Support CEL / template in authenticator validations
Preflight checklist
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have discussed this feature request with the community.
Describe the background of your feature request
We're building a multi-tenant cloud application which is secured via Keycloak, and we're looking into using heimdall to secure our app. Our tenants should be separated by using different Keycloak realms (effectively one OpenID provider per tenant), but we do want our users to be able to log in to shared services in the app using heimdall.
Describe your idea
Building upon #619, I'd like to extend authenticator validation with CEL.
I'm thinking of a configuration like this:
```yaml
rules:
  mechanisms:
    authenticators:
      - id: keycloak
        type: oidc
        config:
          assertions:
            issuers:
              - expression: "Issuer.startsWith(\"https://${our_keycloak_url}/realms\")"
              - "${issuer_url}" # this one for backwards compatibility
```
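As an added example (not heimdall's own code), this Go sketch models the two issuer entry kinds of the proposed config, an exact issuer for backwards compatibility and a prefix rule standing in for the `Issuer.startsWith(...)` expression, and adds the boundary check a prefix match needs: the prefix must end in `/` and exactly one realm segment may follow, since a bare `startsWith("https://kc/realms")` would also accept an issuer like `https://kc/realms-evil`. Host names are constructed, and CEL evaluation is replaced by plain string matching.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// IssuerAssertion mirrors the two entry kinds of the proposed config: an exact issuer
// (backwards compatible) or a prefix standing in for `Issuer.startsWith(...)` (CEL).
type IssuerAssertion struct {
	Exact  string // e.g. "https://kc.example.test/realms/shared" (constructed)
	Prefix string // e.g. "https://kc.example.test/realms/" (constructed)
}

// UnverifiedIssuer reads `iss` from a compact JWS. It only selects the realm whose
// JWKS must verify the signature; no claim is trusted before that verification.
func UnverifiedIssuer(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	return claims.Iss, nil
}

// MatchIssuer returns the assertion accepting iss. A prefix must end in "/" and only one
// non-empty segment (the realm) may follow, so ".../realms-evil/x" and ".../realms/a/b" fail.
func MatchIssuer(iss string, assertions []IssuerAssertion) (IssuerAssertion, error) {
	for _, a := range assertions {
		if a.Exact != "" && a.Exact == iss {
			return a, nil
		}
		if a.Prefix != "" && !strings.HasSuffix(a.Prefix, "/") {
			return IssuerAssertion{}, fmt.Errorf("prefix %q must end with '/'", a.Prefix)
		}
		rest := strings.TrimPrefix(iss, a.Prefix)
		if a.Prefix != "" && rest != iss && rest != "" && !strings.Contains(rest, "/") {
			return a, nil
		}
	}
	return IssuerAssertion{}, fmt.Errorf("issuer %q is not allowed", iss)
}
```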
Are there any workarounds or alternatives?
I have so far not found an alternative for what I'm trying to achieve. A workaround would be an extra service validating tokens from different realms and unifying these tokens, but I think it wouldn't be a nice solution.
Version
v0.11.0