Authorization policies by group not filtering

I have an application that exposes static pages at different paths. My goal is to filter access based on the user's group, for example group1 has access to the host.com/group1/* paths.

My environment if relevant:

  • All of the following services are deployed in a self-hosted Kubernetes cluster v1.26
  • My target application exposes static HTML pages at host.com/group1/, /group2/…, etc.
  • Keycloak version 20.0.5 deployed with the Bitnami Helm chart
  • Nginx proxy for the ingress
  • OAuth2 Proxy for communication between Nginx and Keycloak

Right now, I have created a realm, the group 'group1', and two users, only one of which is in the group.

I then created an OpenID Connect client and configured the proxies so that all requests to host.com go through Keycloak validation.

My client has the following Authorization configured:

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Dashboard Group1",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "8cd7b731-1f03-4642-9bc9-a580b78a48d7",
      "uris": [
        "/group1/*"
      ],
      "scopes": [
        {
          "name": "Group1"
        }
      ],
      "icon_uri": ""
    }
  ],
  "policies": [
    {
      "id": "b339d4aa-2733-4fe1-bfd7-41e7d2c67cf2",
      "name": "Group1",
      "description": "",
      "type": "group",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "groups": "[{\"path\":\"/group1\",\"extendChildren\":false}]",
        "groupsClaim": ""
      }
    },
    {
      "id": "71a30af3-b47e-4069-a5cc-6666cf58bb0d",
      "name": "Group1",
      "description": "",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "",
        "resources": "[\"Dashboards Group1\"]",
        "applyPolicies": "[\"group1\"]"
      }
    }
  ],
  "scopes": [
    {
      "id": "c3da6a22-c58b-41b6-ac41-7b0561715c94",
      "name": "Group1",
      "iconUri": ""
    }
  ],
  "decisionStrategy": "UNANIMOUS"
}

Problem! When I access a page at host.com/group1/, I get redirected to Keycloak to sign in, and then I can access the page with both users (whether in group1 or not).

What am I doing wrong?

Thanks
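As an added example (not part of the original question, and not Keycloak's or oauth2-proxy's code): the resource/policy JSON above describes an allow/deny decision, but Keycloak's Authorization Services only evaluate it when a policy enforcer asks the token endpoint for a permission decision; the OIDC login redirect described in the question proves the user is authenticated and nothing more. Something between the login and the static files therefore has to make a decision like the one below. The rule table mirrors the question's resource (URI `/group1/*`) and its group policy (path `/group1`, `extendChildren` false); the token claims, user names and the assumption that a `groups` claim with full group paths is present are all constructed for illustration.

```python
"""Path/group authorization check for the setup in the question above.
Added example, not code from the original post or from Keycloak/oauth2-proxy.
All token claims here are constructed; the "groups" claim is assumed to be
populated with full group paths (e.g. "/group1")."""
import posixpath
from fnmatch import fnmatchcase

# (URI pattern, required group path, extend to children) mirroring the
# question's resource "Dashboard Group1" (uris ["/group1/*"]) and its group
# policy on "/group1" with extendChildren=false.
RULES = [
    ("/group1/*", "/group1", False),
]


def normalize(path):
    """Collapse '.' and '..' segments before matching, so that
    '/group1/../group2/x' is judged as '/group2/x', not as a group1 URI."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops the trailing slash; keep it for '/group1/'
    return norm


def group_matches(member_paths, required, extend_children):
    """Exact group-path match, or a descendant match only when the policy's
    'Extend to Children' option (extendChildren) is set."""
    for p in member_paths:
        if p == required:
            return True
        if extend_children and p.startswith(required.rstrip("/") + "/"):
            return True
    return False


def decide(path, claims, rules=RULES):
    """Return ('allow' | 'deny', reason) for a request path and token claims.
    A path that matches no resource is denied, which is what Keycloak's
    ENFORCING policy enforcement mode does by default."""
    norm = normalize(path)
    groups = claims.get("groups", [])
    for pattern, required, extend in rules:
        if fnmatchcase(norm, pattern):
            if group_matches(groups, required, extend):
                return "allow", f"{norm} matches {pattern} and user is in {required}"
            return "deny", f"{norm} matches {pattern} but user is not in {required}"
    return "deny", f"{norm} matches no resource (ENFORCING denies by default)"


# Constructed token claims for three users (illustration only).
ALICE = {"preferred_username": "alice", "groups": ["/group1"]}
BOB = {"preferred_username": "bob", "groups": []}  # logged in, not in group1
CAROL = {"preferred_username": "carol", "groups": ["/group1/sub"]}  # child group only

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for path in ("/group1/", "/group1/index.html", "/group1/../group2/index.html"):
            verdict, why = decide(path, user)
            print(f"{user['preferred_username']:6} {path:32} {verdict:5} {why}")
```

Run as-is to see that only alice is allowed into `/group1/*`, that bob's successful login does not grant him the page (the behaviour the question reports is exactly what you get when this step is missing), and that carol's child-group membership only counts when `extendChildren` is true. Two things in the posted JSON are also worth checking against this table: the resource policy references `"Dashboards Group1"` while the resource is named `"Dashboard Group1"`, and `applyPolicies` references `"group1"` while the group policy is named `"Group1"`.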