The English version of quarkus.io is the official project site. Translated sites are community supported on a best-effort basis.

Using OpenID Connect (OIDC) and Keycloak to centralize authorization

Learn how to enable bearer token authorization in your Quarkus application using Keycloak Authorization Services for secure access to protected resources.

The quarkus-keycloak-authorization extension relies on quarkus-oidc. It includes a policy enforcer that regulates access to secured resources. Access is governed by permissions set in Keycloak. Currently, this extension is compatible solely with Quarkus OIDC service applications.

It provides a flexible and dynamic authorization capability based on Resource-Based Access Control.

Rather than explicitly enforcing access through specific mechanisms such as role-based access control (RBAC), quarkus-keycloak-authorization determines request permissions based on resource attributes such as name, identifier, or Uniform Resource Identifier (URI). This process involves sending a quarkus-oidc-verified bearer access token to Keycloak Authorization Services for an authorization decision.

Use quarkus-keycloak-authorization only if you work with Keycloak and have Keycloak Authorization Services enabled to make authorization decisions. Use quarkus-oidc if you do not work with Keycloak or work with Keycloak but do not have its Keycloak Authorization Services enabled to make authorization decisions.

By shifting authorization responsibilities outside your application, you enhance security through various access control methods while eliminating the need for frequent re-deployments whenever security needs evolve. In this case, Keycloak acts as a centralized authorization hub, managing your protected resources and their corresponding permissions effectively.

For more information, see the OIDC Bearer token authentication guide. It is important to realize that the Bearer token authentication mechanism does the authentication and creates a security identity. Meanwhile, the quarkus-keycloak-authorization extension applies a Keycloak Authorization Policy to this identity based on the current request path and other policy settings.

先决条件

完成这个指南,你需要:

  • 大概15分钟

  • 编辑器

  • JDK 17+ installed with JAVA_HOME configured appropriately

  • Apache Maven 3.9.6

  • A working container runtime (Docker or Podman)

  • 如果你愿意的话,还可以选择使用Quarkus CLI

  • 如果你想构建原生可执行程序,可以选择安装Mandrel或者GraalVM,并正确配置(或者使用Docker在容器中进行构建)

  • jq工具

  • Keycloak

架构

In this example, we build a very simple microservice that offers two endpoints:

  • /api/users/me

  • /api/admin

These endpoints are protected. Access is granted only when a client sends a bearer token with the request. This token must be valid, having a correct signature, expiration date, and audience. Additionally, the microservice must trust the token.

The bearer token is issued by a Keycloak server and represents the subject for which the token was issued. For being an OAuth 2.0 Authorization Server, the token also references the client acting on behalf of the user.

The /api/users/me endpoint can be accessed by any user with a valid token. As a response, it returns a JSON document with details about the user obtained from the information carried on the token. This endpoint is protected with RBAC, and only users granted with the user role can access this endpoint.

The /api/admin endpoint is protected with RBAC, and only users granted the admin role can access it.

This is a very simple example of using RBAC policies to govern access to your resources. However, Keycloak supports other policies that you can use to perform even more fine-grained access control. By using this example, you’ll see that your application is completely decoupled from your authorization policies, with enforcement purely based on the accessed resource.

解决方案

我们建议您按照下一节的说明逐步创建应用程序。然而,您可以直接转到已完成的示例。

克隆 Git 仓库。 git clone https://github.com/quarkusio/quarkus-quickstarts.git ,或者下载一个 存档

The solution is in the security-keycloak-authorization-quickstart directory.

Creating the project

首先,我们需要一个新的工程项目。用以下命令创建一个新项目:

CLI
quarkus create app org.acme:security-keycloak-authorization-quickstart \
    --extension='oidc,keycloak-authorization,resteasy-reactive-jackson' \
    --no-code
cd security-keycloak-authorization-quickstart

创建Grade项目,请添加 --gradle 或者 --gradle-kotlin-dsl 参数。

For more information about how to install and use the Quarkus CLI, see the Quarkus CLI guide.

Maven
mvn io.quarkus.platform:quarkus-maven-plugin:3.8.3:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=security-keycloak-authorization-quickstart \
    -Dextensions='oidc,keycloak-authorization,resteasy-reactive-jackson' \
    -DnoCode
cd security-keycloak-authorization-quickstart

创建Grade项目,请添加 -DbuildTool=gradle 或者 -DbuildTool=gradle-kotlin-dsl 参数。

For Windows users:

  • If using cmd, (don’t use backward slash \ and put everything on the same line)

  • If using Powershell, wrap -D parameters in double quotes e.g. "-DprojectArtifactId=security-keycloak-authorization-quickstart"

This command generates a project, importing the keycloak-authorization extension. This extension implements a Keycloak Adapter for Quarkus applications and provides all the necessary capabilities to integrate with a Keycloak server and perform bearer token authorization.

如果您已经配置了Quarkus项目,您可以通过在项目根目录中执行以下命令将 oidckeycloak-authorization 扩展添加到您的项目中:

CLI
quarkus extension add oidc,keycloak-authorization
Maven
./mvnw quarkus:add-extension -Dextensions='oidc,keycloak-authorization'
Gradle
./gradlew addExtension --extensions='oidc,keycloak-authorization'

This adds the following dependencies to your build file:

pom.xml
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-oidc</artifactId>
</dependency>
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-keycloak-authorization</artifactId>
</dependency>
build.gradle
implementation("io.quarkus:quarkus-oidc")
implementation("io.quarkus:quarkus-keycloak-authorization")

Let’s start by implementing the /api/users/me endpoint. As you can see in the following source code, it is a regular Jakarta REST resource:

package org.acme.security.keycloak.authorization;

import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

import org.jboss.resteasy.reactive.NoCache;

import io.quarkus.security.identity.SecurityIdentity;

@Path("/api/users")
public class UsersResource {

    @Inject
    SecurityIdentity identity;

    @GET
    @Path("/me")
    @NoCache
    public User me() {
        return new User(identity);
    }

    public static class User {

        private final String userName;

        User(SecurityIdentity identity) {
            this.userName = identity.getPrincipal().getName();
        }

        public String getUserName() {
            return userName;
        }
    }
}

/api/admin 节点的源代码也非常简单:

package org.acme.security.keycloak.authorization;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.security.Authenticated;

@Path("/api/admin")
@Authenticated
public class AdminResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String admin() {
        return "granted";
    }
}

Be aware that we have not defined annotations such as @RolesAllowed to explicitly enforce access to a resource. Instead, the extension is responsible for mapping the URIs of the protected resources in Keycloak and evaluating the permissions accordingly, granting or denying access depending on the permissions granted by Keycloak.

配置应用

The OpenID Connect extension allows you to define the adapter configuration by using the application.properties file, which is usually located in the src/main/resources directory.

# OIDC Configuration
%prod.quarkus.oidc.auth-server-url=https://localhost:8543/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.oidc.tls.verification=none

# Enable Policy Enforcement
quarkus.keycloak.policy-enforcer.enable=true

# Tell Dev Services for Keycloak to import the realm file
# This property is not effective when running the application in JVM or native modes
quarkus.keycloak.devservices.realm-path=quarkus-realm.json
Adding a %prod. profile prefix to quarkus.oidc.auth-server-url ensures that Dev Services for Keycloak launches a container for you when the application is run in dev mode. For more information, see the Running the application in Dev mode section.
By default, applications that use the quarkus-oidc extension are marked as a service type application (see quarkus.oidc.application-type). This extension also supports only web-app type applications but only if the access token returned as part of the authorization code grant response is marked as a source of roles: quarkus.oidc.roles.source=accesstoken (web-app type applications check ID token roles by default).

Starting and configuring the Keycloak server

Do not start the Keycloak server when you run the application in dev mode. Dev Services for Keycloak launches a container. For more information, see the Running the application in Dev mode section.

To start a Keycloak server, use the following Docker command:

docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8543:8443 -v "$(pwd)"/config/keycloak-keystore.jks:/etc/keycloak-keystore.jks quay.io/keycloak/keycloak:{keycloak.version} start  --hostname-strict=false --https-key-store-file=/etc/keycloak-keystore.jks

where keycloak.version must be 23.0.0 or later and the keycloak-keystore.jks can be found in quarkus-quickstarts/security-keycloak-authorization-quickstart/config.

Try to access your Keycloak server at localhost:8543.

To access the Keycloak Administration Console, log in as the admin user. The username and password are both admin.

Import the realm configuration file to create a new realm. For more details, see the Keycloak documentation about how to create a new realm.

导入realm后,您可以看到资源的权限:

Keycloak Authorization Permissions

这解释了为什么节点没有 @RolesAllowed 注解—​资源访问权限是直接在Keycloak中设置的。

Running the application in dev mode

要在开发模式下运行应用程序,请使用:

CLI
quarkus dev
Maven
./mvnw quarkus:dev
Gradle
./gradlew --console=plain quarkusDev

Dev Services for Keycloak launches a Keycloak container and imports a quarkus-realm.json.

Open a Dev UI available at /q/dev-ui and click a Provider: Keycloak link in an OpenID Connect Dev UI card.

When asked to log in to a Single Page Application provided by OpenID Connect Dev UI:

  • Log in as alice (password: alice), who only has a User Permission to access the /api/users/me resource:

    • Access /api/admin, which returns 403.

    • Access /api/users/me, which returns 200.

  • Log out and log in as admin (password: admin), who has both Admin Permission to access the /api/admin resource and User Permission to access the /api/users/me resource:

    • Access /api/admin, which returns 200.

    • Access /api/users/me, which returns 200.

If you have started Dev Services for Keycloak without importing a realm file such as quarkus-realm.json that is already configured to support Keycloak Authorization, create a default quarkus realm without Keycloak authorization policies. In this case, you must select the Keycloak Admin link in the OpenId Connect Dev UI card and configure Keycloak Authorization Services in the default quarkus realm.

The Keycloak Admin link is easy to find in Dev UI:

Dev UI OpenID Connect Card

When logging into the Keycloak admin console, the username and password are both admin.

If your application uses Keycloak authorization configured with JavaScript policies that are deployed in a JAR file, you can set up Dev Services for Keycloak to transfer this archive to the Keycloak container. For instance:

quarkus.keycloak.devservices.resource-aliases.policies=/policies.jar (1)
quarkus.keycloak.devservices.resource-mappings.policies=/opt/keycloak/providers/policies.jar (2)
1 policies alias is created for the /policies.jar classpath resource. Policy archive can also be located in the file system.
2 The policies archive is mapped to the /opt/keycloak/providers/policies.jar container location.

Running the application in JVM mode

After exploring the application in dev mode, you can run it as a standard Java application.

首先编译它:

CLI
quarkus build
Maven
./mvnw install
Gradle
./gradlew build

然后运行它:

java -jar target/quarkus-app/quarkus-run.jar

Running the application in native mode

This same demo can be compiled into native code; no modifications are required.

This implies that you no longer need to install a JVM on your production environment because the runtime technology is included in the produced binary and optimized to run with minimal resources.

Compilation takes a bit longer, so this step is turned off by default; let’s build again by enabling the native profile:

CLI
quarkus build --native
Maven
./mvnw install -Dnative
Gradle
./gradlew build -Dquarkus.package.type=native

After a while, you can run this binary directly:

./target/security-keycloak-authorization-quickstart-runner

Testing the application

See the preceding Running the application in Dev mode section about testing your application in a dev mode.

You can test the application launched in JVM or native modes with curl.

The application uses bearer token authorization, and the first thing to do is obtain an access token from the Keycloak server to access the application resources:

export access_token=$(\
    curl --insecure -X POST https://localhost:8543/realms/quarkus/protocol/openid-connect/token \
    --user backend-service:secret \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d 'username=alice&password=alice&grant_type=password' | jq --raw-output '.access_token' \
 )

The preceding example obtains an access token for user alice.

Any user is allowed to access the http://localhost:8080/api/users/me endpoint, which returns a JSON payload with details about the user.

curl -v -X GET \
  http://localhost:8080/api/users/me \
  -H "Authorization: Bearer "$access_token

The http://localhost:8080/api/admin endpoint can only be accessed by users with the admin role. If you try to access this endpoint with the previously issued access token, you get a 403 response from the server.

 curl -v -X GET \
   http://localhost:8080/api/admin \
   -H "Authorization: Bearer "$access_token

To access the admin endpoint, get a token for the admin user:

export access_token=$(\
    curl --insecure -X POST https://localhost:8543/realms/quarkus/protocol/openid-connect/token \
    --user backend-service:secret \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d 'username=admin&password=admin&grant_type=password' | jq --raw-output '.access_token' \
 )

Injecting the authorization client

In some cases, using the Keycloak Authorization Client Java API is beneficial for tasks such as managing resources and obtaining permissions directly from Keycloak. For this purpose, you can inject an AuthzClient instance into your beans as follows:

public class ProtectedResource {
    @Inject
    AuthzClient authzClient;
}
If you want to use the AuthzClient directly, set quarkus.keycloak.policy-enforcer.enable=true; otherwise, no bean is available for injection.

Mapping protected resources

By default, the extension fetches resources on-demand from Keycloak, using their URI to identify and map the resources in your application that need to be protected.

To disable this on-demand fetching and instead pre-load resources at startup, apply the following configuration setting:

quarkus.keycloak.policy-enforcer.lazy-load-paths=false

The time required to pre-load resources from Keycloak at startup varies based on their quantity, potentially affecting your application’s initial load time."

More about configuring protected resources

In the default configuration, Keycloak manages the roles and decides who can access which routes.

To configure the protected routes by using the @RolesAllowed annotation or the application.properties file, check the OpenID Connect (OIDC) Bearer token authentication and Authorization of web endpoints guides. For more details, check the Quarkus Security overview.

Access to public resources

To enable access to a public resource without the quarkus-keycloak-authorization applying its policies, create a permit HTTP Policy configuration in application.properties. For more information, see the Authorization of web endpoints guide.

There’s no need to deactivate policy checks for a Keycloak Authorization Policy with settings such as these:

quarkus.keycloak.policy-enforcer.paths.1.path=/api/public
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED

To block access to the public resource to anonymous users, you can create an enforcing Keycloak Authorization Policy:

quarkus.keycloak.policy-enforcer.paths.1.path=/api/public-enforcing
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING

Only the default tenant configuration applies when controlling anonymous access to the public resource is required.

Checking permission scopes programmatically

In addition to resource permissions, you can specify method scopes. The scope usually represents an action that can be performed on a resource. You can create an enforcing Keycloak Authorization Policy with a method scope. For example:

# path policy with enforced scope 'read' for method 'GET'
quarkus.keycloak.policy-enforcer.paths.1.name=Scope Permission Resource
quarkus.keycloak.policy-enforcer.paths.1.path=/api/protected/standard-way
quarkus.keycloak.policy-enforcer.paths.1.methods.get.method=GET
quarkus.keycloak.policy-enforcer.paths.1.methods.get.scopes=read (1)

# path policies without scope
quarkus.keycloak.policy-enforcer.paths.2.name=Scope Permission Resource
quarkus.keycloak.policy-enforcer.paths.2.path=/api/protected/programmatic-way
quarkus.keycloak.policy-enforcer.paths.3.name=Scope Permission Resource
quarkus.keycloak.policy-enforcer.paths.3.path=/api/protected/annotation-way
1 User must have resource permission 'Scope Permission Resource' and scope 'read'

The Keycloak Policy Enforcer now secures the /api/protected/standard-way request path, eliminating the need for additional annotations such as @RolesAllowed. However, in certain scenarios, a programmatic check is necessary. You can achieve this by injecting a SecurityIdentity instance into your beans, as shown in the following example. Or, you can get the same result by annotating the resource method with @PermissionsAllowed. The following example demonstrates three resource methods, each requiring the same read scope:

import java.security.BasicPermission;
import java.util.List;

import jakarta.inject.Inject;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

import org.keycloak.representations.idm.authorization.Permission;

import io.quarkus.security.PermissionsAllowed;
import io.quarkus.security.identity.SecurityIdentity;
import io.smallrye.mutiny.Uni;

@Path("/api/protected")
public class ProtectedResource {

    @Inject
    SecurityIdentity identity;

    @GET
    @Path("/standard-way")
    public Uni<List<Permission>> standardWay() { (1)
        return Uni.createFrom().item(identity.<List<Permission>> getAttribute("permissions"));
    }

    @GET
    @Path("/programmatic-way")
    public Uni<List<Permission>> programmaticWay() {
        var requiredPermission = new BasicPermission("Scope Permission Resource") {
            @Override
            public String getActions() {
                return "read";
            }
        };
        return identity.checkPermission(requiredPermission).onItem() (2)
                .transform(granted -> {
                    if (granted) {
                        return identity.getAttribute("permissions");
                    }
                    throw new ForbiddenException();
                });
    }

    @PermissionsAllowed("Scope Permission Resource:read") (3)
    @GET
    @Path("/annotation-way")
    public Uni<List<Permission>> annotationWay() {
        return Uni.createFrom().item(identity.<List<Permission>> getAttribute("permissions"));
    }
}
1 Request sub-path /standard-way requires both resource permission and scope read according to the configuration properties we previously set in the application.properties.
2 Request sub-path /programmatic-way only requires permission Scope Permission Resource, but we can enforce scope with SecurityIdentity#checkPermission.
3 The @PermissionsAllowed annotation only grants access to the requests with permission Scope Permission Resource and scope read. For more information, see the section Authorization using annotations of the Security Authorization guide.

多租户

You can set up policy enforcer configurations for each tenant, similar to how it is done with OpenID Connect (OIDC) multi-tenancy.

例如:

quarkus.keycloak.policy-enforcer.enable=true

# Default Tenant
quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=secret

quarkus.keycloak.policy-enforcer.enforcement-mode=PERMISSIVE
quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource
quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission
quarkus.keycloak.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim

# Service Tenant

quarkus.oidc.service-tenant.auth-server-url=${keycloak.url}/realms/quarkus
quarkus.oidc.service-tenant.client-id=quarkus-app
quarkus.oidc.service-tenant.credentials.secret=secret

quarkus.keycloak.service-tenant.policy-enforcer.enforcement-mode=PERMISSIVE
quarkus.keycloak.service-tenant.policy-enforcer.paths.1.name=Permission Resource Service
quarkus.keycloak.service-tenant.policy-enforcer.paths.1.path=/api/permission
quarkus.keycloak.service-tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim


# WebApp Tenant

quarkus.oidc.webapp-tenant.auth-server-url=${keycloak.url}/realms/quarkus
quarkus.oidc.webapp-tenant.client-id=quarkus-app
quarkus.oidc.webapp-tenant.credentials.secret=secret
quarkus.oidc.webapp-tenant.application-type=web-app
quarkus.oidc.webapp-tenant.roles.source=accesstoken

quarkus.keycloak.webapp-tenant.policy-enforcer.enforcement-mode=PERMISSIVE
quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.name=Permission Resource WebApp
quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.path=/api/permission
quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim

Configuration reference

This configuration adheres to the official [Keycloak Policy Enforcer Configuration](https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_filter) guidelines. For detailed insights into various configuration options, see the following documentation:

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property

类型

默认

Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled

Environment variable: QUARKUS_KEYCLOAK_CONNECTION_POOL_SIZE

Show more

int

20

Specifies how policies are enforced.

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_ENFORCEMENT_MODE

Show more

permissive, enforcing, disabled

enforcing

Defines the limit of entries that should be kept in the cache

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATH_CACHE_MAX_ENTRIES

Show more

int

1000

Defines the time in milliseconds when the entry should be expired

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATH_CACHE_LIFESPAN

Show more

long

30000

Specifies how the adapter should fetch the server for resources associated with paths in your application. If true, the policy enforcer is going to fetch resources on-demand accordingly with the path being requested

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_LAZY_LOAD_PATHS

Show more

boolean

true

Specifies how scopes should be mapped to HTTP methods. If set to true, the policy enforcer will use the HTTP method from the current request to check whether access should be granted

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_HTTP_METHOD_AS_SCOPE

Show more

boolean

false

The name of a resource on the server that is to be associated with a given path

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__NAME

Show more

string

A URI relative to the application’s context path that should be protected by the policy enforcer

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__PATH

Show more

string

The name of the HTTP method

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__METHODS__METHODS__METHOD

Show more

string

required

An array of strings with the scopes associated with the method

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__METHODS__METHODS__SCOPES

Show more

list of string

required

A string referencing the enforcement mode for the scopes associated with a method

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__METHODS__METHODS__SCOPES_ENFORCEMENT_MODE

Show more

all, any, disabled

all

Specifies how policies are enforced

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__ENFORCEMENT_MODE

Show more

permissive, enforcing, disabled

enforcing

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__CLAIM_INFORMATION_POINT

Map<String,Map<String,Map<String,String>>>

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_PATHS__PATHS__CLAIM_INFORMATION_POINT

Map<String,Map<String,String>>

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_CLAIM_INFORMATION_POINT

Map<String,Map<String,Map<String,String>>>

Environment variable: QUARKUS_KEYCLOAK_POLICY_ENFORCER_CLAIM_INFORMATION_POINT

Map<String,Map<String,String>>

Additional named tenants

类型

默认

Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled

Environment variable: QUARKUS_KEYCLOAK__TENANT__CONNECTION_POOL_SIZE

Show more

int

20

Specifies how policies are enforced.

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_ENFORCEMENT_MODE

Show more

permissive, enforcing, disabled

enforcing

The name of a resource on the server that is to be associated with a given path

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__NAME

Show more

string

A URI relative to the application’s context path that should be protected by the policy enforcer

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__PATH

Show more

string

The name of the HTTP method

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__METHODS__METHODS__METHOD

Show more

string

required

An array of strings with the scopes associated with the method

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__METHODS__METHODS__SCOPES

Show more

list of string

required

A string referencing the enforcement mode for the scopes associated with a method

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__METHODS__METHODS__SCOPES_ENFORCEMENT_MODE

Show more

all, any, disabled

all

Specifies how policies are enforced

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__ENFORCEMENT_MODE

Show more

permissive, enforcing, disabled

enforcing

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__CLAIM_INFORMATION_POINT

Map<String,Map<String,Map<String,String>>>

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATHS__PATHS__CLAIM_INFORMATION_POINT

Map<String,Map<String,String>>

Defines the limit of entries that should be kept in the cache

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATH_CACHE_MAX_ENTRIES

Show more

int

1000

Defines the time in milliseconds when the entry should be expired

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_PATH_CACHE_LIFESPAN

Show more

long

30000

Specifies how the adapter should fetch the server for resources associated with paths in your application. If true, the policy enforcer is going to fetch resources on-demand accordingly with the path being requested

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_LAZY_LOAD_PATHS

Show more

boolean

true

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_CLAIM_INFORMATION_POINT

Map<String,Map<String,Map<String,String>>>

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_CLAIM_INFORMATION_POINT

Map<String,Map<String,String>>

Specifies how scopes should be mapped to HTTP methods. If set to true, the policy enforcer will use the HTTP method from the current request to check whether access should be granted

Environment variable: QUARKUS_KEYCLOAK__TENANT__POLICY_ENFORCER_HTTP_METHOD_AS_SCOPE

Show more

boolean

false

Related content