JWT Authentication and ACLs

Hi,

I am trying to integrate consul with keycloak and use jwt tokens to write to KV store.
I created auth-method as follows:
{
“Name”: “keycloak”,
“Type”: “jwt”,
“Description”: “keycloak auth server”,
“Config”: {
“BoundAudiences”: [
“broker”,
“account”
],
“JWKSURL”: “https://keycloack/auth/realms/matrix/protocol/openid-connect/certs”,
“ClaimMappings”: {
“given_name”: “first_name”,
“family_name”: “last_name”,
“azp”: “azp”,
“matrix_role”: “matrix_role”
},
“ListClaimMappings”: {
“groups”: “groups”
}
}
}

Also created binding:

{
“Description”: “my-api binding”,
“AuthMethod”: “keycloak”,
“Selector”: “value.name!=vault”,
“BindType”: “role”,
“BindName”: “matrix-apis-test”
}

Created a matrix-apis-test role and policy

{
“key_prefix”: {
“”: {
“policy”: “read”
},
“matrix-api/”: {
“policy”: “write”
},
“foo/private/”: {
“policy”: “deny”
}
},
“key”: {
“foo/bar/secret”: {
“policy”: “deny”
}
},
}

When trying to write to matrix-api/registry/test

[ERROR] agent.http: Request error: method=PUT url=/v1/kv/matrix-api/registry/test?dc=dc-1&flags=3304740253564472344 error=“ACL not found”

Am I missing something?

I am running latest 1.8.3 version with acl enabled

Hi @opsngine-io,

It looks like your binding rule is incorrect. The rule should attempt to match on one of the fields you’ve mapped in either ClaimMappings or ListClaimMappings, such as first_name. For example,

{
    "Description": "my-api binding",
    "AuthMethod": "keycloak",
    "Selector": "value.first_name!=vault",
    "BindType": "role",
    "BindName": "matrix-apis-test"
}

Can you execute consul acl token read -self and check whether the token you’re being issued has the matrix-apis-test role associated to it? If it does not have that role, try updating your binding rule’s selector to match on a value that you’ve mapped using ClaimMappings.

Thanks for replying,

My idea was that this binding would match anything coming from auth-method.

Anyway, I corrected it as you suggested. Now trying to login with

consul login -method 'keycloak' -token-sink-file 'consul.token' -bearer-token-file jwt-token

And getting an error:

Error logging in: Unexpected response code: 500 (computed "role" bind name for bind target is invalid: "")

I double checked and there is matrix-apis-test role. Not sure what else to check.

Thanks