sshniro commented on issue #3274: URL: https://github.com/apache/apisix/issues/3274#issuecomment-759518067
Hi @jenskeiner, I agree with your points, and we can get some design decisions from the [official adapter](https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java) from Keycloak.

> The scope is determined by the HTTP method of the request (i.e. a GET request maps to scope GET).

I would suggest using the `http-method-as-scope` [configuration option](https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_filter) to enforce this behavior, as some may enforce policies via custom scope names. The adapters also provide this option.

> Longer term, it may be better to load all resources from Keycloak once (maybe with periodic updates), and match the request URI to the resources in the plugin, e.g. with the help of the radix tree library already used for routes. This would avoid the requests that are needed just to determine the resource.

Agreed, the `lazy-load-paths` configuration option can be used to develop this enhancement so it tallies with the official adapter configurations.

> The resource is determined by using Keycloak's resource registration endpoint which can return the resources that match a given URI.

I may be mistaken, but does Keycloak match the URI and return results, or do we have to obtain all the paths and resolve it in APISIX?

> Using the resource registration endpoint requires another request to Keycloak on top of the one to the token endpoint that returns the decision. Longer term, but maybe not in the first iteration, caching can be implemented to reduce the number of necessary requests.

Agreed, we need a separate token for APISIX to orchestrate this flow. +1 for caching instead of straining Keycloak for a token per request.

+1 for the proposed changes, and looking forward to your PR.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
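The following is an added example, not APISIX's or Keycloak's code, sketching the two design points the thread agrees on: resolving the request to a Keycloak `resource#scope` locally from a resource list loaded once (with the HTTP method as the scope when `http-method-as-scope` is on), and caching the decision per token so the token endpoint is not asked on every request. The resource list, paths, scope names and the `decide` callback are constructed stand-ins: `decide` takes the place of the real UMA grant request (`response_mode=decision`), a regex matcher stands in for the radix tree, and the `default_scope` knob is an assumption for the non-method-scope case.

```python
import hashlib
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of Keycloak's resource representation
# (name, uris, scopes). A plugin would fetch this from the resource
# registration endpoint once and refresh it periodically.
RESOURCES = [
    {"name": "Users", "uris": ["/api/users", "/api/users/{id}"],
     "scopes": [{"name": "GET"}, {"name": "POST"}, {"name": "DELETE"}]},
    {"name": "Reports", "uris": ["/api/reports/*"],
     "scopes": [{"name": "view"}, {"name": "export"}]},
    {"name": "ApiCatchAll", "uris": ["/api/*"], "scopes": [{"name": "GET"}]},
]


def _compile(uri: str) -> Tuple[re.Pattern, int]:
    """Compile a URI template to a regex plus a specificity score: literal
    segments score 2, {param} segments 1, a trailing /* wildcard 0, so the
    most specific template is tried first (stand-in for the radix tree)."""
    segments = uri.strip("/").split("/")
    parts, score = [], 0
    for i, seg in enumerate(segments):
        if seg == "*" and i == len(segments) - 1:
            parts.append(".*")
        elif seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
            score += 1
        else:
            parts.append(re.escape(seg))
            score += 2
    return re.compile("^/" + "/".join(parts) + "$"), score


class ResourceIndex:
    """All resources loaded up front (the non-lazy mode discussed above), so
    a request path resolves to a resource without a round trip to Keycloak."""

    def __init__(self, resources: List[dict]):
        self._entries: List[Tuple[int, re.Pattern, str, Set[str]]] = []
        for res in resources:
            scopes = {s["name"] for s in res.get("scopes", [])}
            for uri in res.get("uris", []):
                pattern, score = _compile(uri)
                self._entries.append((score, pattern, res["name"], scopes))
        self._entries.sort(key=lambda e: -e[0])  # most specific first

    def match(self, path: str) -> Optional[Tuple[str, Set[str]]]:
        for _, pattern, name, scopes in self._entries:
            if pattern.match(path):
                return name, scopes
        return None


@dataclass(frozen=True)
class Permission:
    resource: str
    scope: str
    defined: bool  # False if the resource does not declare this scope


def resolve_permission(method: str, uri: str, index: ResourceIndex,
                       http_method_as_scope: bool = True,
                       default_scope: Optional[str] = None) -> Optional[Permission]:
    """Map a request to the resource#scope to ask Keycloak about. With
    http_method_as_scope the verb is the scope; otherwise a configured
    scope name is used (assumed knob, not a Keycloak option)."""
    hit = index.match(uri.split("?", 1)[0])  # ignore the query string
    if hit is None:
        return None
    name, scopes = hit
    scope = method.upper() if http_method_as_scope else (default_scope or "")
    return Permission(name, scope, scope in scopes)


class CachedEnforcer:
    """decide(token, resource, scope) stands in for the UMA decision request.
    Answers are cached per token hash; the TTL must stay within the token
    lifetime, and a revoked token keeps its cached answer until expiry."""

    def __init__(self, index: ResourceIndex, decide: Callable[[str, str, str], bool],
                 ttl: float = 60.0, now: Callable[[], float] = time.monotonic):
        self.index, self.decide, self.ttl, self.now = index, decide, ttl, now
        self._cache: Dict[Tuple[str, str, str], Tuple[bool, float]] = {}
        self.remote_calls = 0

    def authorize(self, token: str, method: str, uri: str) -> bool:
        perm = resolve_permission(method, uri, self.index)
        if perm is None or not perm.defined:
            return False  # no resource, or scope not declared: deny locally
        key = (hashlib.sha256(token.encode()).hexdigest(), perm.resource, perm.scope)
        cached = self._cache.get(key)
        if cached and cached[1] > self.now():
            return cached[0]
        self.remote_calls += 1
        allowed = self.decide(token, perm.resource, perm.scope)
        self._cache[key] = (allowed, self.now() + self.ttl)
        return allowed


def demo() -> dict:
    """Constructed policy: alice may GET/POST Users; everything else is denied."""
    index = ResourceIndex(RESOURCES)
    clock = [1000.0]
    decide = lambda tok, res, sc: tok == "alice-token" and res == "Users" and sc in {"GET", "POST"}
    enf = CachedEnforcer(index, decide, ttl=30, now=lambda: clock[0])
    results = [
        enf.authorize("alice-token", "GET", "/api/users/42?verbose=1"),  # remote call 1
        enf.authorize("alice-token", "GET", "/api/users/7"),             # cache hit
        enf.authorize("alice-token", "DELETE", "/api/users/7"),          # remote call 2
        enf.authorize("alice-token", "GET", "/nothing/here"),            # no resource
        enf.authorize("alice-token", "PATCH", "/api/users/7"),           # scope undefined
    ]
    clock[0] += 31                                                       # TTL expired
    results.append(enf.authorize("alice-token", "GET", "/api/users/7"))  # remote call 3
    return {"results": results, "remote_calls": enf.remote_calls}
```

Two choices worth noting: the cache key is `(token hash, resource, scope)` rather than the raw URI, so every `/api/users/{id}` hit under one token shares a single decision, and requests whose resource does not declare the requested scope are denied without a round trip at all.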
