Required custom roles #46
Comments
|
Hey @albanlienart, I believe this inquiry is not related to this package. However, we have another package, that focuses on the described use case: FastAPI Auth Middleware. Check out https://fastapi-auth-middleware.code-specialist.com/examples/simple_with_scopes/ for a specific example. I hope I got you right. Please close this issue if that resolved your question 🙂 |
|
Hey @yannicschroeer , Thanks for the quick reply ! But the package you mention seems interesting, I'll have a look ! |
|
Well, if you want to use custom roles, it is by definition not related to keycloak and thereby not this package. You can use your own roles by managing them via keycloak, but if you want to use custom roles from another client, you will need a custom implementation or another package, as this one focuses on keycloak. I can understand your motivation but I don't see that in the scope of this package. |
|
I was speaking about custom roles that you can define inside keycloak. When you create a new client inside keycloak, you can define roles related to that client. I'm speaking about those roles. Anyway, I guess the package you mention can be used to do so. On my side, I implemented a custom role verifying function to not depend upon too many external dependencies. Thanks for your interactions! |
|
Oh okay, sorry, seems I got you wrong after all. Your request is legit and will be considered for implementation, it indeed increases the flexibility. A pull request from your side would be appreciated 😊 otherwise we will leave this open as an enhancement until either me or someone else finds the time to implement this |
yannicschroeer
added
the
pull requests welcome
|
I'm trying to play around with this since we also need the client roles for access control. My first step is to define a property that returns the roles for the client. Given that the user can have different roles in multiple clients, I assumed that the current client is the # in class OIDCUser
azp: str
...
@property
def client_roles(self) -> List[str]:
"""Returns the roles of the user in the current authorized party
Returns:
List[str]: If the resource access dict contains roles for the current authorized party.
"""
if not self.azp:
raise KeycloakError(
status_code=404,
reason="The 'azp' section of the provided access token is missing",
)
if not self.resource_access:
raise KeycloakError(
status_code=404,
reason="The 'resource_access' section of the provided access token is missing",
)
if not self.resource_access[self.azp]:
raise KeycloakError(
status_code=404,
reason=f"The 'resource_access' section of the provided access token did not contain the client {self.azp}.",
)
try:
return self.resource_access[self.azp]["roles"]
except KeyError as e:
raise KeycloakError(
status_code=404,
reason=f"The 'resource_access' section of the provided access token did not contain any 'roles' for {self.azp}.",
) from eMy problem right now is I'm not really sure if the
|
|
Hi @edgarfelizmenio , |
|
I made a small PR, inspired from @edgarfelizmenio idea The returned roles are now the concatenation of the following:
|
In the Quickstart code example we can see that for the admin endpoint, the user needs to have the "admin" role assigned in order to proceed. This is a great feature.
However, from what I noticed, this function checks only the roles that we can find under "realm_access" -> "roles".
There are also other roles that can be found under "resource_access" for each defined client in keycloak.
How can I create this filter based on roles with a custom keycloak client that has its own custom roles?
Thanks in advance for your reply!
The text was updated successfully, but these errors were encountered: