Using Quarkus Standard Security Authorization with Keycloak


Thomas Darimont

Oct 14, 2022, 9:19:09 AM
to Keycloak Dev
Hello Keycloak Developers,

I just found an easy way to use the Quarkus route-based security authorization [1] feature with Keycloak.

It turns out that the security authorization feature is provided by the quarkus-security module, which is currently missing in keycloak.

In my custom Keycloak server build [2] I just need to include a dependency to quarkus-security (and its dependency quarkus-mutiny) and then I can protect keycloak routes with simple quarkus configuration [3]:

# Protect admin routes
# Set to true to enable this rule (.properties files do not support trailing comments)
quarkus.http.auth.permission.adminConsole.enabled=false
quarkus.http.auth.permission.adminConsole.paths=/auth/admin/*
quarkus.http.auth.permission.adminConsole.policy=deny

# Protect welcome page
quarkus.http.auth.permission.welcomePage.enabled=true
quarkus.http.auth.permission.welcomePage.paths=/auth,/auth/
quarkus.http.auth.permission.welcomePage.policy=deny

I think this could be easily added to the standard keycloak distribution - perhaps with some additional configuration mapping to make those policies configurable via keycloak.conf

Looking forward to your feedback :)

Cheers,
Thomas


Tobias Häfner

Oct 17, 2022, 2:24:50 AM
to Keycloak Dev
Hello Thomas,

good work. I think that would be a very nice feature.

Best regards
Tobias

Stian Thorgersen

Oct 17, 2022, 9:04:56 AM
to Thomas Darimont, Keycloak Dev
Maybe I'm missing something, but I don't see what this is solving. Admin endpoints can already be disabled through profile/feature, and we can easily add the same for welcome page.

Thomas Darimont

Oct 17, 2022, 9:20:57 AM
to stho...@redhat.com, Keycloak Dev
Hello Stian,

protecting the admin endpoints was just an example. What I wanted to show was that we can leverage quarkus support for protecting endpoints like custom resources, welcome page, disable access to endpoints which are not controllable with a feature flag etc.
Additionally, users could implement their own SecurityChecks via the io.quarkus.security.spi.runtime.SecurityCheck (e.g. restrict access to an endpoint to internal IP, or expect certain headers etc.) without requiring additional infrastructure.
Of course users could always use a reverse proxy for this or implement custom JAX-RS filters [2], but I think having support for protecting individual endpoints with a simple configuration would also be useful.

Cheers,
Thomas

Thomas Darimont

Oct 17, 2022, 9:27:22 AM
to stho...@redhat.com, Keycloak Dev
... just noticed that the SecurityCheck is the wrong interface - what seems to be used currently is: io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy, which is enforced by the vertx runtime via io.quarkus.vertx.http.runtime.security.HttpAuthorizer

Cheers,
Thomas
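
Added example (not part of the thread and not Keycloak or Quarkus project code): the "restrict access to an endpoint to internal IP" check mentioned above, written against HttpSecurityPolicy. The class and package names are hypothetical, and it assumes a Quarkus version that applies every HttpSecurityPolicy CDI bean to each request.

```java
package example.keycloak.policy; // hypothetical package

import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.enterprise.context.ApplicationScoped; // jakarta.enterprise.* on Quarkus 3
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.core.net.SocketAddress;
import io.vertx.ext.web.RoutingContext;

/** Hypothetical policy: admin paths are reachable only from loopback or private addresses. */
@ApplicationScoped
public class InternalOnlyAdminPolicy implements HttpSecurityPolicy {

    // Prefix taken from the adminConsole rule posted in the thread.
    private static final String ADMIN_PREFIX = "/auth/admin";

    @Override
    public Uni<CheckResult> checkPermission(RoutingContext ctx, Uni<SecurityIdentity> identity,
            AuthorizationRequestContext requestContext) {
        String path = ctx.normalizedPath();
        boolean adminPath = path.equals(ADMIN_PREFIX) || path.startsWith(ADMIN_PREFIX + "/");
        if (!adminPath) {
            return Uni.createFrom().item(CheckResult.PERMIT); // other paths are not restricted here
        }
        // remoteAddress() is the TCP peer. Behind a reverse proxy this is the proxy itself
        // unless forwarded headers are enabled, and those headers are only trustworthy
        // when nothing but the proxy can reach this port.
        SocketAddress peer = ctx.request().remoteAddress();
        String ip = peer == null ? null : peer.hostAddress();
        return Uni.createFrom().item(isInternal(ip) ? CheckResult.PERMIT : CheckResult.DENY);
    }

    /** Fails closed. IPv6 unique local addresses (fc00::/7) are not treated as internal. */
    static boolean isInternal(String ip) {
        if (ip == null || ip.isEmpty()) {
            return false; // InetAddress.getByName(null or "") would return loopback
        }
        try {
            InetAddress addr = InetAddress.getByName(ip); // IP literal, so no DNS lookup
            return addr.isLoopbackAddress() || addr.isSiteLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }
}
```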