Add support for per route authorization #2011
Conversation
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
Relevant! Already 60 days… time flies. |
| expectedAuthZ: true, | ||
| }, | ||
| { | ||
| name: "MoreSpecificPathMatches", |
There was a problem hiding this comment.
Equating "more specific" to "longer prefix match" is ambiguous and potentially misleading?
Which is "more specific" - /administration or /admin/a/b? I think most people would say the latter, because it is 'deeper'. But given a rule for /administration and a rule for /admin/a/b, your code will pick the former as being "more specific" and hence the rule that is used.
An alternative to consider would be to use the first match in the list?
(I'm not associated with the project, this is a drive-by comment!)
There was a problem hiding this comment.
This makes sense indeed. Maybe we should allow globing or regex. It’s more cognitive load on the user but at the same time the contract is clear.
There was a problem hiding this comment.
I can imagine some use cases might benefit from regex/glob matching. But I think it's an orthogonal question - you could still have multiple matches and need a way to pick one, i.e. first wins.
There was a problem hiding this comment.
I see what you mean. Probably first wins is more intuitive.
|
This feature would be super useful. What needs to be done to attract some feedback from the maintainers? |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
still relevant! |
|
Exactly what I was looking for. Please get this merged into oauth2-proxy! |
|
That is exactly what we need. We have a lot a tools which don't support authentication but we need oauth2_proxy to protected it based on users groups. |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
Would love to get this merged although TBH I since switched from Keycloak to Authelia which does support this out of the box :/ |
|
@ibizaman great stuff! +1 for merging into the main branch from me! I was going to make a similar fork by myself. However, my idea was to keep a configuration untouched and manage per-route roles on the reverse-proxy like: location /my-location {
set $roles "admin,viewer,commentor";
# auth_request block with some additional params ...
# proxying logic ...
}
location = /oauth2/auth {
# pass the roles to the oauth2-proxy somehow (in headers?) ...
# auth logic ...
}I haven't tried my version yet 😄 |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
Would love to get this merged too ❤️ |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
@ibizaman does your 👍 on the bot's post mean you don't think this is worth pursuing any more? Personally I don't need it any more but seems like a useful feature still? |
|
@sebwills there was a bit of regnisation indeed. I’m not using this project anymore but I’d be happy to get to merging it if there is some interest for it. |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
I would love to see this feature added, it would be extremely useful. |
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
would love to have this feature as well! |
|
Coming from louketo-proxy/keycloak-proxy/keycloak-gatekeeper, this feature would help a great deal setting up oauth2-proxy for my apps! |
|
Would love for this to be added in! Hopefully this isn't stale. @JoelSpeed |
|
hope to have this feature. |
Description
Add the possibility to associate a group - and/or role for
Keycloak-OIDC - with a path prefix. This means we can have fine
grained control over which group and/or role to allow per request
path.
The following configuration:
Gets mapped internally to:
So only those having the role
adminorsuperadmincan accessanything under the
/adminpath.Same thing when substituting "role" for "group".
A few caveats:
allowed_groupsandallowed_rolessyntax to
[<path>|]<name>. This choice is completely arbitrary andcan be changed if something else makes more sense.
group_path_separatorargument to let the user choose anotherseparator and default it to
|.matching, etc. Why? It was simpler to get a PoC out of the door. I'm
happy to extend this to other use cases I didn't think about, of
course.
Motivation and Context
This feature allows more fine-grained control on what path is
accessible to what users.
It allows oauth2-proxy to become an even more indispensable building
block to protect apps because we can rely on oauth2-proxy to implement
security that was only possible in-app beforehand, freeing the
developers to work on their business use case.
But more importantly, at least for my use case, we can add protection
over apps that we cannot update. For example, here I wanted to protect
a Vaultwarden instance that does not handle SSO
yet. Alos,
Vaultwarden exposes an admin UI under
/adminpath. I wanted to addSSO in front of the whole Vaultwarden UI but also to protect the
/adminpath with stricter role. This PR makes this possible.How Has This Been Tested?
First, I added some unit tests.
Also, I deployed oauth2-proxy in front of a Vaultwarden service. oauth2-proxy's config included in particular:
The Keycloak instance has two user:
useradminwhich is acomposite role including the
userrole.When logging with "lowpriviledge", I can access the normal Vaultwarden
UI under
/path while I get a 403 if I try to access anything under/admin. While with "highpriviledge" I can access the whole UI.Checklist:
I purposely didn't add documentation yet as I wanted to gather
feedback first. But I'll of course add some when we settle on what
arguments to have and such.