Uploaded image for project: 'Quarkus'
  1. Quarkus
  2. QUARKUS-810

Quarkus keycloak authorization usability improvements

    XMLWordPrintable

Details

    • Feature
    • Resolution: Done
    • Major
    • None
    • 1.11.5.CR4
    • team/eng
    • Undefined
    • ---

    Description

      Description

      I would like to talk about how to `quarkus-keycloak-authorization` extension handler redirections and path exclusions because I think that could be improved from a usability point of view.

       Scenario

      So, let's imagine that we have a Rest application that is going to be deployed on openshift/k8s. Typically these applications use to have at least the following non-application endpoints:

      - /metrics
 - /metrics/vendor
 - /metrics/application
 - /metrics/base
- /health
 - /health/live
 - /health/ready
 - /health/well
 - /health/group
- /openapi
- /swagger-ui

      Most of them must be public or at least be accessible by the cluster (readiness/liveness probe), Prometheus... so, it seems reasonable to have the following configuration:

       

      quarkus.http.root-path=/api
# authZ
quarkus.keycloak.policy-enforcer.enable=true
## Health
quarkus.keycloak.policy-enforcer.paths.health-redirection.path=/api/q/health
quarkus.keycloak.policy-enforcer.paths.health-redirection.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.health.path=/api/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
## Metrics
quarkus.keycloak.policy-enforcer.paths.metrics-redirection.path=/api/q/metrics
quarkus.keycloak.policy-enforcer.paths.metrics-redirection.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.metrics.path=/api/metrics/*
quarkus.keycloak.policy-enforcer.paths.metrics.enforcement-mode=DISABLED
## OpenAPI
quarkus.keycloak.policy-enforcer.paths.openapi-redirection.path=/api/q/openapi
quarkus.keycloak.policy-enforcer.paths.openapi-redirection.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.openapi.path=/api/openapi/*
quarkus.keycloak.policy-enforcer.paths.openapi.enforcement-mode=DISABLED
## Swagger-ui
quarkus.keycloak.policy-enforcer.paths.swagger-ui-redirection.path=/api/q/swagger-ui
quarkus.keycloak.policy-enforcer.paths.swagger-ui-redirection.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.swagger-ui.path=/api/swagger-ui/*
quarkus.keycloak.policy-enforcer.paths.swagger-ui.enforcement-mode=DISABLED
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
quarkus.oidc.client-id=test-application-client
quarkus.oidc.credentials.secret=test-application-client-secret
# tolerate 1 minute of clock skew between the Keycloak server and the application
quarkus.oidc.token.lifespan-grace=60

       

      These configurations are not taking into account the application endpoint. This is just for platform endpoints. This config could be slightly improved if I group all redirections ( `/q` ), into one rule:

       

      quarkus.http.root-path=/api
# authZ
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.health-redirection.path=/api/q/*
quarkus.keycloak.policy-enforcer.paths.health-redirection.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.health.path=/api/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.metrics.path=/api/metrics/*
quarkus.keycloak.policy-enforcer.paths.metrics.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.openapi.path=/api/openapi/*
quarkus.keycloak.policy-enforcer.paths.openapi.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.swagger-ui.path=/api/swagger-ui/*
quarkus.keycloak.policy-enforcer.paths.swagger-ui.enforcement-mode=DISABLED
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
quarkus.oidc.client-id=test-application-client
quarkus.oidc.credentials.secret=test-application-client-secret
# tolerate 1 minute of clock skew between the Keycloak server and the application
quarkus.oidc.token.lifespan-grace=60

      Note: this approach makes public all `/api/q/*` endpoints, so your business application can't have this path.

      implementation ideas

       

      As a developer I would like to group paths into one single rules:

      Example:

      quarkus.http.root-path=/api
# authZ
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.disabled.paths=/api/q/*, /api/health/*, /api/metrics/*, /api/openapi/*, /api/swagger-ui/*
quarkus.keycloak.policy-enforcer.paths.disabled.enforcement-mode=DISABLED
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
quarkus.oidc.client-id=test-application-client
quarkus.oidc.credentials.secret=test-application-client-secret
# tolerate 1 minute of clock skew between the Keycloak server and the application
quarkus.oidc.token.lifespan-grace=60

      Also, I am not sure if Quarkus as a cloud-native framework that is, should handle by default all non-application redirections(and/or paths) and make them accessible from a Paas, as Openshift/k8s. I am not sure about that...

      GitHub Ref: https://github.com/quarkusio/quarkus/issues/14851

      Attachments

        Issue Links

          is related to

          Task - Represents a small unit of work that is not end-user facing. QUARKUS-744 Testing - Non application endpoints moved to /q/

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              rhn-support-pagonzal Pablo Gonzalez Granados (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: