Hello Keycloak Developers,
I just found an easy way to use the Quarkus route-based security authorization [1] feature with Keycloak.
It turns out that the security authorization feature is provided by the quarkus-security module, which is currently missing in Keycloak.
In my custom Keycloak server build [2] I just need to include a dependency on quarkus-security (and its dependency quarkus-mutiny) and then I can protect Keycloak routes with simple Quarkus configuration [3]:
# Protect admin routes (currently disabled; set enabled=true to activate)
quarkus.http.auth.permission.adminConsole.enabled=false
quarkus.http.auth.permission.adminConsole.paths=/auth/admin/*
quarkus.http.auth.permission.adminConsole.policy=deny
# Protect welcome page
quarkus.http.auth.permission.welcomePage.enabled=true
quarkus.http.auth.permission.welcomePage.paths=/auth,/auth/
quarkus.http.auth.permission.welcomePage.policy=deny
I think this could be easily added to the standard Keycloak distribution - perhaps with some additional configuration mapping to make those policies configurable via keycloak.conf.
Looking forward to your feedback :)
Cheers,
Thomas
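
An added example, not part of the original post and not Keycloak or Quarkus code: a small audit of `quarkus.http.auth.permission.*` settings that reports permission sets which will not protect their paths. The sample input is constructed, modelled on the settings above and including an `enabled` value with trailing inline text (in `.properties` files `#` starts a comment only at the beginning of a line); treating a set with no `enabled` key as enabled is an assumption.

```python
import re

# Constructed sample modelled on the post's settings (not a real deployment file).
SAMPLE = """\
# Protect admin routes
quarkus.http.auth.permission.adminConsole.enabled=false #true
quarkus.http.auth.permission.adminConsole.paths=/auth/admin/*
quarkus.http.auth.permission.adminConsole.policy=deny
# Protect welcome page
quarkus.http.auth.permission.welcomePage.enabled=true
quarkus.http.auth.permission.welcomePage.paths=/auth,/auth/
quarkus.http.auth.permission.welcomePage.policy=deny
"""

KEY = re.compile(r"^quarkus\.http\.auth\.permission\.([^.]+)\.(enabled|paths|policy)$")

def parse_permissions(text):
    """Group quarkus.http.auth.permission.<name>.* keys by permission set name."""
    sets = {}
    for raw in text.splitlines():
        line = raw.strip()
        # '#' or '!' marks a comment only when it is the first character of a line.
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = KEY.match(key)
        if m:
            sets.setdefault(m.group(1), {})[m.group(2)] = value
    return sets

def audit(text):
    """Return (permission_set, issue) pairs for sets that will not protect their paths."""
    findings = []
    for name, cfg in parse_permissions(text).items():
        # Assumption: a defined set with no 'enabled' key counts as enabled.
        enabled = cfg.get("enabled", "true")
        if enabled.lower() not in ("true", "false"):
            findings.append((name, f"enabled={enabled!r} is not a plain boolean"))
        if enabled.lower() != "true":
            findings.append((name, f"not enabled, paths unprotected: {cfg.get('paths', '')}"))
        for required in ("paths", "policy"):
            if not cfg.get(required):
                findings.append((name, f"missing {required}"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

Running it against a build's `application.properties` before deployment shows which route rules are actually in force.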