Im implementing the authorization on my REST API using keycloak with scopes, permissions and resources.
What im struggling is how to map a single resources, a REST endpoint, to multiple scopes based on HTTP method.
Like a endpoint (resource) called /api/v1/invoices would have GET, POST, DELETE and each require different permissions/scope but is the same resource.
How to match from my application the GET on resource to a specific scope? Im using Spring with the following configuration:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-policy-enforcer</artifactId>
<version>25.0.5</version>
</dependency>
My policy-enforcer json file:
{
"realm": "partners",
"auth-server-url": "http://localhost:8180",
"resource": "partner",
"credentials": {
"secret": ""
}
}
And my security configuration:
@EnableWebSecurity
@Configuration
@RequiredArgsConstructor
public class WebSecurityConfiguration {
@Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
private String jwkSetUri;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers(
"/v1/public/**",
"/v1/authentication/**",
"/actuator/openapi",
"/v1/",
"/v1",
"/").permitAll()
.anyRequest().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
.addFilterAfter(createPolicyEnforcerFilter(), BearerTokenAuthenticationFilter.class);
return http.build();
}
private ServletPolicyEnforcerFilter createPolicyEnforcerFilter() {
PolicyEnforcerConfig config;
try {
config = JsonSerialization.readValue(getClass().getResourceAsStream("/policy-enforcer.json"), PolicyEnforcerConfig.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
return new ServletPolicyEnforcerFilter(new ConfigurationResolver() {
@Override
public PolicyEnforcerConfig resolve(HttpRequest request) {
return config;
}
});
}
@Bean
JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
}
}