Hello,
I did an integration with Keycloak (with Tyk CE) and it's working fine, but now I want to do authorization by role.
My OpenID options on the API are:
```json
"openid_options": {
  "providers": [
    {
      "issuer": "******************************",
      "client_ids": {
        "YXBwMQ==": "123456789"
      }
    }
  ],
  "segregate_by_client": false
}
```
Part of the token with roles:
```json
"realm_access": {
  "roles": [
    "usuario"
  ]
},
```
Is it possible? How can I do it?
Marcos Oleiro
Can anyone help me with this?!
Valmir
April 5, 2021, 5:51pm
Hi @Marcos-Oleiro , we’re currently looking at this for you - we will get back to you as soon as we can!
–
Valmir
ahmet
April 9, 2021, 5:53pm
Hi @Marcos-Oleiro
I think this is what you are looking for.
https://tyk.io/docs/advanced-configuration/integrate/api-auth-mode/open-id-connect/#jwt-scope-to-policy-mapping-support
The thing is, you might need to change your keycloak settings to output the roles as space separated strings, rather than returning in an array format.
```json
"realm_access": {
  "roles": [
    "usuario"
  ]
},
```
Can you change this to:
```json
"roles": "usuario otherrole anotherrole"
```
Hello @ahmet ,
Thanks for the answer! I'm trying this atm. Is it possible to do this configuration on Keycloak? I'll search for it; I was trying to use dot notation, like realm_access.roles.
```json
"jwt_scope_to_policy_mapping": {
  "adm": "987654321"
},
"jwt_scope_claim_name": "realm_access.roles",
```
ahmet
April 9, 2021, 6:15pm
I've had a play, and I managed to convert it to an array:
```json
"custom_roles": [
  "offline_access",
  "foo",
  "uma_authorization"
],
```
Using a user realm role mapper. But I can't work out yet how to convert it from an array to a space-separated string.
I think we need it to be like scopes:
```json
"custom_roles": "offline_access foo uma_authorization"
```
Got it, I will look around and if I find something useful I'll put it here. Can you do the same if you find something? Thanks!
ahmet
April 9, 2021, 6:21pm
Of course
Also, by turning off multivalued switch, I can get:
```json
"custom_roles": "[offline_access, foo, uma_authorization]",
```
If this fails for you, you can always take the claim, inject it into a header, then create a post-authentication plugin which validates the claims and you perform your authorization logic inside the plugin.
Here is an example integrating Open Policy Agent - and using that for Authorization: tyk-go-plugins/authorize_opa at master · asoorm/tyk-go-plugins · GitHub
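As an added example (not code from this thread, from Tyk or from Keycloak), here is a small Go model of the scope-to-policy mapping linked above: it reads the claim named by `jwt_scope_claim_name` using dot notation, accepts the array, space-separated and `"[a, b, c]"` claim shapes that appear in this thread, and maps each scope to a policy ID through `jwt_scope_to_policy_mapping`. The function names, the sample payload and the policy IDs are constructed for the example; which claim shapes the real gateway accepts depends on your Tyk version, so check the docs linked earlier in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// scopesFromClaim accepts the three claim shapes seen in this thread: a JSON array,
// a space-separated string, and the "[a, b, c]" string from a non-multivalued mapper.
func scopesFromClaim(v interface{}) (out []string) {
	if s, isStr := v.(string); isStr {
		return strings.FieldsFunc(strings.Trim(s, "[]"), func(r rune) bool { return r == ' ' || r == ',' })
	}
	arr, _ := v.([]interface{}) // nil for any other type, so no scopes
	for _, e := range arr {
		if s, isStr := e.(string); isStr {
			out = append(out, s)
		}
	}
	return out
}
// PoliciesForToken is a simplified model (an assumption, not Tyk's code) of jwt_scope_to_policy_mapping:
// claimName is the dotted jwt_scope_claim_name and payloadJSON the decoded, already signature-verified
// JWT body. ok is false when the payload is not JSON or the claim is absent; unmapped scopes are ignored.
func PoliciesForToken(claimName string, mapping map[string]string, payloadJSON string) (policies []string, ok bool) {
	var cur interface{}
	if json.Unmarshal([]byte(payloadJSON), &cur) != nil {
		return nil, false
	}
	for _, part := range strings.Split(claimName, ".") { // walk "realm_access.roles" into the nested object
		if obj, isObj := cur.(map[string]interface{}); !isObj {
			return nil, false
		} else if cur, ok = obj[part]; !ok {
			return nil, false
		}
	}
	seen := map[string]bool{}
	for _, scope := range scopesFromClaim(cur) {
		if p, mapped := mapping[scope]; mapped && !seen[p] {
			seen[p] = true
			policies = append(policies, p)
		}
	}
	return policies, true
}
func main() {
	mapping := map[string]string{"adm": "987654321", "usuario": "111111111"} // placeholder policy IDs
	payload := `{"sub":"u1","realm_access":{"roles":["usuario","offline_access"]}}` // constructed sample payload
	fmt.Println(PoliciesForToken("realm_access.roles", mapping, payload)) // [111111111] true
}
```

A missing claim or a non-JSON body yields ok == false, which is the case to treat as "no policy, deny" rather than as an empty but valid scope list.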