Comments (8)
Oh okay, sorry, seems I got you wrong after all. Your request is legit and will be considered for implementation, it indeed increases the flexibility. A pull request from your side would be appreciated 😊 otherwise we will leave this open as an enhancement until either me or someone else finds the time to implement this
from fastapi-keycloak.
I'm trying to play around with this since we also need the client roles for access control. My first step is to define a property that returns the roles for the client. Given that the user can have different roles in multiple clients, I assumed that the current client is the azp. The property code looks similar to how the realm roles property is defined in OIDCUser.
```python
from typing import Dict, List, Optional

from fastapi_keycloak.exceptions import KeycloakError

# in class OIDCUser
    # azp is optional in the spec, so it must not be a required field or
    # validation fails before the property below can report it cleanly
    azp: Optional[str] = None
    resource_access: Optional[Dict[str, Dict[str, List[str]]]] = None
    ...

    @property
    def client_roles(self) -> List[str]:
        """Returns the roles of the user in the current authorized party

        Returns:
            List[str]: The roles listed under resource_access[azp] in the access token.
        """
        if not self.azp:
            raise KeycloakError(
                status_code=404,
                reason="The 'azp' section of the provided access token is missing",
            )
        if not self.resource_access:
            raise KeycloakError(
                status_code=404,
                reason="The 'resource_access' section of the provided access token is missing",
            )
        # membership test instead of indexing, otherwise a client that is absent
        # from resource_access raises a bare KeyError instead of the KeycloakError
        if self.azp not in self.resource_access:
            raise KeycloakError(
                status_code=404,
                reason=f"The 'resource_access' section of the provided access token did not contain the client {self.azp}.",
            )
        try:
            return self.resource_access[self.azp]["roles"]
        except KeyError as e:
            raise KeycloakError(
                status_code=404,
                reason=f"The 'resource_access' section of the provided access token did not contain any 'roles' for {self.azp}.",
            ) from e
```
My problem right now is I'm not really sure if the azp will always be included in the token since it is optional by definition (see https://openid.net/specs/openid-connect-core-1_0.html#IDToken).

> azp: OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
Hey @albanlienart,
I believe this inquiry is not related to this package. However, we have another package that focuses on the described use case: FastAPI Auth Middleware. Check out https://fastapi-auth-middleware.code-specialist.com/examples/simple_with_scopes/ for a specific example. I hope I got you right.
Please close this issue if that resolved your question 🙂
Hey @yannicschroeer,
Thanks for the quick reply!
It is related, I was just wondering if we can check some custom roles coming from other clients from keycloak. It is similar to what already exists, I would just give a bit more flexibility ;)
But the package you mention seems interesting, I'll have a look!
Well, if you want to use custom roles, it is by definition not related to keycloak and thereby not this package. You can use your own roles by managing them via keycloak, but if you want to use custom roles from another client, you will need a custom implementation or another package, as this one focuses on keycloak. I can understand your motivation but I don't see that in the scope of this package.
I was speaking about custom roles that you can define inside keycloak. When you create a new client inside keycloak, you can define roles related to that client. I'm speaking about those roles.
Anyway, I guess the package you mention can be used to do so. On my side, I implemented a custom role verifying function to not depend upon too many external dependencies.
Thanks for your interactions!
Hi @edgarfelizmenio,
Have you started a branch somewhere for a PR?
I made a small PR, inspired by @edgarfelizmenio's idea.
The returned roles are now the concatenation of the following:
- everything in realm_access["roles"]
- everything in resource_access[azp]["roles"] (only when azp is defined)
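The role merge the PR describes (realm roles plus the roles of the authorized party), handling the optional azp claim raised earlier in the thread, as an added example that is not part of the package or of any comment above; the token payloads are constructed, and `effective_roles` and `has_required_roles` are hypothetical helper names:

```python
# Added example, not fastapi-keycloak code: merge realm_access roles with the
# roles granted for the authorized party (azp), which is optional per OIDC.
from typing import Dict, List, Optional


def effective_roles(claims: Dict) -> List[str]:
    """Return realm_access roles plus resource_access[azp] roles, deduplicated.

    Assumes `claims` is the already-verified JSON payload of a Keycloak access
    token (signature, issuer and expiry checked elsewhere). A missing azp, or a
    client with no resource_access entry, contributes no client roles instead
    of raising, because the claim is optional in the spec.
    """
    roles: List[str] = list(claims.get("realm_access", {}).get("roles", []))
    azp: Optional[str] = claims.get("azp")
    if azp:
        client_entry = claims.get("resource_access", {}).get(azp, {})
        roles.extend(client_entry.get("roles", []))
    # keep order, drop duplicates so a role granted at both levels counts once
    return list(dict.fromkeys(roles))


def has_required_roles(claims: Dict, required: List[str]) -> bool:
    """Authorization check: every required role must be present in the token."""
    return set(required).issubset(effective_roles(claims))


# Constructed sample payloads shaped like Keycloak access tokens (not real tokens)
TOKEN_WITH_AZP = {
    "azp": "billing-app",
    "realm_access": {"roles": ["offline_access", "user"]},
    "resource_access": {
        "billing-app": {"roles": ["invoice:read", "user"]},
        "other-client": {"roles": ["admin"]},  # not the azp, must be ignored
    },
}
TOKEN_WITHOUT_AZP = {
    "realm_access": {"roles": ["user"]},
    "resource_access": {"billing-app": {"roles": ["invoice:read"]}},
}

if __name__ == "__main__":
    print(effective_roles(TOKEN_WITH_AZP))       # ['offline_access', 'user', 'invoice:read']
    print(effective_roles(TOKEN_WITHOUT_AZP))    # ['user']
    print(has_required_roles(TOKEN_WITH_AZP, ["admin"]))  # False
```

Note that roles of clients other than the azp are deliberately not merged, so a token issued to one client cannot carry another client's role grants into your API.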