Keycloak implementation of SPI #5
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
inFocus7
changed the title
inFocus7
reviewed
Sep 5, 2024
inFocus7
changed the title
SirNexus
reviewed
Sep 6, 2024
SirNexus
reviewed
Sep 6, 2024
SirNexus
approved these changes
Sep 9, 2024
jmhbh
approved these changes
Sep 9, 2024
docs/configuring-gloo-gateway.md
Outdated
| { | ||
| "sub": "s2ai3kk4j6vfun6po9747bi1g", | ||
| "token_use": "access", | ||
| "scope": "access/catstronauts-api tracks-rest-api", |
| In Gloo Gateway, your RouteTable defines your API Product. Below is an example of such an API Product for the Tracks API: | ||
|
|
||
| ```yaml | ||
| apiVersion: networking.gloo.solo.io/v2 |
There was a problem hiding this comment.
We should probably add a TODO here to update this to use the GGv2 API instead of the GME API
| Finally, we can apply the ExtAuthPolicy to our ApiProduct route(s) that performs JWT validation using the Cognito’s JSON Web Key Set (JWKS), which contains the public keys used to verify the validity of the token, and applies to OPA policy to perform Authorization checks: | ||
|
|
||
| ```yaml | ||
| apiVersion: security.policy.gloo.solo.io/v2 |
There was a problem hiding this comment.
Same as above we should use route route options and the AuthConfig API instead of ExtauthPolicy
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: Due to updates being done in the schema, the Cognito implementation must be updated as well. Due to the scope of this issue and me (@inFocus7) going on PTO soon, it will likely not be updated as part of this PR.
Adds a second implementation of the SPI, this one for Keycloak.
Since Keycloak supports User Managed Access (UMA), this implementation represents API products as resources and authorisation to them is granted to clients via permissions. This allows a standardised approach to gaining access to these resources through UMA, which differs from the scope-based approach used by the Cognito implementation and therefore requires a different enforcement method (which is provided in the documentation).
It would still be possible to implement permissions via scopes if customers wished to, since they would own the ultimate implementation of the SPI, but the approach taken here shows an implementation aligned to UMA should that be preferred.
Tested with Keycloak 24.0.3.