kayx23 commented on issue #9256: URL: https://github.com/apache/apisix/issues/9256#issuecomment-1872404571
> I would like to obtain the exact opposite behavior and manage a browser login guided by this specific plugin that also supports the PEP policy.
>
> It is not clear to me from the plugin documentation if and how it is possible to achieve this result.

I just tried to implement RBAC in Keycloak and use it with the `openid-connect` plugin, but it didn't work out. I suspect it is not supported currently and found a related conversation here: https://github.com/zmartzone/lua-resty-openidc/issues/222

Here's how I set up Keycloak:

* create realm, client, and user
* enable Authorization in the client
* create a realm role called `admin`
* create a resource and configure it with the URI I want to protect (same as the route URI) under Authorization
* create a role-based policy that requires the previously created realm role `admin`
* create a resource-based permission that maps the policy to the resource
* map the realm role `admin` to the user

So if a user doesn't have the realm role `admin`, one could expect the access to be denied. In my testing, the request still went through even when the user doesn't have the realm role `admin`. I'm just documenting what I have attempted here for future reference.

As an alternative, we could perhaps leverage scope-based access control with `required_scope`: https://github.com/apache/apisix/pull/10493
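The decision the commenter expected the gateway to make, as an added example that is not code from APISIX, lua-resty-openidc or this thread: after Keycloak issues an access token, deny the request unless the token carries the realm role `admin` (the RBAC setup above), or, for the scope-based alternative, unless every required scope is present. It assumes signature and expiry verification have already been done upstream (the plugin does that against the discovery document), so only the verified claims are inspected; the tokens and claim values are constructed samples.

```python
import base64
import json

# Added example, not project code. Signature/expiry checks are assumed to
# have happened before these functions see the token.

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def payload_claims(token: str) -> dict:
    """Return the claims of an already-verified compact JWT (header.payload.sig)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def realm_roles(claims: dict) -> set:
    """Keycloak places realm roles under realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))

def granted_scopes(claims: dict) -> set:
    """The scope claim is a space-separated string."""
    return set(claims.get("scope", "").split())

def authorize(claims: dict, required_role=None, required_scopes=()) -> bool:
    """Deny unless the required realm role and all required scopes are present."""
    if required_role is not None and required_role not in realm_roles(claims):
        return False
    return set(required_scopes) <= granted_scopes(claims)

def constructed_token(claims: dict) -> str:
    """Build an UNSIGNED token for offline testing only (constructed sample)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed claim sets mirroring the thread: one user mapped to the realm
# role "admin", one without it.
ADMIN_CLAIMS = {"sub": "alice", "scope": "openid profile email",
                "realm_access": {"roles": ["admin", "default-roles-demo"]}}
PLAIN_CLAIMS = {"sub": "bob", "scope": "openid profile",
                "realm_access": {"roles": ["default-roles-demo"]}}

if __name__ == "__main__":
    for claims in (ADMIN_CLAIMS, PLAIN_CLAIMS):
        c = payload_claims(constructed_token(claims))
        print(c["sub"], "role check:", authorize(c, required_role="admin"),
              "scope check:", authorize(c, required_scopes=["email"]))
```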
