It’s all working! I still need to try out the “rolesClaim” below.

If you want to see what I did, check out the PR https://github.com/querqy/chorus/pull/63

Thanks Jan and Tim for the help!

Eric

> On Nov 3, 2021, at 3:43 PM, Jan Høydahl <jan....@cominvent.com> wrote:
>
> Try to add "rolesClaim" to JWTAuthPlugin to tell it which JWT claim to use as a role.
> E.g. if you pick the claim "roles", then your user would have the roles=[profile, email]. So try to map the role "email" to the "all" permission, and your requests should be allowed.
>
> Jan
>
>> On 3 Nov 2021, at 13:26, Eric Pugh <ep...@opensourceconnections.com> wrote:
>>
>> Has anyone gone through integrating Solr with Keycloak? I’m trying to figure out how to map the Keycloak response back to what Solr needs to figure out the user.
>>
>> Here is my security.json:
>> https://github.com/querqy/chorus/blob/75f153b699855e6e2862900bd4413764f7b6a01e/solr/security.json
>>
>> And what I am getting back:
>>
>> 2021-11-02 21:03:27.805 INFO (qtp332699949-17) [] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
>>   "name":"all",
>>   "role":"admin"}, The principal
>> JWTPrincipalWithUserRoles{username='4a3d078b-418a-48fc-a26b-80d51f973084', token='*****',
>> claims={exp=1635887907, iat=1635887007, auth_time=1635887007,
>> jti=cdab53d1-3dc2-4a7a-a98b-83b9b19257e6,
>> iss=http://keycloak:9080/auth/realms/chorus, aud=account,
>> sub=4a3d078b-418a-48fc-a26b-80d51f973084, typ=Bearer, azp=solr,
>> nonce=tawciobxw3parxd0kyjw2p7r8sszymvdx,
>> session_state=57f6aea7-f243-4fa3-a6e1-6e83926e65af, acr=1,
>> allowed-origins=[http://localhost:8983],
>> realm_access={roles=[offline_access, uma_authorization, default-roles-chorus]},
>> resource_access={account={roles=[manage-account, manage-account-links, view-profile]}},
>> scope=openid email profile, email_verified=false, name=bob dole,
>> preferred_username=b...@dole.com, given_name=bob, family_name=dole, email=b...@dole.com},
>> roles=[profile, email]} does not have the right role
>>
>> _______________________
>> Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 | http://www.opensourceconnections.com | My Free/Busy <http://tinyurl.com/eric-cal>
>> Co-Author: Apache Solr Enterprise Search Server, 3rd Ed <https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw>
>>
>> This e-mail and all contents, including attachments, is considered to be Company Confidential unless explicitly stated otherwise, regardless of whether attachments are marked as such.
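The denial in the log and the "rolesClaim" suggestion above can be reproduced offline with a small model of the two Solr plugins involved. The following is an added example, not Solr's code and not the chorus project's security.json: the claim-handling rules in it are my reading of JWTAuthPlugin's documented options (with no rolesClaim, roles are derived from the "scope" claim; with rolesClaim set, the named top-level claim must be a list or a space-separated string), the default-allow-when-no-permission-matches behaviour is Solr's documented rule for RuleBasedAuthorizationPlugin, and the token with a top-level "roles" claim is a constructed assumption of what Keycloak would emit if a mapper were added. The claims are abbreviated from the decoded token in the log.

```python
"""Toy model of how Solr's JWTAuthPlugin turns token claims into roles and how
RuleBasedAuthorizationPlugin matches them against security.json permissions.
Added illustration, not Solr's or the chorus project's code; verify the claim
rules against the Solr version you run."""

# Constructed claims, abbreviated from the decoded Keycloak token in the log.
KEYCLOAK_CLAIMS = {
    "sub": "4a3d078b-418a-48fc-a26b-80d51f973084",
    "iss": "http://keycloak:9080/auth/realms/chorus",
    "aud": "account",
    "azp": "solr",
    "scope": "openid email profile",
    "realm_access": {"roles": ["offline_access", "uma_authorization",
                               "default-roles-chorus"]},
    "resource_access": {"account": {"roles": ["manage-account",
                                              "manage-account-links",
                                              "view-profile"]}},
    "email_verified": False,
    "email": "b...@dole.com",
}

# Constructed authentication section showing where rolesClaim goes
# (issuer entry is a placeholder, not the chorus configuration).
AUTH_WITH_ROLES_CLAIM = {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": True,
    "principalClaim": "sub",
    "rolesClaim": "roles",
    "issuers": [{"name": "keycloak",
                 "iss": "http://keycloak:9080/auth/realms/chorus",
                 "aud": "account"}],
}

# Constructed permission lists: the rule that produced the log line, and the
# "email" -> "all" mapping Jan proposes.
PERMS_ADMIN_ONLY = [{"name": "all", "role": "admin"}]
PERMS_EMAIL_IS_ALL = [{"name": "all", "role": "email"}]


def roles_from_claims(claims, roles_claim=None):
    """Roles the principal would carry for this token (modelled behaviour)."""
    if roles_claim is None:
        # Assumption: without rolesClaim the "scope" claim is split into
        # roles and "openid" is dropped, matching roles=[profile, email]
        # in the log.
        return {s for s in claims.get("scope", "").split() if s != "openid"}
    value = claims.get(roles_claim)
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, list):
        return {str(v) for v in value}
    # Claim absent, or a nested object such as realm_access: there is no flat
    # role list at the top level, so the principal ends up with no roles.
    return set()


def is_allowed(roles, permissions, requested="all"):
    """Simplified rule check: the first permission whose name matches the
    request (or is the catch-all "all") decides. It passes when the principal
    holds any of its roles, or when it names no role. With no matching
    permission Solr allows the request, which is why a trailing "all" rule is
    used to deny by default."""
    for perm in permissions:
        if perm["name"] not in (requested, "all"):
            continue
        wanted = perm.get("role")
        if wanted is None:
            return True
        if isinstance(wanted, str):
            wanted = [wanted]
        return bool(roles.intersection(wanted))
    return True


def scenarios():
    """Walk the thread: why the request was denied and what each change does.
    Returns {label: allowed} so the outcome can be checked, not just printed."""
    scope_roles = roles_from_claims(KEYCLOAK_CLAIMS)          # {email, profile}
    # Assumption: a constructed token where Keycloak has been made to emit a
    # top-level "roles" claim (the token in the log has none).
    mapped_token = dict(KEYCLOAK_CLAIMS, roles=["solr-admin"])
    claim = AUTH_WITH_ROLES_CLAIM["rolesClaim"]
    return {
        "log: scope roles vs role admin":
            is_allowed(scope_roles, PERMS_ADMIN_ONLY),
        "jan: scope roles vs role email":
            is_allowed(scope_roles, PERMS_EMAIL_IS_ALL),
        "rolesClaim=roles on the log token":
            is_allowed(roles_from_claims(KEYCLOAK_CLAIMS, claim), PERMS_EMAIL_IS_ALL),
        "rolesClaim=roles with a top-level roles claim":
            is_allowed(roles_from_claims(mapped_token, claim),
                       [{"name": "all", "role": "solr-admin"}]),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

Two things this makes visible. First, "email" in the token is an OIDC scope, not an authorization role: every user in the realm who logs in through the solr client gets it, so mapping it to "all" turns "authenticated" into "can do anything", acceptable for a demo like chorus but not as a production role model. Second, the token in the log has roles only nested under realm_access and resource_access, so setting rolesClaim to "roles" on that token yields an empty role set and a denial; the claim you point rolesClaim at has to be a top-level list or string in the token, which on the Keycloak side means adding a mapper that emits it (the mapper itself is outside what this thread shows). Keep blockUnknown true and the aud pinned to the client while doing this, so that tokens minted for other clients in the realm are not accepted.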