Limit access with Keycloak based on role/group?

[tboerger]

Describe the problem

Is it possible to limit the access based on Vouch and Keycloak as an IdP on roles or groups similar to orgs and teams with the GitHub provider?

Expected behavior

Limiting access based on Keycloak roles or groups

[ShyLionTjmn]

You may request groups claim and put it into headers. Then read them in HTTP request in your app and do whatever you like, based on group membership.

[tboerger]

The app does not provide any option like that. I thought hopefully Vouch supports limitung access based on groups like it's oauth2-proxy doing.

[ShyLionTjmn]

Well, it is not what vouch were designed for, i guess.
But, if you are using Keycloak, you may just fine-tune your realm, i think.

[bnfinet]

@tboerger Hello there!

The suggested method for doing such is currently to use the lua enabled version of Nginx called "open resty". Please see the /examples directory in this repo for detailed documentation.

I'd like to add additional functionality for groups facilities (or really RBAC on any claim) to VP but there are a few other items ahead of this one and I'm currently buried in other projects.

I'm going to close this in favor of #175 but feel free to ask any additional questions.

@ShyLionTjmn Thanks for chiming in and being helpful. Can I ask you to please let people know that you are relatively new to VP when you answer support questions like this. I think that context is important.

[tboerger]

Thanks for the feedback. Sadly open resty wouldn't work for me as I want to avoid switching my ingress controller.

But since you are open for such a feature I will dig through the code and see if I can contribute something similar to the suggestions mentioned eighth the linked issue.

[bnfinet]

@tboerger that would be wonderful! I'll leave a few more notes in #175