Authorization Keycloak


#1

Hi!

I’m logging into Squidex with Keycloak and it works fine, but now I need to give the user admin privileges. How can I do that in Keycloak? With roles, with authorization …?

Thanks.


#2

You have to add permissions as urn:squidex:permissions client.

Here is a list of all permissions: https://github.com/Squidex/squidex/blob/master/src/Squidex.Shared/Permissions.cs


#3

Hi Sebastian!
First of all, thanks for your answer, but can you be more specific?

Can you give me more info?

I have this configuration:


Do you refer to the resources tab?


#4

No, you have to go to your user and then to claims.


#5

Can you show me an example, please?
I tried this configuration:


Thanks


#6

You always have to log out and log in again, and you have to tell Keycloak to return this claim (or claim type) for your client.

We can have a skype session today 8pm (german time) or Monday.


#7

I did log out and log in again, I restarted Squidex and Keycloak, and I got the same result.


#8

I am not an expert. But I think you have to create:

  • A client scope named permission.
  • A mapper for this scope that returns the urn:squidex:permissions claim.
  • Request the permission scope when you create a token manually.
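
The three steps above, written out as a Keycloak realm import fragment. This is an added example, not configuration from the thread or from the Squidex or Keycloak projects. It reuses names that appear later in the thread (realm dan, client angular, scope permission, the claim urn:squidex:permissions and the value squidex.admin.*); the user attribute name squidex-permissions and the mapper name are assumptions. The mapper type oidc-usermodel-attribute-mapper is Keycloak's built-in "User Attribute" mapper, which copies a user attribute into a token claim.

```json
{
  "realm": "dan",
  "clientScopes": [
    {
      "name": "permission",
      "protocol": "openid-connect",
      "attributes": {
        "include.in.token.scope": "true",
        "display.on.consent.screen": "false"
      },
      "protocolMappers": [
        {
          "name": "squidex-permissions-claim",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-attribute-mapper",
          "consentRequired": false,
          "config": {
            "user.attribute": "squidex-permissions",
            "claim.name": "urn:squidex:permissions",
            "jsonType.label": "String",
            "multivalued": "false",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        }
      ]
    }
  ],
  "clients": [
    {
      "clientId": "angular",
      "protocol": "openid-connect",
      "publicClient": true,
      "standardFlowEnabled": true,
      "defaultClientScopes": ["profile", "email", "permission"]
    }
  ],
  "users": [
    {
      "username": "USERNAME",
      "enabled": true,
      "attributes": {
        "squidex-permissions": ["squidex.admin.*"]
      }
    }
  ]
}
```

Adding permission to the client's default scopes means the claim is emitted without the client having to request the scope explicitly; if it is added as an optional scope instead, the client has to include permission in the scope parameter of the authorization request. With multivalued set to false a single attribute value is emitted as a plain string, which matches the token shape shown later in the thread; set it to true to emit a JSON array when a user holds several permissions.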

#9

After doing the configuration I have this token from Keycloak:

{
  "jti": "2c919742-f918-41f5-b44e-641cef1d125a",
  "exp": 1567168851,
  "nbf": 0,
  "iat": 1567168551,
  "iss": "http://auth.ubi.local/auth/realms/dan",
  "aud": "account",
  "sub": "dd701a20-a71d-41b7-b213-7845dfc88ee1",
  "typ": "Bearer",
  "azp": "angular",
  "auth_time": 0,
  "session_state": "99e28890-a975-490b-a916-5185a4f5ff71",
  "acr": "1",
  "allowed-origins": [
    "http://data.ubi.local"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid permission profile email",
  "urn:squidex:permissions": "squidex.admin.*",
  "email_verified": true,
  "name": "NAME",
  "preferred_username": "USERNAME",
  "given_name": "NAME",
  "email": "EMAIL"
}


#10

After login on Squidex I have this token:

{
  "nbf": 1567163445,
  "exp": 1567167045,
  "iss": "http://data.ubi.local/identity-server",
  "aud": [
    "http://data.ubi.local/identity-server/resources",
    "squidex-api"
  ],
  "client_id": "squidex-frontend",
  "sub": "5d668fe3109bff00012f6341",
  "auth_time": 1567163445,
  "idp": "ExternalOidc",
  "email": "EMAIL",
  "scope": [
    "openid",
    "profile",
    "email",
    "squidex-profile",
    "role",
    "permissions",
    "squidex-api"
  ],
  "amr": [
    "external"
  ]
}

Weird thing, don’t you think?


#11

Sorry, I think I made a big mistake.

Keycloak is just another third-party authentication provider like Google or GitHub. So there are actually 2 identity servers: Keycloak and the integrated identity server.

The permissions themselves are usually handled in Squidex (can you check the database?). The first admin should get the admin permissions. I am not sure if you can give the permissions in Keycloak. If it is needed I can have a look, but I am not sure when I have time for that.


#12

I gave the permission directly to the user in Squidex, and it works fine.

I did another test: I created a new user with the permission in Keycloak, and when I did the first login the info was passed to Squidex.

But what I want is to be able to manage permissions in Keycloak and sync them with Squidex.

As far as I can tell from our conversation, it’s currently not possible, but is it something you think is feasible to add to the roadmap?


#13

It is feasible and probably a 30 min task. I will have a look.

EDIT: I am probably wrong. The problem is that the user is created in Squidex the first time you log in with Keycloak. I could transfer the claims then, but the next time the user logs in there would be no claims transfer.