colmbrady commented on issue #7190:
URL: https://github.com/apache/apisix/issues/7190#issuecomment-1149210943

I've thought about ApiSix and UMA a little more and I'm not 100% sure it's a good idea to let ApiSix manage UMA tickets. But, I'll outline my thinking here, and let's see what you think.
   
With the UMA protocol, the "policy enforcer's" job (ApiSix in my example) expects an RPT (Requesting Party Token) Bearer JWT to be sent by the client when accessing the Resource Server.
   
ApiSix could introspect the client's token to tell if it is an RPT token or not, and would need to check if it had the required permission to access the resource (**This might be a problem because how does ApiSix know what permissions are needed?? Only the resource server knows, as that's where the business logic is.** Configuration?).
   
If the client Bearer token is NOT an RPT, or does not have the appropriate permissions, **ApiSix could ask Keycloak** for a Permission ticket and return a 401 error with the ticket.

```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA realm="${realm}",
    as_uri="https://${host}:${port}/realms/${realm}",
    ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
```
   
If the client Bearer token IS an RPT, and has the appropriate permissions, then ApiSix can forward the request to the Resource Server.
   
**Why can't the Resource Server do this?**
Well - it could. But it means that every resource behind the Resource Server needs to understand how to generate a UMA 401 response. For our system, this is a lot of refactoring of our APIs.
   
I wanted to centralise this behind the ApiSix API Gateway so that I can enforce this once in my architecture, and not in every Resource Server... but... from the Keycloak Documentation:
   
**_"Only resource servers are allowed to create those tokens."_** - So, if ApiSix is a Policy Enforcer, it should NOT also be a Resource Server. It is wearing two hats!
   
I now think that ApiSix probably can't do the full UMA workflow, as it's beyond the scope of a Policy Enforcer. (Or it needs to be a separate plugin at least. It's a UMA plugin, NOT a Policy Enforcer Authz plugin.)
   
However, I do think ApiSix can become a Policy Enforcement point, and support the CIP like we discussed above.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
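The three branches the comment sketches (not an RPT, an RPT without the needed permission, an RPT that grants it) as a runnable decision function. This is an added example, not code from APISIX, Keycloak or the commenter; it is written in Python rather than APISIX's Lua, and it assumes that `claims` is the already-verified or introspected payload of the client's Bearer token, that a route-to-permission mapping (`ROUTE_PERMISSIONS`, constructed here) is gateway configuration, and that `stub_request_ticket` stands in for the permission-ticket request a resource server would make to Keycloak with its PAT. The `authorization.permissions` claim layout is the one Keycloak uses in its RPTs; everything else (hostnames, resource names, ticket values) is made up.

```python
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed gateway configuration (an assumption, not APISIX's): the Keycloak
# resource and scope each route needs. This is the piece the comment flags as
# missing from a pure policy enforcer, since only the resource server knows its
# business logic.
ROUTE_PERMISSIONS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("GET", "/api/orders"): ("orders", "view"),
    ("POST", "/api/orders"): ("orders", "create"),
}

TicketRequester = Callable[[str, str], str]


@dataclass
class Decision:
    status: int                         # 200 = forward upstream; 401 = UMA challenge; 403 = fail closed
    headers: Dict[str, str] = field(default_factory=dict)
    reason: str = ""


def required_permission(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Look up the (resource, scope) a route needs; None if the route is unmapped."""
    for (m, prefix), perm in ROUTE_PERMISSIONS.items():
        if m == method and (path == prefix or path.startswith(prefix + "/")):
            return perm
    return None


def is_rpt(claims: dict) -> bool:
    """A Keycloak RPT carries an `authorization.permissions` claim; a plain
    access token does not. `claims` is the already-verified token payload."""
    auth = claims.get("authorization")
    return isinstance(auth, dict) and isinstance(auth.get("permissions"), list)


def rpt_grants(claims: dict, resource: str, scope: str) -> bool:
    """True if any permission entry in the RPT names both the resource and the scope."""
    for perm in claims["authorization"]["permissions"]:
        if perm.get("rsname") == resource and scope in perm.get("scopes", []):
            return True
    return False


def uma_challenge(realm: str, as_uri: str, ticket: str) -> Dict[str, str]:
    """Build the WWW-Authenticate header in the shape quoted from the Keycloak docs."""
    value = 'UMA realm="%s", as_uri="%s", ticket="%s"' % (realm, as_uri, ticket)
    return {"WWW-Authenticate": value}


def stub_request_ticket(resource: str, scope: str) -> str:
    """Stand-in (assumption) for the permission-ticket request to Keycloak. The
    real call must come from a resource server holding a PAT, which is exactly
    the 'two hats' problem the comment raises. Returns a random ticket id."""
    return str(uuid.uuid4())


def enforce(claims: dict, method: str, path: str, realm: str, as_uri: str,
            request_ticket: TicketRequester = stub_request_ticket) -> Decision:
    """Policy-enforcer decision for one request, following the comment's branches."""
    perm = required_permission(method, path)
    if perm is None:
        # Defensive choice: an unmapped route is denied rather than forwarded.
        return Decision(403, reason="no permission mapping for route")
    resource, scope = perm
    if is_rpt(claims) and rpt_grants(claims, resource, scope):
        return Decision(200, reason="RPT grants %s#%s; forward upstream" % (resource, scope))
    # Not an RPT, or an RPT lacking the needed permission: answer with a ticket.
    ticket = request_ticket(resource, scope)
    why = "token is not an RPT" if not is_rpt(claims) else "RPT lacks %s#%s" % (resource, scope)
    return Decision(401, uma_challenge(realm, as_uri, ticket), why)


if __name__ == "__main__":
    AS = "https://keycloak.example.test/realms/demo"      # constructed
    plain_token = {"sub": "alice", "aud": "orders-api"}  # constructed: no authorization claim
    rpt = {"sub": "alice", "authorization": {"permissions": [
        {"rsid": "r-1", "rsname": "orders", "scopes": ["view"]}]}}  # constructed RPT payload
    for claims, m, p in [(plain_token, "GET", "/api/orders/42"),
                         (rpt, "GET", "/api/orders/42"),
                         (rpt, "POST", "/api/orders")]:
        d = enforce(claims, m, p, "demo", AS)
        print(d.status, d.reason, d.headers.get("WWW-Authenticate", ""))
```

The fail-closed 403 for unmapped routes is a design choice of this example, not something the comment specifies; it keeps a configuration gap from silently turning into an open route.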