seeking optimal way of developing JavaScript policies


yk

May 25, 2022, 3:10:39 AM
to Keycloak User
Hello,

I am using Keycloak 18 Quarkus in a container. I have figured out how to upload scripts into Keycloak using .jar files, they show up in the UI, I can apply them and run the evaluator to test them.

I found docs/screenshots mentioning that one can edit the JS Policies directly in the admin UI, but I do not have these buttons and have not been able to find how to add them, despite a week of searching through a lot of conflicting tutorials and documentation. I have seen the **upload_scripts** feature mentioned multiple times and it is marked as deprecated. It does not seem to work in Keycloak 18 Quarkus; other features get enabled fine but **upload_scripts** is ignored.

So far it seems that the proper way to deploy a JavaScript policy into a Keycloak container is:
- Write the script (pray it works), the metadata file and package it up as a .jar file
- Deploy the container adding the jar during a build step
- Configure Keycloak with a realm, client and attach the policy
- Create any test users and groups
- Run the evaluator to finally test the policy

Doing this process takes a long time. So the slightest code change takes minutes to run and takes a lot of manual work to run the verify tool. I automated most of the Admin API configuration but found the Authorization bits to not be documented, so this bit is manual for the moment. Still, even when I finally fully automate this, this is a slow and cumbersome process.

1. Does anyone know of a better way to do this?
  - Perhaps using an IDE with code completion? (Please include some basic pointers of how to test the JavaScript Authorization policies specifically. I started looking at the unit tests but have not figured out how to use them for my purpose yet. I have seen the evaluator API also but this is Java and I am not familiar with how the transition works.)
  - Is there some faster way to get the script into Keycloak? (A curl call?)

2. Is a log function available in JavaScript Authorization policy context so I can dump variable contents out to inspect them?
    - I saw a doc for authentication providers with a LOG function but that fails here.

Thanks,
Y

yk

May 25, 2022, 3:23:57 PM
to Keycloak User
Update:
I was finally able to find the JavaScript policy editor in the admin UI by downgrading to Keycloak Quarkus 17 with identical setup scripts. So it seems like this feature is being removed.
I am still looking for how the JavaScript functionality should be developed, especially going into the future.

Francesco Marino

Aug 31, 2022, 12:10:14 PM
to Keycloak User
Hello yk,

Did you find a satisfying solution for this?

I totally agree that, with the removal of the possibility of editing JS policies directly in the admin UI, their use will basically become very impractical.

Thomas Darimont

Aug 31, 2022, 3:18:45 PM
to Francesco Marino, Keycloak User
Hello,

The Keycloak documentation recommends using jar files to deploy custom JavaScript-based Providers / policies.

Cheers,
Thomas
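
The jar packaging step discussed in this thread, as an added example that is not code from any poster or from the Keycloak project: it builds the jar in memory with its metadata file and checks it before it is copied into a container image. It assumes the descriptor path `META-INF/keycloak-scripts.json` and its `policies` list as given in the Keycloak server developer documentation; the policy name, file name, role and JavaScript body are constructed samples.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath

DESCRIPTOR = "META-INF/keycloak-scripts.json"

# Constructed sample policy: grants only to holders of a hypothetical realm role.
SAMPLE_POLICY_JS = """\
var identity = $evaluation.getContext().getIdentity();
if (identity.hasRealmRole('auditor')) {
    $evaluation.grant();
}
"""

def build_policy_jar(policies):
    """Return jar bytes for dicts with 'name', 'fileName', 'source' and optional 'description'."""
    entries, seen = [], set()
    for p in policies:
        file_name = p["fileName"]
        parts = PurePosixPath(file_name).parts
        # Reject names that would escape the archive root or are not scripts.
        if file_name.startswith("/") or ".." in parts or "\\" in file_name or not file_name.endswith(".js"):
            raise ValueError(f"unsafe or non-JS fileName: {file_name!r}")
        if file_name in seen or not p["source"].strip():
            raise ValueError(f"duplicate or empty script: {file_name!r}")
        seen.add(file_name)
        entries.append({"name": p["name"], "fileName": file_name,
                        "description": p.get("description", "")})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(DESCRIPTOR, json.dumps({"policies": entries}, indent=2))
        for p in policies:
            jar.writestr(p["fileName"], p["source"])
    return buf.getvalue()

def read_descriptor(jar_bytes):
    """Re-open the jar and confirm every script the descriptor names is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        descriptor = json.loads(jar.read(DESCRIPTOR))
        names = set(jar.namelist())
    missing = [e["fileName"] for e in descriptor["policies"] if e["fileName"] not in names]
    if missing:
        raise ValueError(f"descriptor references missing scripts: {missing}")
    return descriptor

if __name__ == "__main__":
    jar_bytes = build_policy_jar([{"name": "Auditor only", "fileName": "auditor-policy.js",
                                   "source": SAMPLE_POLICY_JS}])
    with open("auditor-policy.jar", "wb") as fh:
        fh.write(jar_bytes)
    print(read_descriptor(jar_bytes))
```

Running the file writes `auditor-policy.jar` to the current directory; the pre-flight check catches a descriptor that names a missing script before the slower container build and evaluator steps.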
