
feature : OAuth Authorization plugin for Keycloak #1679

Closed
sshniro opened this issue Jun 9, 2020 · 3 comments · Fixed by #1701

Comments

@sshniro
Member

sshniro commented Jun 9, 2020

Issue description

Keycloak is an Identity Server from Red Hat based on OAuth/OIDC. Keycloak provides a very powerful policy engine for authorization. It can support role-based, attribute-based, and dynamic authorization strategies.

The following image shows how APISIX can be integrated with Keycloak Server.

[image]

The following is a proposed schema for the authz-keycloak plugin:

```shell
curl http://127.0.0.1:9080/apisix/admin/routes/5 -X PUT -d '
{
    "uri": "/get",
    "host": "httpbin.org",
    "plugins": {
        "authz-keycloak": {
          "token_endpoint": "token_endpoint_url",
          "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
          "enforcement_policy": "Permissive OR Enforcing",
          "permissions": ["resource_name#scope_1_name", "resource_name#scope_2_name"]
        }
    },
    "upstream_id": 50
}'
```

The enforcing policy mode will reject calls that do not have associated permissions, and the permissive enforcement policy will allow the API call if no permission is tied to the resource/path.

It's not mandatory to provide the permissions, but if they are not provided APISIX should call Keycloak twice: first to identify the protected resource path, and then to evaluate the permissions.

I would like to contribute to this plugin and would like to hear the thoughts of the community.

@moonming
Member

LGTM
@chnliyong please take a look, thx

@chnliyong
Contributor

This looks like a subset of PEP.

I feel a little confused: what's the relationship between the permissions array and the requested method+uri?

@sshniro
Member Author

sshniro commented Jun 13, 2020

Yes @chnliyong, it's the implementation of PEP to enforce policies for API calls. Keycloak only provides adapters for Java and JS.

[image]

Keycloak provides the above API to check if you have permission to access a resource or not.
Passing in the response_mode as decision will result in a 200 or 403 response based on the permission assigned to that operation.

In the official authorization adapter, you can define the scopes and paths for your resources, and Keycloak internally makes these API calls to check if you have the permission to the required scope and resource. Also, in the Keycloak policy enforcer file, you can opt out of defining the paths. Then the adapters do lazy loading to fetch the matching paths and resources dynamically.

The following image shows a sample configuration of Keycloak JSON with matching paths, methods, and scopes:
[image]

Therefore, as the first implementation, I propose to implement the authorization flow by having the definitions of what is the resource and scope needed to access a route, and future enhancements would support the lazy loading of paths and permissions.

Please do have a look at the unit tests of the PR on how the authorization is enforced.

The following is a reference from the Keycloak adapter on how it tries to find the relevant resources by trying to match the URI.
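As an added illustration of the PEP check discussed in this thread (UMA ticket grant with response_mode=decision, plus the permissive/enforcing policies), not code from this issue or from the APISIX plugin itself: a Python sketch with an injectable transport so the decision logic runs offline. The token_endpoint/audience values and the fake_keycloak stand-in are assumptions.

```python
"""Minimal Keycloak policy-enforcement check modelled on this issue's flow (illustration only)."""
import urllib.error
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_decision_request(token_endpoint, access_token, audience, permissions):
    """POST to the token endpoint asking for a yes/no decision on the listed
    "resource#scope" permissions, bearing the caller's access token.
    `audience` is the Keycloak client id of the resource server (assumed)."""
    form = [("grant_type", UMA_GRANT), ("audience", audience), ("response_mode", "decision")]
    form += [("permission", p) for p in permissions]
    return urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def http_status(request):
    """Send the request and return only the HTTP status (200 = granted, 403 = denied)."""
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def authorize(token_endpoint, access_token, audience, permissions, enforcement_policy, send=http_status):
    """True if the route may be served.  A route with no permission tied to it is
    allowed under "permissive" and denied under "enforcing" without calling
    Keycloak; listed permissions are always checked, and anything other than a
    200 (including transport errors surfaced as other codes) is a deny."""
    if not permissions:
        return enforcement_policy == "permissive"
    status = send(build_decision_request(token_endpoint, access_token, audience, permissions))
    return status == 200


def fake_keycloak(request):
    """Constructed offline stand-in for Keycloak: grants only the "get" scope on "httpbin"."""
    granted = {"httpbin#get"}
    asked = urllib.parse.parse_qs(request.data.decode()).get("permission", [])
    return 200 if asked and all(p in granted for p in asked) else 403
```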
