jenskeiner commented on a change in pull request #3308:
URL: https://github.com/apache/apisix/pull/3308#discussion_r561734178
##########
File path: doc/plugins/authz-keycloak.md
##########
@@ -38,24 +38,37 @@ For more information on Keycloak, refer to [Keycloak
Authorization Docs](https:/
## Attributes
-| Name | Type | Requirement | Default
| Valid
| Description
|
-| ----------------------- | ------------- | ----------- |
--------------------------------------------- |
------------------------------------------------------------------ |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| discovery | string | optional |
|
https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to
discovery document for Keycloak Authorization Services.
|
-| token_endpoint | string | optional |
|
https://host.domain/auth/realms/foo/protocol/openid-connect/token | A
OAuth2-compliant Token Endpoint that supports the
`urn:ietf:params:oauth:grant-type:uma-ticket` grant type. Overrides value from
discovery, if given. |
-| grant_type | string | optional |
"urn:ietf:params:oauth:grant-type:uma-ticket" |
["urn:ietf:params:oauth:grant-type:uma-ticket"] |
|
-| audience | string | optional |
|
| The client identifier of the resource server to which the
client is seeking access. <br>This parameter is mandatory when parameter
permission is defined. |
-| permissions | array[string] | optional |
|
| A string representing a set of one or more resources and scopes
the client is seeking access. The format of the string must be:
`RESOURCE_ID#SCOPE_ID`. |
-| timeout | integer | optional | 3000
| [1000, ...]
| Timeout(ms) for the http connection with the Identity Server.
|
-| ssl_verify | boolean | optional | true
|
| Verify if SSL cert matches hostname.
|
-| policy_enforcement_mode | string | optional | "ENFORCING"
| ["ENFORCING", "PERMISSIVE"]
|
|
-
-### Endpoints
-
-Endpoints can optionally be discovered by providing a URL pointing to
Keycloak's discovery document for Authorization Services for the realm
-in the `discovery` attribute. The token endpoint URL will then be determined
from that document. Alternatively, the token endpoint can be
-specified explicitly via the `token_endpoint` attribute.
-
-One of `discovery` and `token_endpoint` has to be set. If both are given, the
value from `token_endpoint` is used.
+| Name | Type | Requirement | Default
| Valid
| Description
|
+| ------------------------------ | ------------- | ----------- |
--------------------------------------------- |
------------------------------------------------------------------ |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
|
+| discovery | string | optional |
|
https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to
discovery document for Keycloak Authorization Services.
|
+| token_endpoint | string | optional |
|
https://host.domain/auth/realms/foo/protocol/openid-connect/token | A
OAuth2-compliant Token Endpoint that supports the
`urn:ietf:params:oauth:grant-type:uma-ticket` grant type. Overrides value from
discovery, if given. |
+| resource_registration_endpoint | string | optional |
|
https://host.domain/auth/realms/foo/authz/protection/resource_set | A Keycloak
Protection API-compliant resource registration endpoint. Overrides value from
discovery, if given. |
+| grant_type | string | optional |
"urn:ietf:params:oauth:grant-type:uma-ticket" |
["urn:ietf:params:oauth:grant-type:uma-ticket"] |
|
+| client_id | string | required |
|
| The client identifier of the resource server to which
the client is seeking access. <br>This parameter is mandatory when parameter
permission is defined. |
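Review bot: the `client_id` row is marked `required` in the Requirement column, but its description (copied verbatim from the `audience` row, "The client identifier of the resource server ... mandatory when parameter permission is defined") and the accompanying review comment both say that only one of `client_id` or `audience` has to be set; mark it `optional` and state the either/or rule in the description, the way the removed "Endpoints" section did for `discovery`/`token_endpoint`. That removed section also carried the constraints "One of `discovery` and `token_endpoint` has to be set" and "If both are given, the value from `token_endpoint` is used"; the retained rows only say "Overrides value from discovery, if given", so make sure the must-set-one rule is restated somewhere in the new text. Minor: the rows say `permissions` (array[string]) while the descriptions refer to "parameter permission"; use one name.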
Review comment:
Ok, so I'm now again requiring one of `client_id` or `audience`, the
latter for better backwards compatibility. Rationale: The plugin always uses
the token endpoint to get a decision from Keycloak on the requested
permissions. As per
https://www.keycloak.org/docs/4.8/authorization_services/#_service_obtaining_permissions
the `audience` parameter (what is either in `client_id` or `audience` for the
plugin) is required when the `permission` parameter is set (which the plugin
always does).
If `lazy_load_paths` is `true`, the plugin also needs to obtain an
access token for itself from Keycloak. To that end, it most likely also needs
`client_secret` to be set, but that depends on how Keycloak is configured.
Hence, this is still optional.
Also added test cases to check if one of `client_id` or `audience` is
correctly required and schema verification fails if both are absent.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
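The configuration rules the comment describes (one of `client_id`/`audience` required, `token_endpoint` taking precedence over `discovery`, and the UMA-ticket grant request the plugin sends to the token endpoint with `audience` and `permission`) as an added, stand-alone example. This is not APISIX's authz-keycloak code or its schema; it is a Python model of those rules over constructed sample input. The discovery document is an inline dict standing in for the fetched `.well-known/uma2-configuration`, and the `response_mode=decision` parameter comes from the Keycloak Authorization Services docs the comment links, not from this page.

```python
"""Model of the authz-keycloak configuration constraints under review.

Added example, not the plugin's own code. No network access: the Keycloak
discovery document is a constructed dict.
"""
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class ConfigError(ValueError):
    """Raised where the plugin's schema validation would reject the conf."""


def validate_conf(conf: dict) -> dict:
    """Apply the either/or rules from the review and fill documented defaults.

    - one of client_id / audience must be set (audience is the older name)
    - one of discovery / token_endpoint must be set
    Returns a copy of conf with the table's default values applied.
    """
    if not (conf.get("client_id") or conf.get("audience")):
        raise ConfigError("one of client_id or audience is required")
    if not (conf.get("discovery") or conf.get("token_endpoint")):
        raise ConfigError("one of discovery or token_endpoint is required")
    out = dict(conf)
    out.setdefault("grant_type", UMA_TICKET_GRANT)
    out.setdefault("timeout", 3000)
    out.setdefault("ssl_verify", True)
    out.setdefault("policy_enforcement_mode", "ENFORCING")
    out.setdefault("lazy_load_paths", False)
    return out


def schema_rejects(conf: dict) -> bool:
    """True if validate_conf raises, i.e. the conf would fail schema checks."""
    try:
        validate_conf(conf)
    except ConfigError:
        return True
    return False


def resolve_token_endpoint(conf: dict, discovery_doc: dict) -> str:
    """Explicit token_endpoint wins; otherwise use the discovery document.

    discovery_doc stands in for the JSON fetched from conf['discovery'].
    """
    if conf.get("token_endpoint"):
        return conf["token_endpoint"]
    return discovery_doc["token_endpoint"]


def audience_for(conf: dict) -> str:
    """The value sent as `audience`: client_id, or audience for old confs."""
    return conf.get("client_id") or conf.get("audience")


def uma_decision_fields(conf: dict, permissions: list) -> list:
    """Form fields for the UMA-ticket grant asking Keycloak for a decision.

    `permission` is always sent (hence `audience` is always required), each
    value in RESOURCE_ID#SCOPE_ID form. response_mode=decision is taken from
    the Keycloak Authorization Services docs (assumption, not from the page).
    """
    for perm in permissions:
        if "#" not in perm:
            raise ConfigError(f"permission {perm!r} must be RESOURCE_ID#SCOPE_ID")
    fields = [
        ("grant_type", conf["grant_type"]),
        ("audience", audience_for(conf)),
        ("response_mode", "decision"),
    ]
    fields.extend(("permission", perm) for perm in permissions)
    return fields


def uma_decision_body(conf: dict, permissions: list) -> str:
    """URL-encoded body as it would be POSTed to the token endpoint."""
    return urlencode(uma_decision_fields(conf, permissions))


if __name__ == "__main__":
    # Constructed sample: old-style conf using `audience` and discovery only.
    conf = validate_conf({
        "audience": "my-resource-server",
        "discovery": "https://host.domain/auth/realms/foo/.well-known/uma2-configuration",
    })
    disco = {"token_endpoint": "https://host.domain/auth/realms/foo/protocol/openid-connect/token"}
    print(resolve_token_endpoint(conf, disco))
    print(uma_decision_body(conf, ["orders#read"]))
```

Running the module shows the token endpoint taken from the discovery stand-in (no explicit `token_endpoint`) and a body whose `audience` falls back to the legacy `audience` attribute, which is why the schema must insist on at least one of the two names.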