all non-application redirections (and/or paths) and make them accessible from a PaaS such as OpenShift/k8s. I am not sure about that...

      GitHub Ref: https://github.com/quarkusio/quarkus/issues/14851

              Assignee: Unassigned
              Reporter: Pablo Gonzalez Granados (rhn-support-pagonzal) (Inactive)
              Votes: 0
              Watchers: 1
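Added example (editor's code, not Quarkus or Keycloak code, and not part of the issue above): a small model of how the `quarkus.keycloak.policy-enforcer.paths.*` rules decide whether a request is enforced, used to audit the exclusion list the issue proposes. The security point is the note in the issue: a broad `enforcement-mode=DISABLED` wildcard such as `/api/q/*` makes every business endpoint under that prefix public too. The path-matching semantics are an approximation of Keycloak's PathMatcher (exact path, or a trailing `/*` covering the subtree, most specific pattern wins; `{name}` template segments are not modelled), the plural `paths` key is the syntax the issue proposes rather than an existing property, and the business endpoints and config text are constructed for the example.

```python
"""Added example; not Quarkus or Keycloak code.

Models how quarkus.keycloak.policy-enforcer.paths.* rules decide whether a
request is enforced, to show the point raised in QUARKUS-810: a broad
enforcement-mode=DISABLED wildcard widens the public surface.

Assumptions (not from the issue or the Quarkus docs):
  * Matching approximates Keycloak's PathMatcher: a rule matches on an exact
    path or, for patterns ending in "/*", on the subtree under the prefix;
    the most specific (longest) matching pattern wins. {name} template
    segments are not modelled.
  * The plural "paths" key (comma-separated list) is the syntax the issue
    proposes, not an existing property; it is expanded into one rule per path.
  * Paths with no matching rule are treated as ENFORCING.
"""
from dataclasses import dataclass
import re

KEY_RE = re.compile(
    r"^quarkus\.keycloak\.policy-enforcer\.paths\.([^.\s]+)\.(path|paths|enforcement-mode)\s*=\s*(.*)$"
)


@dataclass(frozen=True)
class PathRule:
    name: str
    pattern: str
    mode: str  # ENFORCING, PERMISSIVE or DISABLED


def parse_enforcer_paths(properties: str) -> list[PathRule]:
    """Collect the per-rule fields from application.properties text."""
    fields: dict[str, dict[str, str]] = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            name, field, value = m.groups()
            fields.setdefault(name, {})[field] = value.strip()
    rules: list[PathRule] = []
    for name, f in fields.items():
        mode = f.get("enforcement-mode", "ENFORCING").upper()
        if "paths" in f:  # proposed grouped syntax: expand into one rule per path
            for i, p in enumerate(f["paths"].split(",")):
                rules.append(PathRule(f"{name}[{i}]", p.strip(), mode))
        elif "path" in f:
            rules.append(PathRule(name, f["path"], mode))
    return rules


def matches(pattern: str, request_path: str) -> bool:
    """Exact match, or subtree match for a trailing '/*' wildcard."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return request_path == prefix or request_path.startswith(prefix + "/")
    return pattern == request_path


def effective_mode(rules: list[PathRule], request_path: str) -> str:
    """Mode of the most specific matching rule; ENFORCING if nothing matches."""
    candidates = [r for r in rules if matches(r.pattern, request_path)]
    if not candidates:
        return "ENFORCING"
    return max(candidates, key=lambda r: len(r.pattern)).mode


def exposed_endpoints(rules: list[PathRule], business_paths: list[str]) -> list[str]:
    """Business paths that a DISABLED rule makes public: the audit to run
    whenever the exclusion list changes."""
    return sorted(p for p in business_paths if effective_mode(rules, p) == "DISABLED")


# Constructed: the grouped configuration proposed in the issue.
GROUPED_CONFIG = """
quarkus.http.root-path=/api
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.disabled.paths=/api/q/*, /api/health/*, /api/metrics/*, /api/openapi/*, /api/swagger-ui/*
quarkus.keycloak.policy-enforcer.paths.disabled.enforcement-mode=DISABLED
"""

# Constructed: two ordinary business endpoints plus one that happens to live under /q.
BUSINESS_PATHS = ["/api/orders", "/api/orders/42", "/api/q/reports"]

# Constructed: a more specific ENFORCING rule that takes /api/q/reports back out of the exclusion.
REPORTS_OVERRIDE = (
    "quarkus.keycloak.policy-enforcer.paths.reports.path=/api/q/reports\n"
    "quarkus.keycloak.policy-enforcer.paths.reports.enforcement-mode=ENFORCING\n"
)


def main() -> None:
    rules = parse_enforcer_paths(GROUPED_CONFIG)
    for p in ["/api/q/health/ready", "/api/metrics", "/api/orders", "/api/q/reports"]:
        print(f"{p:24} -> {effective_mode(rules, p)}")
    print("exposed:", exposed_endpoints(rules, BUSINESS_PATHS))
    fixed = parse_enforcer_paths(GROUPED_CONFIG + REPORTS_OVERRIDE)
    print("exposed after override:", exposed_endpoints(fixed, BUSINESS_PATHS))


if __name__ == "__main__":
    main()
```

Run it against your real application.properties and the list of business routes (from the OpenAPI document, for instance) before shipping a new exclusion rule; anything it reports as exposed is reachable without a token. In this model a more specific ENFORCING rule wins over the wildcard, which is how `/api/q/reports` is re-protected in the second run; confirm that precedence against the Keycloak version you deploy rather than relying on the approximation.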