Support for Keycloak Role permission

[bakousylla]

Hello,

I want to thanks for this great work!

We are facing the same issue than here : https://github.com/zmartzone/mod_auth_openidc/issues/297

Keycloak OAuth2 server send user's roles:

in the access token,
in the json structure : realm_access.roles[]
So we would like to have a base url filtered on a specific role, something like :

AuthType openid-connect
Require valid-user
Require claim realm_access.roles:MY_APP_ROLE
But it's not working and all not authorized users can access on my application. Could you have the solution for this issue ?
Thanks on advance.

Environment
Name : mod_auth_openidc
Arch : x86_64
Version : 2.4.11.1
Release : 1.el7

Name : httpd
Arch : x86_64
Version : 2.4.52
Release : 1.amzn2

Operating System: Amazon Linux 2
Kernel: Linux 4.14.273-207.502.amzn2.x86_64

[zandbelt]

You can use a User Realm Role mapper to add role information to the id_token and/or the information returned from the userinfo endpoint. That information can then be used in Require claim directives to grant access only to users with specific roles.

FWIW: by design the access token is meant to be opaque to the OAuth 2.0 Client i.e. mod_auth_openidc so you should not be looking to pull claims from there.

[bakousylla]

sorry for my mistake is not the access_token but the id_token, I share with you my config and my id_token claim, maybe I have some mistake on the config

Config

OIDCRedirectURI https://${PUBLIC_HOST}/auth/oidc
OIDCCryptoPassphrase ${OIDC_PASSPHRASE}
OIDCProviderMetadataURL ${OIDC_METADATA_URL}
OIDCClientID ${OIDC_CLIENT_ID}
OIDCClientSecret ${OIDC_CLIENT_SECRET}
OIDCSessionInactivityTimeout 7200
OIDCSessionMaxDuration 57600
OIDCAuthRequestParams claims=%7B%22id_token%22%3A%7B%22groups%22%3A%7B%22essential%22%3Atrue%7D%7D%7D
<Location />
AuthType openid-connect
Require claim groups:my_role_app
Require valid-user
</Location>

Claim

{
"exp": 1650359743,
"iat": 1650359443,
"auth_time": 0,
"jti": "05c2008d-a015-433c-9208-5fbb224cf64a",
"iss": "https://myserver/auth/realms/kering",
"aud": "myserver",
"sub": "893770bc-55cc-4fbc-848c-928b510404b0",
"typ": "ID",
"azp": "myserver",
"session_state": "13b16311-5836-4d5b-8c20-92d8148af5b6",
"at_hash": "FApMrHKsx76nks3S_SD0uA",
"acr": "1",
"email_verified": false,
"roles": [
"access",
"Op",
"User",
"Viewer",
"Public",
"Admin",
"read-token",
"manage-account",
"manage-account-links",
"view-profile"
],
"name": "Test Test",
"groups": [
"my_role_app",
"offline_access",
"uma_authorization"
],
"preferred_username": "[email protected]",
"given_name": "Test",
"family_name": "Test",
"email": "[email protected]"
}

[bakousylla]

Hello @zandbelt,
Have you some ideas for my mistake or misconfig ?

The authentification is ok but the filter with Require claim groups:my_role_app is not worked.

[zandbelt]

as mentioned:

You can use a User Realm Role mapper to add role information to the id_token and/or the information returned from the userinfo endpoint.

[bakousylla]

thanks @zandbelt , I've solved the issue