Using Keycloak with a relay service so as to not meddle with existing services

I have many services running currently without any authentication for any of their endpoints. I don’t want to touch the codebase of those services so I decided to have a relay server which will be registered as a client in keycloak and this client will have authorization enabled and have registered all the endpoints from all the services as separate resources.

This is how I currently represent my infrastructure on keycloak:
Only one client in the realm; the client has a resource for each service of type urn:service. They have the attribute base_url to let the relay server know where the service currently is. I also have resources representing each endpoint of the type <service_name>:endpoint. I have created permissions, policies, roles and users to have granular control over which user has access to which resources (representing endpoints).

I configured permissions for each endpoint (resource). I created roles and assigned them to the user. I have also created policies to allow users with particular roles to access particular endpoints. Now I wanted the relay server to be stateless and not store any config by itself. I have configured it so that the user is able to hit the /login endpoint and be redirected to keycloak where they enter their credentials, return with the auth code which is exchanged for the access and refresh tokens. Next the user should be able to hit /servicename/endpoint and the server should relay the requests and responses.

What I am having trouble with is fetching the resource name that represents the resource based on the endpoint. Is there a way to do it? I could not find any material on this. If not, I thought maybe I’ll login as the client through direct access grants and fetch the full list of resources and find it from there, but the client does not have access to its own resources? Why is that?
When I hit the localhost:8080/admin/realms/:realm/clients/:client-uuid/authz/resource-server/resource endpoint with the client’s access token, I get 403. I can get the list of resources if I use an access token for the admin user.

Next, I want to check if the policies permit the logged in user to access the resource. I had hoped the http://localhost:8080/admin/realms/:realm/clients/:client-uuid/authz/resource-server/policy/evaluate endpoint could help me but it does not have any way to filter based on the resource. Every time I want to check, all the policies are evaluated. This won’t be scalable for more than a few services.

I want the relay to be stateless so all the above needs to happen on every request.

Is there a different way to represent my infrastructure on keycloak? I tried using one resource for each service and attaching many scopes to them, but scopes don’t have a uri associated with them nor can they have custom attributes where I can define them, so I thought that won’t be feasible.

TLDR of my queries:

Is there a way to get the resource name or id based on the uri?
Is there a way to get a list of resources the client has when I log in as the client itself? (direct access grant) (Why isn't this possible or the default? It seems logical to allow the client to see what resources it has.)
Is there a way to evaluate if a given user has access to a particular resource based on the policies defined?
Is there a way to represent my infrastructure in a better way?

If it helps, I am currently implementing the relay server with flask but eventually I want to host just the function as an AWS lambda function.
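As an added example that is not part of the original post (and not Keycloak's own code): queries 1 and 3 can be answered without the admin REST API by using Keycloak's Protection API (resource lookup by `uri`) and the decision mode of the UMA grant at the token endpoint, which evaluates only the named resource instead of every policy. The admin endpoint quoted above returns 403 for the client's own token because it requires realm-management roles, whereas the Protection API requires the client to have service accounts enabled and its service account to hold the `uma_protection` role. The base URL, realm name, client id, path and tokens below are assumed placeholders, and the transport is injectable so the logic can be exercised with a fake.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def http_json(method, url, fields=None, bearer=None):
    """Minimal transport: form-encoded request, JSON reply. Injectable so it can be faked."""
    data = urllib.parse.urlencode(fields).encode() if fields else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def token_url(base, realm):
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def get_pat(base, realm, client_id, client_secret, http=http_json):
    """Protection API Token: client_credentials grant for the relay client itself."""
    body = http("POST", token_url(base, realm), {"grant_type": "client_credentials",
                "client_id": client_id, "client_secret": client_secret})
    return body["access_token"]

def resource_ids_for_uri(base, realm, pat, uri, http=http_json):
    """Protection API: ids of resources whose registered URIs match `uri` (query 1)."""
    query = urllib.parse.urlencode({"uri": uri})
    return http("GET", f"{base}/realms/{realm}/authz/protection/resource_set?{query}", bearer=pat)

def user_may_access(base, realm, client_id, user_token, resource, scope=None, http=http_json):
    """UMA decision mode: policies evaluated for one resource (id or name, optional #scope) (query 3)."""
    fields = {"grant_type": UMA_TICKET_GRANT, "audience": client_id, "response_mode": "decision",
              "permission": f"{resource}#{scope}" if scope else resource}
    try:
        return bool(http("POST", token_url(base, realm), fields, bearer=user_token).get("result"))
    except HTTPError as err:
        if err.code == 403:  # Keycloak reports a denial as HTTP 403, not as {"result": false}
            return False
        raise

def authorize_relay_request(base, realm, client_id, pat, user_token, path, http=http_json):
    """Relay gate for /servicename/endpoint: map the path to its resource, then ask for a decision."""
    ids = resource_ids_for_uri(base, realm, pat, path, http=http)
    if len(ids) != 1:
        return False  # unregistered or ambiguously registered path: deny by default
    return user_may_access(base, realm, client_id, user_token, ids[0], http=http)
```

Because the gate only needs the user's bearer token plus a PAT that can be re-fetched at any time, the relay itself holds no per-request state.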