Authorization by role on JWT

Hello,

I did an integration with Keycloak (with Tyk CE) and it's working fine, but now I want to do authorization by role.

My OpenID options on the API are:

"openid_options": {
  "providers": [
    {
      "issuer": "******************************",
      "client_ids": {
        "YXBwMQ==": "123456789"
      }
    }
  ],
  "segregate_by_client": false
}

Part of Token with roles:

"realm_access": {
  "roles": [
    "usuario"
  ]
},

Is it possible? How can I do it?


Marcos Oleiro

Can anyone help me with this?!

Hi @Marcos-Oleiro, we're currently looking at this for you; we will get back to you as soon as we can!


Valmir

So, no news about it?

Hi @Marcos-Oleiro

I think this is what you are looking for.

https://tyk.io/docs/advanced-configuration/integrate/api-auth-mode/open-id-connect/#jwt-scope-to-policy-mapping-support

The thing is, you might need to change your Keycloak settings to output the roles as a space-separated string rather than returning them in array format.

"realm_access": {
  "roles": [
    "usuario"
  ]
},

Can you change this to:

"roles": "usuario otherrole anotherrole"

Hello @ahmet,

Thanks for the answer! I'm trying this at the moment; is it possible to do this configuration in Keycloak? I'll search for it. I was trying to use dot notation, like realm_access.roles:

"jwt_scope_to_policy_mapping": {
  "adm": "987654321"
},
"jwt_scope_claim_name": "realm_access.roles",

I've had a play, and I managed to convert it to an array:

"custom_roles": [
  "offline_access",
  "foo",
  "uma_authorization"
],

Using a user realm role mapper. But I can't work out yet how to convert it from an array to a space-separated string.

I think we need it to be like scopes.

"custom_roles": "offline_access foo uma_authorization"

Got it, I will look around and if I find something useful I'll put it here. Can you do the same if you find something? Thanks!

Of course

Also, by turning off the multivalued switch, I can get:

"custom_roles": "[offline_access, foo, uma_authorization]",

If this fails for you, you can always take the claim, inject it into a header, then create a post-authentication plugin which validates the claims, and perform your authorization logic inside the plugin.

Here is an example integrating Open Policy Agent and using that for authorization: tyk-go-plugins/authorize_opa at master · asoorm/tyk-go-plugins · GitHub
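As an added illustration of the claim-shape problem discussed in this thread (not code from Tyk, Keycloak or the linked plugin repo), the Go snippet below shows the normalisation a custom post-authentication plugin would have to do: walk a dot-notation claim name such as realm_access.roles, accept the role claim as a JSON array, as a space-separated string, or as the "[a, b, c]" string a non-multivalued mapper emits, and map the resulting scopes onto policy IDs. The function names and the sample claims are assumptions constructed for the example.

```go
package main

import "strings"

// claimPath walks a dot-separated claim name such as "realm_access.roles"
// through nested JSON claims (maps as decoded by encoding/json).
// It returns nil when any segment is missing or not an object.
func claimPath(claims map[string]interface{}, path string) interface{} {
	var cur interface{} = claims
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil
		}
		cur = obj[key]
	}
	return cur
}

// ScopesFromClaim normalises the three claim shapes seen in this thread into
// one scope list: a JSON array, a space-separated string ("usuario adm"),
// and the "[a, b, c]" string a Keycloak mapper emits with multivalued off.
func ScopesFromClaim(claims map[string]interface{}, claimName string) []string {
	var out []string
	switch v := claimPath(claims, claimName).(type) {
	case []interface{}:
		for _, e := range v {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
	case string:
		sep := func(r rune) bool { return r == ' ' || r == ',' || r == '[' || r == ']' }
		out = strings.FieldsFunc(v, sep)
	}
	return out
}

// PoliciesForScopes maps token scopes onto policy IDs using a table in the
// shape of jwt_scope_to_policy_mapping; scopes with no mapping grant nothing.
func PoliciesForScopes(scopes []string, scopeToPolicy map[string]string) []string {
	var policies []string
	for _, sc := range scopes {
		if p, ok := scopeToPolicy[sc]; ok {
			policies = append(policies, p)
		}
	}
	return policies
}

// SampleClaims is a constructed Keycloak-style token payload (not a real token).
var SampleClaims = map[string]interface{}{
	"realm_access": map[string]interface{}{"roles": []interface{}{"usuario", "adm"}},
	"custom_roles": "[offline_access, foo, uma_authorization]",
}
```

Whatever path the claim takes (header injection or direct token parsing), the plugin should grant policies only for scopes present in its mapping and deny when the claim is absent, which is what the nil return paths above give you.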