diff --git a/docs/src/main/asciidoc/security-keycloak-authorization.adoc b/docs/src/main/asciidoc/security-keycloak-authorization.adoc
index 484011513f8d7..4961b34659e8a 100644
--- a/docs/src/main/asciidoc/security-keycloak-authorization.adoc
+++ b/docs/src/main/asciidoc/security-keycloak-authorization.adoc
@@ -167,6 +167,8 @@ quarkus.oidc.credentials.secret=secret
 quarkus.keycloak.policy-enforcer.enable=true
 ----
 
+NOTE: By default, applications using the `quarkus-oidc` extension are marked as a `service` type application (see `quarkus.oidc.application-type`). This extension currently supports only such `service` type applications.
+
 == Starting and Configuring the Keycloak Server
 
 To start a Keycloak Server you can use Docker and just run the following command:
diff --git a/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerBuildStep.java b/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java
similarity index 52%
rename from extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerBuildStep.java
rename to extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java
index bef2ae0d9e5ea..7de9e80705c7f 100644
--- a/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerBuildStep.java
+++ b/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java
@@ -1,4 +1,4 @@
-package io.quarkus.keycloak.pep;
+package io.quarkus.keycloak.pep.deployment;
 
 import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
 import io.quarkus.arc.deployment.BeanContainerBuildItem;
@@ -7,6 +7,10 @@
 import io.quarkus.deployment.annotations.Record;
 import io.quarkus.deployment.builditem.EnableAllSecurityServicesBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
+import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer;
+import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerConfig;
+import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder;
+import io.quarkus.oidc.OIDCException;
 import io.quarkus.oidc.runtime.OidcConfig;
 
 public class KeycloakPolicyEnforcerBuildStep {
@@ -17,9 +21,12 @@ FeatureBuildItem featureBuildItem() {
     }
 
     @BuildStep
-    public AdditionalBeanBuildItem beans() {
-        return AdditionalBeanBuildItem.builder().setUnremovable()
-                .addBeanClass(KeycloakPolicyEnforcerAuthorizer.class).build();
+    public AdditionalBeanBuildItem beans(KeycloakPolicyEnforcerConfig config) {
+        if (config.policyEnforcer.enable) {
+            return AdditionalBeanBuildItem.builder().setUnremovable()
+                    .addBeanClass(KeycloakPolicyEnforcerAuthorizer.class).build();
+        }
+        return null;
     }
 
     @BuildStep
@@ -31,6 +38,11 @@ EnableAllSecurityServicesBuildItem security() {
     @BuildStep
     public void setup(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, KeycloakPolicyEnforcerRecorder recorder, BeanContainerBuildItem bc) {
-        recorder.setup(oidcConfig, config, bc.getValue());
+        if (!oidcConfig.getApplicationType().equals(OidcConfig.ApplicationType.SERVICE)) {
+            throw new OIDCException("Application type [" + oidcConfig.getApplicationType() + "] not supported");
+        }
+        if (config.policyEnforcer.enable) {
+            recorder.setup(oidcConfig, config, bc.getValue());
+        }
     }
 }
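Review bot: `beans()` now decides at build time whether `KeycloakPolicyEnforcerAuthorizer` is registered at all, which makes `quarkus.keycloak.policy-enforcer.enable` an effectively build-time switch: an application built with it off and later started with the property overridden to `true` would get no authorizer bean and, as far as this hunk shows, no enforcement and no error. If `KeycloakPolicyEnforcerConfig` is not already declared as a build-time or build-and-run-time-fixed config root, either make it one or state the restriction on the `enable` config item, e.g. `* Enables policy enforcement. Read at build time; a runtime override has no effect.` Returning `null` to produce no build item is the usual Quarkus idiom, but a short comment such as `// no enforcer bean is registered at all when enforcement is disabled` would make the intent explicit to the next reader.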
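Review bot: In `setup()` the application-type guard runs before, and independently of, the `config.policyEnforcer.enable` check, so merely having this extension on the classpath with `quarkus.oidc.application-type=web-app` fails the build even when enforcement is switched off; if that fail-closed behaviour is intended it deserves a comment saying so, otherwise the guard belongs inside the `if (config.policyEnforcer.enable)` branch. The enum comparison would also read more idiomatically, and not depend on `getApplicationType()` being non-null, as `if (oidcConfig.getApplicationType() != OidcConfig.ApplicationType.SERVICE) {`. Since this rejects build-time configuration, consider whether `OIDCException` is the right type or whether the module has a dedicated configuration-error exception for build steps; I cannot tell from this hunk which is conventional here.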
diff --git a/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/KeycloakReflectionBuildStep.java b/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakReflectionBuildStep.java
similarity index 98%
rename from extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/KeycloakReflectionBuildStep.java
rename to extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakReflectionBuildStep.java
index 7f431491514c2..9bc5340dc1786 100644
--- a/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/KeycloakReflectionBuildStep.java
+++ b/extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakReflectionBuildStep.java
@@ -1,4 +1,4 @@
-package io.quarkus.keycloak.pep;
+package io.quarkus.keycloak.pep.deployment;
 
 import org.keycloak.adapters.authentication.ClientCredentialsProvider;
 import org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider;
diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerAuthorizer.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java
similarity index 99%
rename from extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerAuthorizer.java
rename to extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java
index 8706578889f9b..3c65573fda95e 100644
--- a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerAuthorizer.java
+++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java
@@ -1,4 +1,4 @@
-package io.quarkus.keycloak.pep;
+package io.quarkus.keycloak.pep.runtime;
 
 import java.security.Permission;
 import java.util.HashMap;
@@ -39,7 +39,6 @@ public CompletionStage checkPermission(RoutingContext request, Secu
 
     @Override
     public CheckResult apply(RoutingContext routingContext, SecurityIdentity identity) {
-
         VertxHttpFacade httpFacade = new VertxHttpFacade(routingContext);
         AuthorizationContext result = delegate.authorize(httpFacade);
 
diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerConfig.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfig.java
similarity index 97%
rename from extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerConfig.java
rename to extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfig.java
index 732084fdc6537..9f6545124b69f 100644
--- a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerConfig.java
+++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfig.java
@@ -1,4 +1,4 @@
-package io.quarkus.keycloak.pep;
+package io.quarkus.keycloak.pep.runtime;
 
 import java.util.List;
 import java.util.Map;
@@ -26,7 +26,7 @@ public class KeycloakPolicyEnforcerConfig {
      * Policy enforcement configuration when using Keycloak Authorization Services
      */
     @ConfigItem
-    KeycloakConfigPolicyEnforcer policyEnforcer;
+    public KeycloakConfigPolicyEnforcer policyEnforcer;
 
     @ConfigGroup
     public static class KeycloakConfigPolicyEnforcer {
@@ -35,7 +35,7 @@ public static class KeycloakConfigPolicyEnforcer {
      * Enables policy enforcement.
      */
     @ConfigItem
-    boolean enable;
+    public boolean enable;
 
     /**
      * Specifies how policies are enforced.
diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerRecorder.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java
similarity index 90%
rename from extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerRecorder.java
rename to extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java
index 1b25bb9364976..1a6736eff9b3d 100644
--- a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/KeycloakPolicyEnforcerRecorder.java
+++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java
@@ -1,4 +1,4 @@
-package io.quarkus.keycloak.pep;
+package io.quarkus.keycloak.pep.runtime;
 
 import io.quarkus.arc.runtime.BeanContainer;
 import io.quarkus.oidc.runtime.OidcConfig;
diff --git a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/VertxHttpFacade.java b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java
similarity index 97%
rename from extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/VertxHttpFacade.java
rename to extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java
index 2bf551cc4f504..78a8b5fb934fa 100644
--- a/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/VertxHttpFacade.java
+++ b/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java
@@ -1,4 +1,4 @@
-package io.quarkus.keycloak.pep;
+package io.quarkus.keycloak.pep.runtime;
 
 import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
@@ -20,6 +20,7 @@
 import org.keycloak.representations.AccessToken;
 
 import io.netty.handler.codec.http.HttpHeaderNames;
+import io.quarkus.oidc.AccessTokenCredential;
 import io.quarkus.security.credential.TokenCredential;
 import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
@@ -216,7 +217,7 @@ public KeycloakSecurityContext getSecurityContext() {
         }
 
         SecurityIdentity identity = user.getSecurityIdentity();
-        TokenCredential credential = identity.getCredential(TokenCredential.class);
+        TokenCredential credential = identity.getCredential(AccessTokenCredential.class);
         if (credential == null) {
             return null;