Fix authz/resource-server/policy/... endpoints #26867
Conversation
30dac4e to
ed077af
Compare
|
Thank you for this contribution. This moves around quite some bits of the code. I also read your comment in the parent issue:
Could you please
This would help me a lot when reviewing this. Thanks! |
|
Sorry, I've updated the PR description now to give more details about this. |
16615ba to
76a4f00
Compare
There was a problem hiding this comment.
Do we need this (and the other endpoint) endpoint?
There was a problem hiding this comment.
I had a look at this PR as well, and I am (and OpenAPI) is struggling with the Object return type. By splitting the policy-by-type and policy-by-ID to separate endpoints, it would allow a more specific return type than Object. Happy to hear more direction from you about this.
There was a problem hiding this comment.
Yes, that's exactly why I've introduced these two new endpoints.
There was a problem hiding this comment.
My main concern is that we now have those two endpoints plus the current one returning an object and that does not work well with Open API. Shall we at least deprecate the current endpoint in favor of these two and remove it in 1 or 2 releases from now?
I was wondering if we could somehow handle this using a org.eclipse.microprofile.openapi.OASFilter so that we could add both variants (type/id) to the resulting model tree. But I don't see how we can do that.
There was a problem hiding this comment.
Open API doesn't really document the current one anyway as it's returning Object and thus the generator cannot actually document all the endpoints in those services.
If you're okay with that deprecating would be a good idea but that would necessarily involve changes to the admin UI as well, so I didn't do it right away in this PR.
|
I had a look at this PR and I still need to understand more of the AUTHZ stuff and how the URLs and UI work together. I agree that the current API has its flaws and it should be changed. Still I'm not sure how, although I know we should deprecate some of the usages. I found that the Java Admin CLI offers a little bit different APIs to this, as the types are named there, and they return different representations: https://github.com/keycloak/keycloak/blob/3f6925143aa8a3e61c30782029ca5ea781d60ce0/integration/admin-client-jee/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java Again, I need more time to look at this. |
76a4f00 to
08339da
Compare
|
Rebased onto current |
@ahus1 @999eagle FTR, originally we did not have specific endpoints for each permission or policy type but only a generic API to handle all of them using a generic representation. At that time we also did not have OpenAPI support and we did not change the Authorization API to fit into it. Having a proper OpenAPI is even more tricky if you consider that each policy type has its own representation to make it easier to manage those different policies. Are we changing this here? |
|
@pedroigor I have not changed how policies themselves are represented and how the representations of different types of policies are documented in the OpenAPI spec as that would be (as you already said yourself) quite tricky. Policies are still documented to be returned as the generic representation. This is basically the smallest possible API change to be able to at least document all the policy-related API endpoints (not including the specific bodies returned of course). The only thing this should change is to separate the existing API endpoint |
|
@pedroigor @ahus1 ping |
08339da to
4540cec
Compare
|
rebased onto current |
Closes: keycloak#26851 Signed-off-by: Sophie Tauchert <[email protected]>
4540cec to
7d6dd41
Compare
|
rebased again to be able to use this. also pinging @ahus1 @pedroigor again, did you have time to review this? |
|
@999eagle - sorry for the long time I kept you waiting on this PR. I appreciate all the enhancements you provided in the previous PRs by adding the missing annotations to Keycloak's code. This one is IMHO different as it adds new API methods that allow for documentation, while it keeps the old API that is then still undocumented. In addition to that, I struggle with the policy endpoints as I'm not familiar with this area of the code. The newly added API is then still incomplete in at least two ways:
This week I stumbled across a similar problem that we don't document some of the Realm Admin endpoints that are dynamically added - see This indicates to me that we should look for a different approach to solve this. Even if we redesign this API, the other Realm Admin endpoint will still give us a headache. We could reach out to the https://github.com/smallrye/smallrye-open-api project to ask if there is an annotation we could add to indicate different possible subresoures or return types. IMHO in the case of the Realm Admin Subresources it won't help us much as those classes live in a different Maven module and are not known there at compile time, although it would help us here. I searched the OpenAPI ecosystem, and found several tools which claim to merge OpenAPI specs. See https://github.com/robertmassaioli/openapi-merge?tab=readme-ov-file for one example. There also seems to be a Java Maven plugin, although it might be less popular: https://github.com/kpramesh2212/openapi-merger-plugin/tree/main/openapi-merger-maven-plugin So I'd suggest a new Proof-of-concept: As the OpenAPI annotations in the Java Code don't seem to be a good fit here, create a manual OpenAPI spec for those parts and merge it with the automatically created spec. I would assume you could do that even locally without changing the Keycloak code, at least in the proof-of-concept mode. If that proves to work, the next challenge would be to automate that in the Keycloak build: The Node plugin might not be a good fit in the Java build, and the Java Maven plugin doesn't seem to be popular and I didn't find something the main OpenAPI/Swagger project for that (might need to look again). So we would rather look into build our own Maven plugin which is then maintained in the Keycloak repository. A possible future enhancement would then to migrate the manually created OpenAPI spec to something that is at least half-automated, or we can stick with merging an automatically generated and a second manually maintained file. I know this is very different from what you originally suggested. I'd be happy to hear your thoughts on this about the possible advantages and disadvantages you see. |
Closes: #26851
This PR changes the
admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/endpoints by splitting the.../policy/{type}/endpoint (which could return two different sub services depending on whether a policy type or policy uuid was given as{type}) into two separate endpoints.../policy/by-type/{type}/and.../policy/by-id/{policy-id}/. This allows usObjectinstead of concrete services andPolicyTypeServicewhich inherited the old endpoint from thePolicyServicethus allowing API calls like.../policy/{type}/{type}/{type}/{type}/...to actually work.This is a backend-only change and keeps the current dual-use endpoint working to prevent introducing breaking API changes (except for disallowing the infinite recursion which hopefully no one is actually using). This endpoint is still undocumented in the OpenAPI spec though as different sub services and thus different endpoints can be returned depending on the
{type}-argument.For this change, I've extracted the common code of
PolicyServiceandPolicyTypeServiceinto a new abstract base classBasePolicyServiceand changedPolicyTypeServiceto extend that instead of thePolicyServiceto make sure the dual-use endpoint is only available for thePolicyServiceand not for thePolicyTypeService. An easier change would've been to override the method inPolicyTypeServiceto throw an exception or something but this sadly is impossible to communicate to the OpenAPI spec generator thus documenting the endpoint twice.The new
.../policy/by-type/{type}/and.../policy/by-id/{policy-id}/endpoints are added to thePolicyServiceonly and also would've been documented for thePolicyTypeServiceif it still extended that instead of the common base class.