In the past few days I have been evaluating Keycloak in order to be used in our organization because of the strong integration with Shinyproxy.
I was able to successfully configure a few apps via oidc (Shinyproxy and Flask-Appbuilder) for authentication; what I am working on right now is the authorization part.
What I can’t figure out is how to protect a resource via roles.
Here is an example: I configured a new confidential client to be able to authenticate against Keycloak with Flask-Appbuilder (which is based on Flask and has built-in integration with openid-connect).
What I would like to be able to do is deny access to this whole client if a user does not belong to a certain group. I have tried to configure a policy and a permission like explained in the manual but the user is still able to login. Does this mean that in order to have this type of authorization the app itself needs to implement this via an adapter?
Also in the documentation it says that it’s possible to edit the Default policy, but in my installation I can only delete a Default policy; if I open it to edit, everything is grayed out.
Please correct me if I’m wrong but it looks like the only way to allow/deny access to a client based on a role server-side would be to implement a JavaScript authenticator provider.
I thought I could get away with using a “Condition - User Role” execution but it seems not to do what I am expecting…
I’m having the same issue, the “Condition - User Role” just does not work as expected. Did you find a solution? I’m thinking I will have to implement an Authentication Provider here…
This is an older topic, but the recent documentation updates they made make it much clearer, albeit still not that great.
Essentially, what works well for me, is that you want to do the opposite of what you are looking for. You want to deny people who don't have the role, not allow people that do have the role (like you would normally think).
In this example, there is a Conditional sub-flow to do the role check.
The first execution role check they have checks for the role, and it NEGATES it. So while you want to find people with this role, you need to do so in the opposite way.
So based on the above flow, if I do not have that role, then the Deny below the role check will end up denying me. But if I do have the role, then the Deny doesn't get processed, and I move past it.
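To make the flow described in the answer above concrete, here is an added realm-import fragment (my own example, not from the thread or from Keycloak's documentation) for a copy of the browser flow whose forms sub-flow ends in a conditional sub-flow: the Condition - User Role execution is configured with negate=true for an assumed realm role app-user, so the Deny Access execution after it only runs for users who lack that role. The flow aliases, the role name and the error message are my assumptions, and the field names assume a recent Keycloak version.

```json
{
  "roles": { "realm": [ { "name": "app-user" } ] },
  "authenticationFlows": [
    {
      "alias": "browser-app-user-only",
      "description": "Copy of browser that denies users without the app-user role",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "priority": 10, "authenticatorFlow": false },
        { "flowAlias": "app-user-only forms", "requirement": "ALTERNATIVE", "priority": 20, "authenticatorFlow": true }
      ]
    },
    {
      "alias": "app-user-only forms",
      "providerId": "basic-flow",
      "topLevel": false,
      "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "auth-username-password-form", "requirement": "REQUIRED", "priority": 10, "authenticatorFlow": false },
        { "flowAlias": "app-user-only deny", "requirement": "CONDITIONAL", "priority": 20, "authenticatorFlow": true }
      ]
    },
    {
      "alias": "app-user-only deny",
      "description": "Entered only when the negated role condition matches, i.e. the user lacks app-user",
      "providerId": "basic-flow",
      "topLevel": false,
      "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "conditional-user-role", "authenticatorConfig": "lacks-app-user", "requirement": "REQUIRED", "priority": 10, "authenticatorFlow": false },
        { "authenticator": "deny-access-authenticator", "authenticatorConfig": "deny-app-user-missing", "requirement": "REQUIRED", "priority": 20, "authenticatorFlow": false }
      ]
    }
  ],
  "authenticatorConfig": [
    { "alias": "lacks-app-user", "config": { "condition.user.role": "app-user", "negate": "true" } },
    { "alias": "deny-app-user-missing", "config": { "denyErrorMessage": "This application requires the app-user role." } }
  ]
}
```

Bind this flow to the Flask-Appbuilder client through its Authentication flow overrides (Browser Flow) so the other clients keep the default browser flow. With negate set to "false" the Deny Access would fire for users who do hold the role, which is the inverted behaviour the answer warns about.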