JWT Authentication and ACLs

Hi,

I am trying to integrate Consul with Keycloak and use JWT tokens to write to the KV store.
I created an auth method as follows:

{
  "Name": "keycloak",
  "Type": "jwt",
  "Description": "keycloak auth server",
  "Config": {
    "BoundAudiences": [
      "broker",
      "account"
    ],
    "JWKSURL": "https://keycloack/auth/realms/matrix/protocol/openid-connect/certs",
    "ClaimMappings": {
      "given_name": "first_name",
      "family_name": "last_name",
      "azp": "azp",
      "matrix_role": "matrix_role"
    },
    "ListClaimMappings": {
      "groups": "groups"
    }
  }
}

I also created a binding rule:

{
  "Description": "my-api binding",
  "AuthMethod": "keycloak",
  "Selector": "value.name!=vault",
  "BindType": "role",
  "BindName": "matrix-apis-test"
}

I created a matrix-apis-test role and policy:

{
  "key_prefix": {
    "": {
      "policy": "read"
    },
    "matrix-api/": {
      "policy": "write"
    },
    "foo/private/": {
      "policy": "deny"
    }
  },
  "key": {
    "foo/bar/secret": {
      "policy": "deny"
    }
  }
}

When trying to write to matrix-api/registry/test, I get:

[ERROR] agent.http: Request error: method=PUT url=/v1/kv/matrix-api/registry/test?dc=dc-1&flags=3304740253564472344 error="ACL not found"

Am I missing something?

I am running the latest version, 1.8.3, with ACLs enabled.

Hi @opsngine-io,

It looks like your binding rule is incorrect. The rule should attempt to match on one of the fields you’ve mapped in either ClaimMappings or ListClaimMappings, such as first_name. For example,

{
    "Description": "my-api binding",
    "AuthMethod": "keycloak",
    "Selector": "value.first_name!=vault",
    "BindType": "role",
    "BindName": "matrix-apis-test"
}

Can you execute consul acl token read -self and check whether the token you’re being issued has the matrix-apis-test role associated to it? If it does not have that role, try updating your binding rule’s selector to match on a value that you’ve mapped using ClaimMappings.
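To make the selector point concrete, here is an added example (not Consul's own code and not from either poster) that models how the auth method's ClaimMappings and ListClaimMappings turn token claims into the selectable value.* and list.* fields, and then evaluates the original and corrected selectors against them. It is a simplified model of Consul's selector evaluation: it supports only single-clause selectors, and it assumes that a clause referencing an unmapped field never matches, which is the effect the reply above describes. The token claims are constructed sample data, not a real Keycloak token.

```python
import re

# Constructed sample JWT payload (not a real Keycloak token; signature checking is out of scope here).
SAMPLE_CLAIMS = {
    "aud": ["broker", "account"], "azp": "broker", "name": "Alice Doe",
    "given_name": "Alice", "family_name": "Doe", "matrix_role": "writer",
    "groups": ["matrix-devs"],
}
# Mappings copied from the auth method in the question.
CLAIM_MAPPINGS = {"given_name": "first_name", "family_name": "last_name",
                  "azp": "azp", "matrix_role": "matrix_role"}
LIST_CLAIM_MAPPINGS = {"groups": "groups"}

def map_claims(claims, claim_mappings, list_claim_mappings):
    """Build the selectable 'value' and 'list' namespaces from a token's claims.
    Only mapped claims become selectable: 'name' is dropped because no mapping targets it."""
    value = {dst: str(claims[src]) for src, dst in claim_mappings.items() if src in claims}
    lists = {dst: list(claims[src]) for src, dst in list_claim_mappings.items() if src in claims}
    return {"value": value, "list": lists}

_VALUE_RE = re.compile(r'^value\.(\w+)\s*(==|!=)\s*"?([^"]*?)"?$')
_LIST_RE = re.compile(r'^"?([^"]*?)"?\s+(in|not in)\s+list\.(\w+)$')

def eval_selector(selector, fields):
    """Evaluate one selector clause (simplified model; assumption: unmapped field -> no match)."""
    selector = selector.strip()
    if not selector:
        return True  # an empty selector matches every login through the auth method
    m = _VALUE_RE.match(selector)
    if m:
        field, op, literal = m.groups()
        if field not in fields["value"]:
            return False
        return (fields["value"][field] == literal) == (op == "==")
    m = _LIST_RE.match(selector)
    if m:
        literal, op, field = m.groups()
        if field not in fields["list"]:
            return False
        return (literal in fields["list"][field]) == (op == "in")
    raise ValueError(f"unsupported selector: {selector!r}")

def bound_roles(binding_rules, fields):
    """Return the BindName of every role-type binding rule whose selector matches."""
    return [r["BindName"] for r in binding_rules
            if r["BindType"] == "role" and eval_selector(r["Selector"], fields)]

ORIGINAL_RULE = {"Selector": "value.name!=vault", "BindType": "role", "BindName": "matrix-apis-test"}
CORRECTED_RULE = {"Selector": "value.first_name!=vault", "BindType": "role", "BindName": "matrix-apis-test"}
GROUP_RULE = {"Selector": "matrix-devs in list.groups", "BindType": "role", "BindName": "matrix-apis-test"}

if __name__ == "__main__":
    fields = map_claims(SAMPLE_CLAIMS, CLAIM_MAPPINGS, LIST_CLAIM_MAPPINGS)
    print("original rule binds:", bound_roles([ORIGINAL_RULE], fields))   # -> []
    print("corrected rule binds:", bound_roles([CORRECTED_RULE], fields))  # -> ['matrix-apis-test']
```

Running it shows the original selector binding no role (the token would carry no matrix-apis-test role, matching the "ACL not found" symptom), while the corrected selector and the list-based selector both bind it.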

Thanks for replying,

My idea was that this binding would match anything coming from auth-method.

Anyway, I corrected it as you suggested. Now I am trying to log in with

consul login -method 'keycloak' -token-sink-file 'consul.token' -bearer-token-file jwt-token

and I get an error:

Error logging in: Unexpected response code: 500 (computed "role" bind name for bind target is invalid: "")

I double-checked, and the matrix-apis-test role exists. I am not sure what else to check.

Thanks