After testing authentication in Orion with keycloak (Orion APIs authentication through Keycloak) with kong-pep-plugin, I'm interested in the authorization too; in particular, I want to give specific permissions (on path and verb) to users/groups like I used to do with AuthZForce.
Could you help me?
Thank you
sorry that I only see your request right now. This is very much tied to configuring Keycloak, but it is possible, yes. The kong-pep-plugin delegates all decisions to Keycloak's Authorization Serivces and just takes its decision. Thus, you should read the documentation on that: https://www.keycloak.org/docs/latest/authorization_services/index.html
An example (declarative)configuration for allowing different groups to access different paths can be found in the integration-tests:
https://github.com/FIWARE/kong-plugins-fiware/blob/main/it/src/test/k3s/keycloak.yaml#L518-L567
Another, better readable, example is our demo environment:
https://github.com/FIWARE-Ops/fiware-gitops/blob/master/aws/fiware/keycloak/templates/realmConfigMap.yaml#L139-L203
This combination of resources and policies allows the group "consumer" to access the path "/keycloak/ngsi-ld/v1/", while the group "admin" can also access "/keycloak/".
The authorization services allow for much more fine-grained and powerful configurations, so I really recommend the official documentation on it.
Best
As an addition for the GET/POST question:
Thats something you can implement with the javascript policies feature from Keycloak(keycloak.org/docs/latest/authorization_services/…). The kong-plugin forwards the http method as "http.method" claim(see github.com/FIWARE/kong-plugins-fiware/blob/main/kong-pep-plugin/…) An example policy could granting access only for GET requests could look like:
var context = $evaluation.getContext();
var attributes = context.getAttributes();
var method = attributes.getValue('http.method').asString(0);
if (method === 'GET')
{$evaluation.grant();
Combining a resource policy with such a js-policy would give you the access-control you want.