Class: KeycloakRack::AuthorizeRealm

Inherits:
Object
Extended by:
Dry::Initializer
Defined in:
lib/keycloak_rack/authorize_realm.rb

Overview

A service that allows someone to check if the current token has a realm-level role.

It is instantiated in keycloak:authorize_realm after the middleware runs.

This can greatly simplify access control for rack services (for instance, to gate uploading files outside of Rails).

Examples:

class UploadProcessor
  def initialize(app)
    @app = app
  end

  def call(env)
    env["keycloak.authorize_realm"].call("upload_permission") do |m|
      m.success do
        # allow the upload to proceed
      end

      m.failure do
        # fail the response, return 403, etc
      end
    end
  end
end

Instance Method Details

#call(role_name) ⇒ Dry::Monads::Success(:authorized, String), ...

Check to see if the current user session has a certain realm-level role.

Parameters:

  • role_name (String)

Returns:

  • (Dry::Monads::Success(:authorized, String))
  • (Dry::Monads::Failure(:unauthorized, String))
  • (Dry::Monads::Failure(:unauthenticated, String))

# File 'lib/keycloak_rack/authorize_realm.rb', line 43

def call(role_name)
  if session.has_realm_role?(role_name)
    Success[:authorized, role_name]
  elsif session.authenticated?
    Failure[:unauthorized, "You do not have #{role_name.to_s.inspect} access"]
  else
    Failure[:unauthenticated, "You are not authenticated"]
  end
end
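
The three outcomes of #call map directly onto HTTP statuses. The following is an added example, not code from keycloak_rack or its documentation: a Rack middleware that reads the result returned by #call and fails closed. `RealmRoleGate`, `StubResult`, `StubAuthorizer`, `gate_status`, the status mapping and the 500 response for a missing env entry are assumptions. The env key defaults to the one in the example above and is a parameter because the overview spells it `keycloak:authorize_realm`. The stubs stand in for the gem's objects so the code runs without dependencies.

```ruby
class RealmRoleGate
  STATUS = { unauthorized: 403, unauthenticated: 401 }.freeze

  def initialize(app, role:, env_key: "keycloak.authorize_realm")
    @app, @role, @env_key = app, role, env_key
  end

  def call(env)
    authorizer = env[@env_key]
    # Fail closed if the Keycloak middleware never ran or the key is wrong.
    return deny(500, "Authorization is unavailable") if authorizer.nil?
    result = authorizer.call(@role)
    return @app.call(env) if result.success?

    reason, message = result.failure
    # Unknown failure reasons are treated as forbidden, never as allowed.
    deny(STATUS.fetch(reason, 403), message)
  end

  private

  def deny(status, message)
    [status, { "content-type" => "text/plain" }, [message]]
  end
end

# Constructed stand-ins so this runs without the gems. They mimic only what is
# used above: #call(role_name) returning an object with #success? and #failure.
StubResult = Struct.new(:ok, :payload) do
  def success?; ok; end
  def failure; payload; end
end

class StubAuthorizer
  def initialize(roles: [], authenticated: false)
    @roles, @authenticated = roles, authenticated
  end

  def call(role_name)
    return StubResult.new(true, [:authorized, role_name]) if @roles.include?(role_name)
    return StubResult.new(false, [:unauthorized, "no #{role_name} access"]) if @authenticated
    StubResult.new(false, [:unauthenticated, "You are not authenticated"])
  end
end

def gate_status(authorizer)
  upload_app = ->(_env) { [200, { "content-type" => "text/plain" }, ["stored"]] }
  env = authorizer ? { "keycloak.authorize_realm" => authorizer } : {}
  RealmRoleGate.new(upload_app, role: "upload_permission").call(env).first
end
```

Calling `gate_status(nil)` exercises the missing-middleware path, which returns 500 instead of reaching the upload handler.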