[ https://issues.apache.org/jira/browse/SOLR-16230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17547917#comment-17547917 ]

Marco commented on SOLR-16230:
------------------------------

Hey Jan. I'm simply following the default Keycloak way to set up a realm and
the corresponding clients.

So in this case, I have a client _solr_ of type _Bearer_, which has the
client roles `user` and `admin`. A user (`marco` in this case) can then
either be assigned realm roles or client roles. So if the user is assigned
the `solr` client role `user`, Keycloak maps this to the following
access token (please feel free to have a look at it using
[jwt.io|http://jwt.io]):

 
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJENUszcFlpRFh4azUtTHMzYzNQYmhUM1ZxS0xkXzlIbExmRmktbGNSMzBzIn0.eyJleHAiOjE2NTQzMjY0OTcsImlhdCI6MTY1NDMyNjE5NywianRpIjoiNzkxOWNhOWQtZGVhNy00MTRlLTllOTktMDgzOTc2OWYxZjQwIiwiaXNzIjoiaHR0cHM6Ly9tYXJjb3MtbWJwLTIwMTkubXllbGV4aXMuY2gva2V5Y2xvYWsvYXV0aC9yZWFsbXMvRWxleGlzRW52aXJvbm1lbnQiLCJhdWQiOlsic29sciIsImFjY291bnQiXSwic3ViIjoiMTQ0YmRlYWItOWJiZi00N2Q2LTllYzQtNTU5ODJjZDIwZTgyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoicG9zdG1hbiIsInNlc3Npb25fc3RhdGUiOiIyY2JlZGEyOS1mZTU0LTQ2YWUtOTAxOC1kNWNkZGU3ZmY1MTgiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsic29sciI6eyJyb2xlcyI6WyJ1c2VyIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiIyY2JlZGEyOS1mZTU0LTQ2YWUtOTAxOC1kNWNkZGU3ZmY1MTgiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Im1hcmNvIG1hcmNvIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibWFyY28iLCJnaXZlbl9uYW1lIjoibWFyY28iLCJmYW1pbHlfbmFtZSI6Im1hcmNvIiwiZW1haWwiOiJkZXNjaGVyQG1lZGV2aXQuYXQifQ.OMI6gRJjoyNFJtZ0pu9NZus9wYPL54nP2WlBIzGIIzB4IyupdbU-Lu3QoAopYFVSxcHCbBS0kB2gVtTVR5WXNdDtUMw9x55b_LIpRYUkGiSY6vTkXyqAw54DrsKjtfDoEt79MT9dBFx3_Dbr7aNJl5-hxjelQ0rZh-RSPMcaYgnZG-LErqLOUIlO3o_FYkEL7KMJCFlmPH7GD8FjFakBSBjczf-U4H8Rr9nykSZHZlaGyfYapMJ4ctrQyAbz_n5wTfrfcQsM3_09slvhBe27aSH01awPqvBg-4wYJUmCqobbH5f2htaw5XrbKf2ax99pXvYvJzqahUnUVZzbh4AcKw
 
You also see that there are other client roles assigned for the
client `account`, which is Keycloak internal. The _realm_access_ part is
for the roles the user has for the realm itself.

Remark: I'm acquiring this access token via a separate client that
has the right to gather an access_token. A client of type `Bearer`,
such as `solr` in our case, is not capable of acquiring tokens, but only
consuming them.

So I was not directly diving into why they manage it this way,
but I'm only trying to follow the default here, and making it consumable in
Solr.

 

> JWT-Auth: Support for Keycloak-Style nested roles
> -------------------------------------------------
>
>                 Key: SOLR-16230
>                 URL: https://issues.apache.org/jira/browse/SOLR-16230
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, Authorization
>    Affects Versions: 8.11.1
>         Environment: Solr 8.11 with Keycloak 16.1.1
>            Reporter: Marco
>            Assignee: Jan Høydahl
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The _rolesClaim_ for a JWT Token, as documented in
> [https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html#configuration-parameters],
> does not support "nested roles".
> That is, consider the following claim, as returned by
> [Keycloak|https://www.keycloak.org/] if the user has the role _user_ for
> the client _solr_:
>
>     "resource_access": {
>       "solr": {
>         "roles": [
>           "user"
>         ]
>       },
>       "account": {
>         "roles": [
>           "manage-account",
>           "manage-account-links",
>           "view-profile"
>         ]
>       }
>     }
>  
> Here a nested roles claim would have to apply to match. Something like 
> _rolesClaim="resource_access.solr.roles"_
> This is currently not supported. I am working on a Pull Request.
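As an added illustration (not code from Solr, Keycloak or the ticket), the following Python resolves a dotted rolesClaim such as `resource_access.solr.roles` against a token payload, after the signature has been verified. The payload is a constructed sample with the shape shown above; HS256 with a shared secret is assumed so the demo runs offline, whereas Keycloak issues RS256 tokens.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes) -> str:
    # HS256 keeps the demo self-contained; Keycloak issues RS256 tokens.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    # The alg and signature are checked before any claim is read.
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def roles_from_claim(payload: dict, roles_claim: str) -> list:
    # Walk a dotted path such as "resource_access.solr.roles"; a flat name
    # such as "roles" still works, and a missing path yields no roles.
    node = payload
    for part in roles_claim.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, str):
        return [node]
    return list(node) if isinstance(node, list) else []

# Constructed sample payload with the shape Keycloak emits for the ticket's setup.
SAMPLE_PAYLOAD = {
    "realm_access": {"roles": ["offline_access", "user"]},
    "resource_access": {
        "solr": {"roles": ["user"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}
DEMO_KEY = b"demo-secret-not-for-production"  # assumption: HS256 shared secret

if __name__ == "__main__":
    token = sign_jwt(SAMPLE_PAYLOAD, DEMO_KEY)
    print(roles_from_claim(verify_jwt(token, DEMO_KEY), "resource_access.solr.roles"))
```

Note that only the `solr` client's roles are returned; the `account` client roles and the realm roles are ignored unless the configured path names them.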



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
