idci-consulting / idcikeycloaksecuritybundle Goto Github PK

View Code? Open in Web Editor NEW

43.0 6.0 43.0 4.4 MB

License: Other

PHP 94.93% Makefile 3.56% Dockerfile 1.51%

idcikeycloaksecuritybundle's Introduction

IDCI Keycloak Security Bundle

This Symfony bundle is an alternative solution to FOSUserBundle, working with keycloak.

For symfony 2/3/4 use version 1.2.0 For symfony 5+ use version 2.0.0 or +

Installation

With composer:

$ composer require idci/keycloak-security-bundle

Configuration

If you want to set up keycloak locally you can download it here and follow instructions from the official documentation. In case that you want to use keycloak in docker go directly to configuration for Docker.

Bundle configuration

Basic

In case of you already have keycloak running locally on your machine or is running remotely but without proxy, here is the default configuration you should use:

# config/packages/idci_keycloak_security.yaml
idci_keycloak_security:
    server_url: '%env(resolve:KEYCLOAK_SERVER_BASE_URL)%'
    server_public_url: '%env(resolve:KEYCLOAK_SERVER_PUBLIC_BASE_URL)%'
    server_private_url: '%env(resolve:KEYCLOAK_SERVER_PRIVATE_BASE_URL)%'
    realm: '%env(resolve:KEYCLOAK_REALM)%'
    client_id: '%env(resolve:KEYCLOAK_CLIENT_ID)%'
    client_secret: '%env(resolve:KEYCLOAK_CLIENT_SECRET)%'
    default_target_route_name: 'app_home'
    ssl_verification: true

Docker

If you want to use keycloak in docker you can base your stack on this sample.

Here is a stack example configuration for docker swarm:

# config/packages/idci_keycloak_security.yaml
idci_keycloak_security:
    server_public_url: 'http://keycloak.docker' # your keycloak url accessible via your navigator
    server_private_url: 'http://keycloak:8080' # your keycloak container reference in the network
    realm: 'MyRealm'
    client_id: 'my-client'
    client_secret: '21d4cc5c-9ed6-4bf8-8528-6d659b66f216'
    default_target_route_name: 'home' # The route you will be redirected to after sign in

Make sure that your php container in the container is attached to a network with keycloak, otherwise it will not be able to resolve "http://keycloak:8080/auth" and the public_server_url must be accessible through the port 80 because keycloak verify the issuer.

NOTE: The keycloak api endpoint as change, so if you used an old version, add the /auth to you url:

idci_keycloak_security:
    server_public_url: 'http://keycloak.docker/auth'
    server_private_url: 'http://keycloak:8080/auth'

Route configuration

Create a new file in config/routes/ to load pre configured bundle routes.

# config/routes/idci_keycloak_security.yaml
IDCIKeycloakSecurityBundle:
    resource: "@IDCIKeycloakSecurityBundle/Resources/config/routing.yaml"
    prefix: /

This will add the following routes to your application:

idci_keycloak_security_auth_connect       => /auth/connect/keycloak
idci_keycloak_security_auth_connect_check => /auth/connect-check/keycloak
idci_keycloak_security_auth_logout        => /auth/logout
idci_keycloak_security_auth_account       => /auth/account

Symfony security configuration

To link keycloak with symfony you must configure your application security file.

Here is a simple configuration that restrict access to /* routes only to user with roles "ROLE_USER" or "ROLE_ADMIN" :

# config/packages/security.yaml
imports:
    # Import Keycloak security providers
    - { resource: '@IDCIKeycloakSecurityBundle/Resources/config/security.yaml' }

security:

    enable_authenticator_manager: true
    firewalls:

        # This route create the OAuth 2 "User Authorization Request" and must be accessible for unauthenticated users
        auth_connect:
            pattern: /auth/connect/keycloak
            security: false

        # Here is an example to protect your application (API) using OAuth 2 Client Credentials Flow (JWT with Bearer token authentication)
        api:
            pattern: ^/api
            provider: idci_keycloak_bearer_security_provider
            entry_point: IDCI\Bundle\KeycloakSecurityBundle\Security\EntryPoint\BearerAuthenticationEntryPoint
            custom_authenticators:
                - IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakBearerAuthenticator

        # Here is an example to protect your application (UI) using OAuth 2 Authorization Code Flow
        secured_area:
            pattern: ^/
            provider: idci_keycloak_security_provider
            entry_point: IDCI\Bundle\KeycloakSecurityBundle\Security\EntryPoint\AuthenticationEntryPoint
            custom_authenticators:
                - IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakAuthenticator
            logout:
                path: idci_keycloak_security_auth_logout

    role_hierarchy:
        ROLE_ADMIN: ROLE_USER

    access_control:
        # This following ROLES must be configured in your Keycloak client
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/api, roles: ROLE_API }

Note: If you wish to secure your application using OAuth 2 Authorization Code Flow for route starting with /admin, you will have to put the provided bundle routes behind the firewall, so here is an example on how to do this:

    ...

        secured_area:
            pattern: ^/(admin|auth)
            provider: idci_keycloak_security_provider
            entry_point: IDCI\Bundle\KeycloakSecurityBundle\Security\EntryPoint\AuthenticationEntryPoint
            custom_authenticators:
                - IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakAuthenticator
            logout:
                path: idci_keycloak_security_auth_logout

    ...

Keycloak configuration

If you need help to use keycloak because it is the first time you work on it, we've made a little tutorial step by step describing a basic configuration of a keycloak realm:

Logout

To logout users, use the route 'idci_keycloak_security_auth_logout':

<a href="{{ url('idci_keycloak_security_auth_logout') }}">Logout</a>

Keycloak user account space

If you wants to provide a link to access keycloak user account space, use the route 'idci_keycloak_security_auth_account':

<a href="{{ url('idci_keycloak_security_auth_account') }}">Account</a>

idcikeycloaksecuritybundle's People

Contributors

Stargazers

Watchers

idcikeycloaksecuritybundle's Issues

Access without form authentication

The login form is not presented and the route is accessed without authentication.
I'm using symfony 4.4 and docker quay.io/keycloak/keycloak:14.0.0

Details:

idci_keycloak_security:
server_public_url: 'http://localhost:8080/auth' # your keycloak url accessible via your navigator
server_private_url: 'http://localhost:8080/auth' # your keycloak container reference in the network
realm: 'Test'
client_id: 'user'
client_secret: 'secret'
default_target_path: 'index' # The route name you will be redirected to after sign in

secured_area:
pattern: ^/dashboard
guard:
provider: idci_keycloak_security_provider
authenticators:
- IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakAuthenticator

Unable to use the bundle with Symfony security

In my security.yaml I am having below entry

    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory: { memory: ~ }
    firewalls:
        statesapi:
            pattern: ^/states/
            guard:
                provider: idci_keycloak_bearer_security_provider
                authenticators:
                    - IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakBearerAuthenticator

However this throws me below error

Argument 5 passed to Symfony\Component\Security\Http\Firewall\ExceptionListener::__construct() must implement interface Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface or be null, instance of IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakBearerAuthenticator given, called in C:\EF\abc-gateway\symfony\var\cache\dev\ContainerHVUqm4t\getSecurity_Firewall_Map_Context_StatesapiService.php on line 24

Installation with composer KO

I started a blank new Symfony 4.3 project to test an implementation of keycloak with this bundle.

But I don't get what I need to do in order to make it working,
I got an error as I run composer require idci/keycloak-security-bundle

Symfony 7 Ready

Hello Team,

Thanks for this great project. I use it in some projects but now we start a new project with Symfony 7 and unfortunentally the bundle is not compatible with Symfony7. Is it planned to migrate it to S7?

Is it possible to retrive a App\Entity\User

Hello,

I've successfully implemented the bundle, but I couldn't get any relations of my App\Entity\User. Is there a way to retrieve this?

I've tried with a UserProvider, but something doesn't work properly, I guess...

Thanks for your help.

Problem with composer

Hello

Get this problem with composer require idci/keycloak-security-bundle:

Problem 1
- Installation request for idci/keycloak-security-bundle ^1.0 -> satisfiable by idci/keycloak-security-bundle[1.0].
- idci/keycloak-security-bundle 1.0 requires symfony/dependency-injection ^3.3 || ^4.0 -> no matching package found.

Thanks

Deprecated code - Optional parameters declared before required parameters

I get the following warnings when running composer install with Symfony 5.4.9 and PHP 8.1.4

Deprecated: Optional parameter $email declared before required parameter $accountUrl is implicitly treated as a required parameter in /var/www/vendor/idci/keycloak-security-bundle/Security/User/KeycloakUser.php on line 50

Deprecated: Optional parameter $displayName declared before required parameter $accountUrl is implicitly treated as a required parameter in /var/www/vendor/idci/keycloak-security-bundle/Security/User/KeycloakUser.php on line 50

Deprecated: Optional parameter $firstName declared before required parameter $accountUrl is implicitly treated as a required parameter in /var/www/vendor/idci/keycloak-security-bundle/Security/User/KeycloakUser.php on line 50

Deprecated: Optional parameter $lastName declared before required parameter $accountUrl is implicitly treated as a required parameter in /var/www/vendor/idci/keycloak-security-bundle/Security/User/KeycloakUser.php on line 50

Broken link in documentation

The link leading to more information about user exports is currently a 404. I couldn't find the actual page, hence no PR.

Anyway, thanks for providing this bundle! It's awesome!

Unrecognized options "provider_class, provider_options" under "knpu_oauth2_ !! client/clients/keycloak".

checked out copy of base symfony-docker
rolled back symfony version to 6.4 and tried to install this package results in this error as soon as keycloak client config is added to knpu_oauth2_client.yaml

Unrecognized options "provider_class, provider_options" under "knpu_oauth2_
!! client/clients/keycloak". Available options are "auth_server_url", "client_
!! id", "client_secret", "encryption_algorithm", "encryption_key", "encryption
!! _key_path", "realm", "redirect_params", "redirect_route", "use_state", "ver
!! sion".

relevant version from composer.json

    "idci/keycloak-security-bundle": "*",
    "knpuniversity/oauth2-client-bundle": "^2.18",
    "stevenmaguire/oauth2-keycloak": "^5.1",

the issue appears to stem from whats happening in IDCIKeycloakSecurityExtension.generateKeycloakAuthConfiguration

Authorization doesn't work for me, why?

Hello, I tried to install the bundle according to your instructions and to configure the Keycloak accordingly keycloak-help-guide.

When I open my protected route (e.g http://localhost/admin/edit) I am redirected to the keycloak login form as expected.

After the successful login, I am redirected back to the route "app_home", defined in the file idci_keycloak_security.yaml (default_target_path)

After that I still see "Authenticated NO" in the symfony profiler panel. When I try to access the route again (http://localhost/admin/edit) I am immediately forwarded to "app_home".

Local environment with Docker

Nginx: nginx:stable-alpine
PHP: FROM php:7.4-fpm
Symfony 4.4.29
IDCI Keycloak Security Bundle: v1.1.0
Keycloak: FROM jboss/keycloak:15.0.0

What is wrong?
Please help!

Symfony 6.2+ - AbstractGuardAuthenticator

I've the following error from /vendor/idci/keycloak-security-bundle/Security/Authenticator/KeycloakBearerAuthenticator.php (line 15)

Attempted to load class "AbstractGuardAuthenticator" from namespace "Symfony\Component\Security\Guard".    
Did you forget a "use" statement for another namespace?

Supporting Symfony 6

It looks like Symfony 6 is not supported. I've tested and encountered a lot of issues. It looks like the security bundle had a lot of changes.

Supporting Symfony 5

Hello !

I wanted to integrate IDCIKeycloakSecurityBundle in my Symfony 5 but I ran into several problems. The main problem is that the KeycloakUserProvider::loadUserByUsername is invalid with the new ProviderInterface::loadUserByUsername signature introduce in Symfony 5.

To solve this issue, I don"t rely on the userProvider in the method KeycloakAuthenticator::getUser.
Instead, I use this piece of code:

public function getUser($accessToken, UserProviderInterface $userProvider)
    {
        $keycloakClient = $this->getClient();
        $keycloakUser   = $keycloakClient->fetchUserFromToken($accessToken);

        $keycloakUserRawResponse = $keycloakUser->toArray();

        $user = new KeycloakUser(/** params... */);
        return $user;
    }

Obviously this piece of code contains business specific code.

I thought the new Interface was breaking the bundle but actually the implementation should change a bit. I started a discussion on the symfony project about this.

GPL v3

Hi,

am I seeing that correctly, that this bundle is licensed under the GPL v3? This would force me to open source our application when I use this bundle and hence I can't use it.

Authorization not working properly

loadUserByUsername() function in class IDCI\Bundle\KeycloakSecurityBundle\Security\User\KeycloakBearerUserProvider is forcing user to have access to resource with client id name which totally seems to be incorrect.

        if (!$jwt['active'] || !isset($jwt['resource_access'][$provider->getClientId()])) {
            return null;
        }

Example:
Response from my introspection URL is

    "realm_access": {
        "roles": [
            "uma_authorization"
        ]
    },
    "resource_access": {
        "pim-api-dev": {
            "roles": [
                "pim-user"
            ]
        },
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        }
    },
    "clientId": "flprint-test-client",

From the above response it is clear I have access to pim-api-dev resource which is what I want.
Still the authorization fails because code checks for resource with client id name.
Please note it is not necessary that name of the resource would be same as client id name.

I would suggest instead you add new key to config/packages/idci_keycloak_security.yaml as
resource_access and do the resource check only if resource_access is specified with roles
Example

idci_keycloak_security:
  server_url: '%env(OAUTH_KEYCLOAK_SERVER)%' # your accessible keycloak url
  # server_url: 'http://keycloak.example.com/auth' # example with public url
  realm: '%env(OAUTH_KEYCLOAK_RELEAM)%'
  client_id: '%env(OAUTH_KEYCLOAK_CLIENT_ID)%'
  client_secret: '%env(OAUTH_KEYCLOAK_CLIENT_SECRET)%'
  default_target_path: 'app.swagger_ui' # The route name you will be redirected to after sign in
  resource_access:
    - 'pim-api-dev':
        roles:
          - 'pim-user'
          - 'pim-admin'