Support Keycloak UMA flow internally #317

Closed
daniel-pimenta-DME opened this issue Aug 12, 2023 · 12 comments · Fixed by #333
Labels
enhancement New feature or request
Milestone

Comments

@daniel-pimenta-DME

daniel-pimenta-DME commented Aug 12, 2023

Title

Support Keycloak UMA flow internally

Summary

I noticed a Keycloak UMA section in the documentation (https://gogatekeeper.github.io/gatekeeper/userguide/#keycloak-authorization-uma), but it is a bit limited from what I understood.
My request is for Gatekeeper to perform the UMA flow internally (steps 1, 2, 3, 4 from https://gogatekeeper.github.io/gatekeeper/userguide/#keycloak-authorization-uma).

Why?

It would allow dynamic resource configuration and would leverage the Keycloak UI to define resources and permissions.

How

Do steps 1, 2, 3, 4 internally when necessary.
Remove the forcing of --no-redirects, since it's needed for sign-in authentication.

Acceptance criteria

Perform UMA flow without external code or requests being needed.

@p53

p53 commented Aug 12, 2023

Thanks for creating the issue! Yeah, I was thinking about UMA with redirects, but I didn't know if anybody was using it, so I haven't implemented it yet. Now I know that somebody is using it :), will look at it. I need to find good examples/docs for a proper implementation.

@p53 p53 added the enhancement New feature or request label Aug 12, 2023
@p53

p53 commented Aug 12, 2023

In the meantime, gogatekeeper has integration with OPA (Open Policy Agent), by which you can scalably manage authorizations with policies.

@p53 p53 added this to the 2.7.0 milestone Sep 2, 2023
@daniel-pimenta-DME

It seems to already support the UMA flow when forwarding is enabled:
https://github.com/gogatekeeper/gatekeeper/blob/master/pkg/keycloak/proxy/forwarding.go#L113

What we need is the following:

  1. User accesses https://proxy/resource_url
  2. Proxy performs authentication if needed
  3. Proxy performs UMA flow on the resource_url, allowing access if no resource is defined
  4. Proxy redirects to https://upstream/resource_url if access is allowed, and returns 403 to the user if forbidden

Does that logic make sense?
Let me know if there's anything I can help with.

@p53

p53 commented Sep 4, 2023

:) Forwarding mode works a little bit differently compared to the browser-based scenario. We will need to set up cookies and also think about refreshing the RPT token. Right now the RPT token is acquired for a specific resource; what if you already have an access/refresh token but you access a different resource? You will need to get a new RPT token, so it is not just the steps you wrote. Additionally, I had to refactor the code a little bit because I will need to add additional steps related to this UMA and it was already messy (the original project code was quite messy...).

@p53 p53 linked a pull request Sep 6, 2023 that will close this issue
@daniel-pimenta-DME

Yes, true :D
What do you reckon is the best option to detect the need for a new RPT token when accessing a new resource?
That's the only issue I've noticed in your current PR.
When I tried it, it seemed to use a uma_token cookie from a different resource, wrongfully returning 403.

@p53

p53 commented Sep 11, 2023

Still working on it ;)

@p53

p53 commented Sep 13, 2023

@daniel-pimenta-DME The UMA code flow should now be finished. I tried to make it simpler, with less configuration, compared to what I saw in the Keycloak adapter docs, but it has some limitations. 1. Per URL it matches only one resource in Keycloak (so you must not have several resources with the same URI under the same client). 2. You should always have one permission per resource, and right now gatekeeper can pass only one scope, "method:", by which you access the resource, enabled with --enable-uma-method-scope. 3. It doesn't do claims gathering (this seems to be optional according to the spec; the spec isn't very detailed). You can try it and let me know how it works. I can also help you, e.g. on the Discord chat (link in the main README).

@p53 p53 closed this as completed in #333 Sep 13, 2023
p53 added a commit that referenced this issue Sep 13, 2023
* Add UMA with code flow

* Fix lint

* Update

* Update

* Update

* Update

* Update

* Update

* Update
@p53 p53 reopened this Sep 13, 2023
@p53

p53 commented Sep 13, 2023

Created the 2.7.0-rc2 release/image.

@daniel-pimenta-DME

daniel-pimenta-DME commented Sep 19, 2023

Thank you :)
I'll do some tests and let you know.

  1. per URL it matches only one resource in keycloak (so you must not have several resources with same URI under same client)

What would happen with one resource for /admin/* and another for /admin/1, and then trying to access admin/1?
Would it match the first or the second resource?

@p53

p53 commented Sep 19, 2023

There is already a 2.7.0 release/image. That would not work (it will be forbidden), because the /admin/v1 path would match both resources. I understand that if you want to make an exception this is an easy way to do it, but it could also make things messy and error-prone, e.g. if I have two matching resources, which one should I choose?? Probably some wise way would be the more specific path, but then what about x-level nested resources? Then evaluation time might be quite long, and again error-prone.
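
The two behaviours discussed in this thread, the per-resource RPT (a uma_token obtained for one resource must not be reused for another) and the "exactly one matching resource per URL, otherwise forbidden" rule, as an added illustration in Go. This is example code written for this page, not gatekeeper's own implementation: the `Resource` struct, the `MatchResource` and `RPTCache` names, the `method:` scope key and the sample resource list are all assumptions, and URI matching is simplified to exact paths plus a trailing `/*` prefix wildcard.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Resource mirrors only the fields of a Keycloak UMA resource definition that
// this example needs (hypothetical struct, not a gatekeeper or Keycloak type).
type Resource struct {
	ID   string
	Name string
	URIs []string
}

var (
	ErrAmbiguous  = errors.New("more than one resource matches the path")
	ErrNoResource = errors.New("no resource matches the path")
)

// uriMatches supports two URI forms (a simplification, assumed here): an exact
// path, or a pattern ending in "/*" that covers every path under that prefix.
func uriMatches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// MatchResource returns the single resource whose URIs cover path. As in the
// behaviour described in the thread, an ambiguous match (e.g. /admin/* and
// /admin/1 both covering /admin/1) is refused instead of being resolved by a
// "most specific path" heuristic, so the caller can fail closed with a 403.
func MatchResource(resources []Resource, path string) (*Resource, error) {
	var found *Resource
	for i := range resources {
		for _, u := range resources[i].URIs {
			if uriMatches(u, path) {
				if found != nil && found.ID != resources[i].ID {
					return nil, fmt.Errorf("%w: %q and %q", ErrAmbiguous, found.Name, resources[i].Name)
				}
				found = &resources[i]
				break
			}
		}
	}
	if found == nil {
		return nil, ErrNoResource
	}
	return found, nil
}

// RPTCache keeps one RPT per (resource, scope). Keying the cache by resource is
// what prevents the bug observed above, where a uma_token issued for a
// different resource was replayed and produced a spurious 403.
type RPTCache struct{ tokens map[string]string }

func NewRPTCache() *RPTCache { return &RPTCache{tokens: map[string]string{}} }

func cacheKey(resourceID, scope string) string { return resourceID + "|" + scope }

// NeedsNewRPT reports whether the proxy must run the UMA flow again before
// forwarding a request for this resource and scope.
func (c *RPTCache) NeedsNewRPT(resourceID, scope string) bool {
	_, ok := c.tokens[cacheKey(resourceID, scope)]
	return !ok
}

// Store records an RPT obtained for one resource/scope pair.
func (c *RPTCache) Store(resourceID, scope, rpt string) {
	c.tokens[cacheKey(resourceID, scope)] = rpt
}

// SampleResources is a constructed resource list reproducing the overlap from
// the thread (/admin/* next to /admin/1) plus one unrelated resource.
func SampleResources() []Resource {
	return []Resource{
		{ID: "r1", Name: "admin-all", URIs: []string{"/admin/*"}},
		{ID: "r2", Name: "admin-one", URIs: []string{"/admin/1"}},
		{ID: "r3", Name: "reports", URIs: []string{"/reports"}},
	}
}

func main() {
	for _, p := range []string{"/admin/1", "/admin/2", "/reports", "/public"} {
		r, err := MatchResource(SampleResources(), p)
		if err != nil {
			fmt.Printf("%-10s -> 403 (%v)\n", p, err)
			continue
		}
		fmt.Printf("%-10s -> resource %s\n", p, r.Name)
	}
}
```

Running it shows /admin/1 refused as ambiguous, /admin/2 mapped to admin-all, /reports mapped to reports, and /public with no matching resource; what the proxy should do in the no-resource case (allow through or deny) is a policy decision the thread leaves to the operator, so the example only surfaces it as an error.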

@daniel-pimenta-DME

Works well, thank you :D
