help request: cannot restrict roles to access apisix routes with keycloak.

[sy-yan]

Description

I want to allow user who has Designated keycloak role to access apisix-dashboard.
And I have read a blog
https://apisix.apache.org/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication/
as guide.
But it seems that the "openid-connect" just allow all keycloak users without restricting roles.
So I wonder if apisix has a way to resolve.

keycloak 15 might allow rolePolicy, but my keycloak server is in version 6.0.

Environment

• APISIX version (run apisix version):3.2.0
• APISIX Dashboard version, if relevant:3.0.0-alpine

[kayx23]

This plugin seems to offer more capabilities with authorization: https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/

[sy-yan]

This plugin offers more capabilities with authorization: https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/

I had seen this plugin too. But I don't know how to configure.
When user access my route , I want that only the user who has "admin" role could access.
Could you provide an example for me ? Thanks a lot.

[monkeyDluffy6017]

@sy-yan have you solved your problem?

[kayx23]

I want to allow user who has Designated keycloak role to access apisix-dashboard.
keycloak 15 might allow rolePolicy, but my keycloak server is in version 6.0.
When user access my route, I want that only the user who has "admin" role could access.

I'm using keycloak v18.x.x so it's hard to tell what goes on in v6.0. Are you positive policy isn't supported? Could you show us your keycloak v6.0 interface?

[kayx23]

@sy-yan Hi - following up to see if this issue is still active? From my understanding, you would enable Authorization for the client and configure role and policy (for RBAC) to a resource.

I tested with keycloak v18 and used authz-keycloak plugin to protect an arbitrary upstream (only clients with role admin can access) and it was working as intended. Most of the configurations would be done on the keycloak side though.

Unfortunately cannot advise on keycloak 6.0

[kayx23]

it seems that the "openid-connect" just allow all keycloak users without restricting roles.

As for openid-connect, I played around but also wasn't able to make RBAC works. This might be of interest for you: zmartzone/lua-resty-openidc#222

Alternative to role-based access control, you could implement scope-based access control with required_scope: #10493

[github-actions]

Due to lack of the reporter's response this issue has been labeled with "no response". It will be close in 3 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

[github-actions]

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.