Consider supporting Authorization API from OpenId AuthZen

[sberyozkin]

Description

https://openid.net/specs/authorization-api-1_0.html is likely to start getting traction.

Effectively it can be seen as an alternative to quarkus-keycloak-authorization that we'd be able to use against Keycloak or any other provider that supports it

Implementation ideas

New extension that ships an HttpSecurityPolicy implementation similar to what quarkus-keycloak-authorization does.

We can assume it is an extension of the quarkus-oidc as well as it will most likely work with bearer JWT tokens only

[michalvavrik]

I love the idea, but AFAICT currently Keycloak does not support it yet keycloak/keycloak#45288. Having Keycloak supporting AuthZen would make testing bit easier, but sure, we can start before them.

@sberyozkin any idea regarding the new extension name (artifact id)? It sounds like the least important thing, but renaming a lot of POM changes sometimes mess with my IDE indexing. So just in case you do, please mention it. If not, no problem at all.

[michalvavrik]

Oh sorry, I missed this "Keycloak Authorization Services is a feature that enables a PDP [3] for individual resource servers (confidential clients) to evaluate authorization policies that govern access to their protected resources" so there is already something to start with. Cool. I take my previous comment partly back.

[sberyozkin]

Hi @michalvavrik I'd say we can wait until Keycloak implements is so that we can test it against the actual implementation in Keycloak, as opposed to for example trying to test it against an equivalent Keycloak Authorization policy setup somehow.

As far as an extension name is concerned, we have quarkus-oidc-*, quarkus-keycloak-authorization, in this case, may be quarkus-authzen-authorization, as there is a chance there will be more specs produced in that working group, so we'll have more than one quarkus-authzen-* eventually

[michalvavrik]

Cool, thanks.