elytron-oidc-client and roles


Joshua Tolley
Jul 6, 2022, 12:36:09 PM
to WildFly
My application authenticates successfully with elytron-oidc-client, but I'd like to ignore the roles coming from OIDC, and instead have the application look up the user credential in its own database and refer to the roles stored there. This will allow our users to continue managing user permissions within the application, in an interface they're accustomed to. But I don't know how to do it. A role mapper, perhaps? An event listener? WildFly's documentation says elytron-oidc-client uses a "virtual security domain", so I'm not sure where I'd put the role mapper, or event listener, or whatever, to make it work. Suggestions are welcome; thanks in advance.
... Josh

Joshua Tolley
Jul 6, 2022, 3:38:58 PM
to WildFly
On Wednesday, July 6, 2022 at 11:36:09 AM UTC-5 Joshua Tolley wrote:
> My application authenticates successfully with elytron-oidc-client, but I'd like to ignore the roles coming from OIDC, and instead have the application look up the user credential in its own database and refer to the roles stored there. This will allow our users to continue managing user permissions within the application, in an interface they're accustomed to. But I don't know how to do it. A role mapper, perhaps? An event listener? WildFly's documentation says elytron-oidc-client uses a "virtual security domain", so I'm not sure where I'd put the role mapper, or event listener, or whatever, to make it work. Suggestions are welcome; thanks in advance.
> ... Josh

It seems possible I can use the Keycloak adapter instead of elytron-oidc-client, and attach a role decoder to the KeycloakDomain it creates. Perhaps I could do the same using elytron-oidc-client, but I haven't found the way yet.

Joshua Tolley
Jul 6, 2022, 9:54:49 PM
to WildFly
> It seems possible I can use the Keycloak adapter instead of elytron-oidc-client, and attach a role decoder to the KeycloakDomain it creates. Perhaps I could do the same using elytron-oidc-client, but I haven't found the way yet.

I guess not. Now that I've got a basic role decoder running and have begun examining the AuthorizationIdentity object it's provided, I see that it only gets the user's roles, not the username or other identifier, so I can't use it to look up the roles in the database. Back to the drawing board...

Farah Juma
Jul 7, 2022, 10:15:06 AM
to WildFly
OpenID Connect is meant to be used for authentication purposes; authorization isn't part of the spec. The elytron-oidc-client subsystem makes use of a virtual security domain, so it's not currently possible to configure an additional role decoder. However, it is possible to make use of any roles from the access token.

Joshua Tolley
Jul 7, 2022, 10:21:56 AM
to Farah Juma, WildFly
On Thu, Jul 7, 2022, 09:15 Farah Juma <fj...@redhat.com> wrote:
> OpenID Connect is meant to be used for authentication purposes; authorization isn't part of the spec. The elytron-oidc-client subsystem makes use of a virtual security domain, so it's not currently possible to configure an additional role decoder. However, it is possible to make use of any roles from the access token.

Thanks for your response. What I'd like is to ignore any roles coming from the access token or anywhere else in the OIDC process, and fetch the roles from a database instead, after authentication completes. I can write an object to do that, but I don't know where to put the code for it, so that it will run after authentication.

Joshua Tolley
Jul 8, 2022, 5:08:07 PM
to WildFly
On Thursday, July 7, 2022 at 9:21:56 AM UTC-5 Joshua Tolley wrote:
> What I'd like is to ignore any roles coming from the access token or anywhere else in the OIDC process, and fetch the roles from a database instead, after authentication completes. I can write an object to do that, but I don't know where to put the code for it, so that it will run after authentication.

More experimentation, more failures. As expected, with the elytron-oidc-client I can't configure the security realm, or role mappers, or any other Elytron components, because of the virtual security domain it uses. I tried using the Keycloak adapter as well. I created a JDBC realm to load attributes for a security identity, made a new aggregate realm using KeycloakOIDCRealm for its authentication realm, and both KeycloakOIDCRealm and my new JDBC realm as authorization realms. I used this aggregate realm in the KEYCLOAK mechanism in the keycloak-http-authentication factory, and as the target of the keycloak-oidc-realm-mapper, and now I get "User does not exist" errors all the time. I don't see any evidence that the query in my JDBC realm is ever being run, so I'm confident it's not a problem with that realm. I don't really have any idea what to do next.
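For readers trying to reproduce the Keycloak-adapter setup described in the post above, here is that configuration written out as a jboss-cli batch. This is an added example, not something posted in the thread: the realm name app-roles-realm, the data source AppDS, the table and column names, and the role-decoder name are assumptions, while KeycloakOIDCRealm, KeycloakDomain, keycloak-oidc-realm-mapper and keycloak-http-authentication are the resources named in the post, which the Keycloak adapter's own install script creates, so they are modified here rather than added. It reproduces the setup as described; it does not resolve the "User does not exist" error reported above.

```jboss-cli
# Added example (not from the thread). Realm, data-source, table and column
# names are assumptions; the Keycloak* resources are created by the adapter.
batch

# 1. JDBC realm that supplies only attributes: the application's own role table.
#    The single '?' receives the principal name produced by the authentication realm.
/subsystem=elytron/jdbc-realm=app-roles-realm:add(principal-query=[{ \
    sql="SELECT r.role_name FROM app_user u JOIN app_user_role r ON r.user_id = u.id WHERE u.username = ?", \
    data-source=AppDS, \
    attribute-mapping=[{index=1, to=roles}]}])

# 2. Aggregate realm: authenticate against the Keycloak OIDC realm, then
#    merge attributes from both it and the JDBC realm.
/subsystem=elytron/aggregate-realm=keycloak-plus-db:add( \
    authentication-realm=KeycloakOIDCRealm, \
    authorization-realms=[KeycloakOIDCRealm, app-roles-realm])

# 3. Turn the "roles" attribute loaded by the JDBC realm into Elytron roles.
/subsystem=elytron/simple-role-decoder=roles-attribute:add(attribute=roles)

# 4. Point the adapter's domain, realm mapper and KEYCLOAK mechanism at the
#    aggregate realm instead of KeycloakOIDCRealm directly.
/subsystem=elytron/security-domain=KeycloakDomain:write-attribute(name=realms, \
    value=[{realm=keycloak-plus-db, role-decoder=roles-attribute}])
/subsystem=elytron/security-domain=KeycloakDomain:write-attribute(name=default-realm, value=keycloak-plus-db)
/subsystem=elytron/constant-realm-mapper=keycloak-oidc-realm-mapper:write-attribute(name=realm-name, value=keycloak-plus-db)
/subsystem=elytron/http-authentication-factory=keycloak-http-authentication:write-attribute(name=mechanism-configurations, \
    value=[{mechanism-name=KEYCLOAK, mechanism-realm-configurations=[{realm-name=keycloak-plus-db}]}])

run-batch
```

Two things worth checking when a setup like this fails the way the post describes: the JDBC query is only ever reached if the aggregate realm actually receives the identity, and the name bound to the '?' is whatever principal the authentication realm produced, so the username column must hold the same form of identifier (for example the OIDC subject versus a preferred username). Enabling TRACE logging on the org.wildfly.security category shows which realm handled the identity and whether the authorization realms were consulted at all.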

Joshua Tolley
Jul 8, 2022, 5:31:43 PM
to WildFly
One option seems to be to write a UserFederatedStorageProvider, so that once Keycloak authenticates a user, it can look up the roles from my application's database, but that seems like a lot of extra work, and I would certainly prefer not to have to link Keycloak to my application database.

Joshua Tolley
Jul 11, 2022, 4:41:44 PM
to WildFly
I've probably brought up too many topics that are outside the scope of this group, and I apologize; I'll contain my conversation better in the future.

If OpenID Connect isn't used for authorization, I guess I need to write my own code to handle looking up user roles. That's fine; but can someone tell me where I should plug it in? I can't find a suitable place. Thanks.
-- Josh