RubyGems - rails_keycloak_authorization - Versions diffs - 0.0.1 - Mend

rails_keycloak_authorization 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 473a44e0abf7c0db82ad24417b0e20a546219e28967dc41cdee8753a954b0c3a
+  data.tar.gz: d2d21f2d7c7c291fcfc267ed9e7b83c66684714d952341b875d46ac2db2bdad8
+SHA512:
+  metadata.gz: dccfd5e98b565f2c1da1911ab0d588b08a96a15790b0c6147e868c57b7f4f4e7fd444a9a1fa2280ccb4ca1d303d6a4601db8475931e511e2d6bcd8a0170417a7
+  data.tar.gz: f8175f8a52eb1e2bac762fe7e3ba4e2cac8ffdc322291e667901f958781c551d06920e3f80bcdb4c25f2430069e6e50f1a13f3153b5c9681117aef07d9e1a817

data/MIT-LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright Mohammed O. Tillawy
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,139 @@
+# Rails Keycloak Authorization
+Rails middleware to authorize requests using [Keycloak](https://www.keycloak.org) and gem [keycloak-admin-ruby](https://github.com/looorent/keycloak-admin-ruby).
+This gem uses JWT token to authorize requests.
+To read more how this gem works:
+ * [Keycloak authorization services](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_overview)
+ * [Policy Enforcement Point (PEP)](https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_overview)
+For the moment it only support permission_resource_format=uri. it does not support permission_resource_format=resource.
+It does **not** support rails cookie-based-sessions, so it is only suitable for APIs.
+This gem uses regular-expression for URLs matching, so it is very powerful and flexible.
+## How it works
+This gem is a middleware that checks if the request is authorized by Keycloak.
+It will check if the request's token is valid and if the user has the required roles to access the requested resource.
+Keycloak setup for authorization has many options, the following conventions were followed building this gem:
+| Rails component   | Keycloak component  |
+|-------------------|---------------------|
+| Controller        | Authz Resource      |
+| Controller Action | Authz Scope         |
+| Route             | permission subject  |
+## Flow
+```mermaid
+sequenceDiagram
+    actor User
+    User->>Application: Request ${URL} with ${JWT_TOKEN}
+    create participant Keycloak
+    Application-->>Keycloak: is ${JWT_TOKEN} authorized for ${URL}?
+    note right of Keycloak: Keycloak will validate the token <br/> and check if the user has the required roles
+    destroy Keycloak
+    Keycloak-->>Application: ${JWT_TOKEN} is authorized for ${URL}
+    destroy Application
+    Application-->>User: Response ${URL} with ${DATA}
+```
+## Configuration
+In order to use this gem, you need to configure it in an initializer file. You can create a new file in `config/initializers/rails_keycloak_authorization.rb` with the following content:
+```ruby
+# The Keycloak realm
+RailsKeycloakAuthorization.keycloak_realm = ENV.fetch("KEYCLOAK_AUTH_CLIENT_REALM_NAME", "dummy")
+# The client id in the realm
+RailsKeycloakAuthorization.client_id = ENV.fetch("KEYCLOAK_AUTH_CLIENT_ID", "dummy-client")
+# Keycloak server url
+RailsKeycloakAuthorization.keycloak_server_url = ENV.fetch("KEYCLOAK_SERVER_URL", "http://localhost:8080")
+# Patterns that are protected by the middleware, Array of regular-expressions.
+RailsKeycloakAuthorization.match_patterns = [
+  /^\/organizations(\.json)?/,
+  /^\/api/,
+  /internal/
+]
+```
+## How to easily test it?
+Create development environment with Keycloak and Tofu:
+ * checkout the source-code of this project
+   * `git checkout https://github.com/tillawy/rails_keycloak_authorization.git`
+   * `cd rails_keycloak_authorization`
+ * Run keycloak in a [Docker](https://docs.docker.com/get-docker/) container
+   * `cd docker`
+   * `docker-compose up`
+   * verify keycloak is running at `http://localhost:8080`, username: `admin`, password: `admin`
+ * Run tofu to setup keycloak realm & client
+   * `brew install opentofu`
+   * `cd ../tofu`
+   * `tofu -chdir=tofu init`
+   * `tofu -chdir=tofu apply -auto-approve`
+Running the previous steps should:
+ * Start Keycloak server
+ * Create realm called: `Dummy`
+ * Create openid-client called: `dummy-client` in realm `dummy` with:
+   * client secret `dummy-client-super-secret-xxx`
+   * valid_redirect_uri `http://localhost:3000/*`
+ * Create user `test@test.com` with password `test`
+ * Create openid-client called: `keycloak-admin` in realm `master` with:
+   * client secret `keycloak-admin-client-secret-xxx`
+   * role to manager users in realm `dummy`
+Run the server:
+  `bundle exec rails s`
+make the first request (should fail) `Authorization Failed`:
+```shell
+bash test/curl/test.curl.bash
+```
+How let us setup Authorization:
+ * Open rka http://localhost:3000/rka/management/
+ * On the first tab `Rails Routes`
+ * The first route `/organizations(.:format)`, click inspect
+ * Click on `Create Resource?` to create Authz Resource for controller
+ * Click on `Create Scope?` to create resource for controller action
+ * Click on `Attach scope index to resource` to attach the scope (action: index) to the resource (controller: organizations_controller)
+ * Select the second tab `Keycloak Policies`
+ * From the Role dropdown list select `default-roles-dummy`
+ * Click `Create`
+ * Select the third tab `Keycloak Permissions`
+ * From the Policy dropdown list select `RKA-Policy`
+ * From the Resource dropdown list select `organization_controllers`
+ * Another dropdown will appear Select Scope, select `index`
+ * Click `Create`
+Now let us run the test `bash test/curl/test.curl.bash` again, it should pass.
+## Installation
+Add this line to your application's Gemfile:
+```ruby
+gem "rails_keycloak_authorization"
+```
+And then execute:
+```bash
+$ bundle
+```
+## Contributing
+Contribution directions go here.
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile ADDED Viewed

@@ -0,0 +1,8 @@
+require "bundler/setup"
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+load "rails/tasks/statistics.rake"
+require "bundler/gem_tasks"

data/app/assets/config/rails_keycloak_authorization_manifest.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ //= link_directory ../stylesheets/rails_keycloak_authorization .css

data/app/assets/stylesheets/rails_keycloak_authorization/application.css ADDED Viewed

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/concerns/rails_keycloak_authorization/with_htmx_layout.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module RailsKeycloakAuthorization
+  # This concern is to explicitly force htmx layout with routes, layout=htmx
+  module WithHtmxLayout
+    extend ActiveSupport::Concern
+    included do
+      before_action do
+        if request.params[:layout] == "htmx"
+          self.class.layout "rails_keycloak_authorization/htmx"
+        else
+          self.class.layout false
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/rails_keycloak_authorization/with_keycloak_admin.rb ADDED Viewed

@@ -0,0 +1,35 @@
+module RailsKeycloakAuthorization
+  module WithKeycloakAdmin
+    extend ActiveSupport::Concern
+    included do
+      before_action :keycloak_admin_configure
+    end
+    private
+    def realm_name
+      ENV.fetch('KEYCLOAK_AUTH_CLIENT_REALM_NAME')
+    end
+    def openid_client
+      KeycloakAdmin.realm(realm_name).clients.find_by_client_id(ENV["KEYCLOAK_AUTH_CLIENT_ID"])
+    end
+    def keycloak_admin_configure
+      KeycloakAdmin.configure do |config|
+        config.use_service_account = true
+        config.server_url          = ENV["KEYCLOAK_SERVER_URL"]
+        config.server_domain       = ENV["KEYCLOAK_SERVER_DOMAIN"]
+        config.client_id           = ENV["KEYCLOAK_ADMIN_CLIENT_ID"]
+        config.client_realm_name   = ENV["KEYCLOAK_ADMIN_REALM_NAME"]
+        config.client_secret       = ENV["KEYCLOAK_ADMIN_CLIENT_SECRET"]
+        config.logger              = Rails.logger
+        config.rest_client_options = { timeout: 3, verify_ssl: Rails.env.production? }
+      end
+    end
+  end
+end

data/app/controllers/concerns/rails_keycloak_authorization/with_routes_reader.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+module RailsKeycloakAuthorization
+  module WithRoutesReader
+    extend ActiveSupport::Concern
+    extend self
+    def available_routes
+      available_route_names.map do |name|
+        Rails.application.routes.named_routes.get(name)
+      end
+    end
+    def route(route_name)
+      Rails.application.routes.named_routes[route_name]
+    end
+    def available_route_names
+      names = Rails.application.routes.named_routes.names.filter do |route_name|
+        route_name.present? && !%w[rails action_mailbox active_storage auth root].any? { |exclude| route_name.to_s.include?(exclude) }
+      end
+      names.uniq
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/application_controller.rb ADDED Viewed

@@ -0,0 +1,4 @@
+module RailsKeycloakAuthorization
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/rails_keycloak_authorization/management_controller.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module RailsKeycloakAuthorization
+  class ManagementController < ApplicationController
+    layout false
+    def index
+      render layout: "rails_keycloak_authorization/htmx"
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/permissions_controller.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module RailsKeycloakAuthorization
+  class PermissionsController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include ResourcesHelper
+    def index
+      @permissions = KeycloakAdminRubyAgent.list_keycloak_permissions
+      @resources = KeycloakAdminRubyAgent.list_keycloak_resources_for_controllers
+      @policies = KeycloakAdminRubyAgent.list_keycloak_policies
+    end
+    def resource_scopes_select
+      @resource_scopes = KeycloakAdmin
+                          .realm(realm_name)
+                          .authz_scopes(openid_client.id, params[:keycloak_resource_id])
+                          .list
+    end
+    def create
+      resource = KeycloakAdmin.realm(realm_name).authz_resources(openid_client.id).get(params[:keycloak_resource_id] )
+      scope = KeycloakAdmin.realm(realm_name).authz_scopes(openid_client.id, resource.id).get(params[:keycloak_scope_id])
+      KeycloakAdmin
+        .realm(realm_name)
+        .authz_permissions(openid_client.id, :scope)
+        .create!(
+          "RKA #{resource.name} #{scope.name} ",
+          "RailsKeycloakRails permission #{resource.name}",
+          "UNANIMOUS",
+          "POSITIVE",
+          [ params[:keycloak_resource_id] ],
+          [ params[:keycloak_policy_id] ],
+          [ params[:keycloak_scope_id] ],
+          "scope"
+        )
+      redirect_to permissions_path
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/policies_controller.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module RailsKeycloakAuthorization
+  class PoliciesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include ResourcesHelper
+    def index
+      @default_policy_name = KeycloakAdminRubyAgent.policy_name
+      @policies = KeycloakAdminRubyAgent.list_keycloak_policies
+      @realm_roles = KeycloakAdminRubyAgent.list_roles
+    end
+    def create
+      KeycloakAdminRubyAgent.create_keycloak_policy(params[:keycloak_realm_role_id])
+      redirect_to policies_path
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/resources_controller.rb ADDED Viewed

@@ -0,0 +1,31 @@
+module RailsKeycloakAuthorization
+  class ResourcesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include ResourcesHelper
+    include WithRoutesReader
+    def create
+      KeycloakAdminRubyAgent.create_keycloak_resource(params[:route_id])
+      redirect_to resource_path(params[:route_id])
+    end
+    def index
+      @route_names = Rails.application.routes.named_routes.names
+      @controller_names = @route_names.map { |route_name|
+        Rails.application.routes.named_routes[route_name].defaults[:controller]
+      }.filter{|route_name|
+        !route_name.nil? && !route_name.include?("rails") && !route_name.include?("action_mailbox") && !route_name.include?("active_storage") && !route_name.include?("oauth") }.uniq
+      @resources = KeycloakAdmin.realm(realm_name).authz_resources(openid_client.id).list
+    end
+    def new
+      @route = route(params[:route_id])
+    end
+    def show
+      @route = route(params[:id])
+      @keycloak_resource = KeycloakAdminRubyAgent.keycloak_resource(@route.defaults[:controller])
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/routes_controller.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module RailsKeycloakAuthorization
+  class RoutesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    include WithRoutesReader
+    before_action :set_route, only: [:show]
+    def index
+      @routes = available_routes
+    end
+    def show
+    end
+    private
+    def set_route
+      @route = Rails.application.routes.named_routes[params[:id]]
+    end
+  end
+end

data/app/controllers/rails_keycloak_authorization/scopes_controller.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module RailsKeycloakAuthorization
+  class ScopesController < ApplicationController
+    include WithKeycloakAdmin
+    include WithHtmxLayout
+    def index
+      @scopes = KeycloakAdmin
+                  .realm(realm_name)
+                  .authz_scopes(openid_client.id, params[:keycloak_resource_id])
+                  .list
+    end
+    def show
+      @keycloak_scope_name = params[:keycloak_scope_name]
+      @keycloak_resource_id = params[:keycloak_resource_id]
+      @available_scope = KeycloakAdmin
+                          .realm(realm_name)
+                          .authz_scopes(openid_client.id)
+                          .search(params[:keycloak_scope_name])
+                          .first
+      @resource_scope = KeycloakAdmin
+                 .realm(realm_name)
+                 .authz_scopes(openid_client.id, params[:keycloak_resource_id])
+                 .list
+                 .detect{|s| s.name == params[:keycloak_scope_name]}
+    end
+    def new
+      @keycloak_scope_name = params[:keycloak_scope_name]
+      @keycloak_resource_id = params[:keycloak_resource_id]
+    end
+    def attach
+      keycloak_scope_name = params[:keycloak_scope_name]
+      keycloak_resource_id = params[:keycloak_resource_id]
+      KeycloakAdminRubyAgent.attach_scope_to_resource(keycloak_scope_name, keycloak_resource_id)
+      redirect_to scope_path("scope", keycloak_resource_id: keycloak_resource_id, keycloak_scope_name: keycloak_scope_name)
+    end
+    def create
+      scope = KeycloakAdminRubyAgent.create_keycloak_scope(params[:keycloak_scope_name])
+      redirect_to scope_path(scope.id, keycloak_resource_id: params[:keycloak_resource_id], keycloak_scope_name: params[:keycloak_scope_name])
+    end
+  end
+end

data/app/helpers/rails_keycloak_authorization/application_helper.rb ADDED Viewed

@@ -0,0 +1,4 @@
+module RailsKeycloakAuthorization
+  module ApplicationHelper
+  end
+end

data/app/helpers/rails_keycloak_authorization/resources_helper.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module RailsKeycloakAuthorization
+  module ResourcesHelper
+  end
+end

data/app/jobs/rails_keycloak_authorization/application_job.rb ADDED Viewed

@@ -0,0 +1,4 @@
+module RailsKeycloakAuthorization
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/rails_keycloak_authorization/application_mailer.rb ADDED Viewed

@@ -0,0 +1,6 @@
+module RailsKeycloakAuthorization
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/rails_keycloak_authorization/application_record.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module RailsKeycloakAuthorization
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/services/rails_keycloak_authorization/keycloak_admin_ruby_agent.rb ADDED Viewed

@@ -0,0 +1,145 @@
+module RailsKeycloakAuthorization
+  class KeycloakAdminRubyAgent
+    class << self
+      POLICY_NAME = "RKA-Policy"
+      def initialize
+        super
+        keycloak_admin_configure
+      end
+      def policy_name
+        POLICY_NAME
+      end
+      def list_keycloak_resources_for_controllers
+        KeycloakAdmin.realm(realm_name)
+                     .authz_resources(openid_client.id)
+                     .find_by("",
+                              resource_type_for_controller,
+                              "",
+                              "",
+                              "")
+      end
+      def list_keycloak_permissions
+        KeycloakAdmin.realm(realm_name)
+                     .authz_permissions(openid_client.id, "scope")
+                     .find_by(nil, nil)
+      end
+      def list_keycloak_policies
+        KeycloakAdmin.realm(realm_name)
+                     .authz_policies(openid_client.id, 'role')
+                     .find_by(POLICY_NAME, "role")
+      end
+      def create_keycloak_policy(keycloak_realm_role_id)
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_policies(openid_client.id, 'role')
+          .create!("#{POLICY_NAME}",
+                   "#{POLICY_NAME} default policy",
+                   "role",
+                   "POSITIVE",
+                   "UNANIMOUS",
+                   true,
+                   [{id: keycloak_realm_role_id, required: true}]
+          )
+      end
+      def list_policies
+      end
+      def list_roles
+        KeycloakAdmin.realm(realm_name).roles.list
+      end
+      def create_keycloak_scope(keycloak_scope_name)
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_scopes(openid_client.id)
+          .create!(
+            keycloak_scope_name,
+            "RKA #{keycloak_scope_name}",
+            ""
+          )
+      end
+      def create_keycloak_resource(route_id)
+        route = WithRoutesReader.route(route_id)
+        resource_name = resource_name_for(route.defaults[:controller])
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_resources(openid_client.id)
+          .create!(
+            resource_name,
+            resource_type_for_controller,
+            [],
+            true,
+            "RKA #{resource_name}",
+            [])
+      end
+      def keycloak_resource(controller_name)
+        resource_name = resource_name_for(controller_name)
+        KeycloakAdmin
+          .realm(realm_name)
+          .authz_resources(openid_client.id)
+          .find_by(resource_name,
+                   resource_type_for_controller,
+                   "",
+                   "",
+                   "")
+          .first
+      rescue
+        nil
+      end
+      def realm_name
+        ENV.fetch("KEYCLOAK_AUTH_CLIENT_REALM_NAME")
+      end
+      def openid_client
+        KeycloakAdmin
+          .realm(realm_name)
+          .clients
+          .find_by_client_id(ENV.fetch("KEYCLOAK_AUTH_CLIENT_ID"))
+      end
+      def resource_type_for_controller
+        type_for(openid_client.client_id)
+      end
+      def type_for(openid_client_id)
+        "urn:#{openid_client_id}:rka:resources:controllers"
+      end
+      def resource_name_for(controller_name)
+        "#{controller_name}_controller"
+      end
+      def keycloak_admin_configure
+        KeycloakAdmin.configure do |config|
+          config.use_service_account = true
+          config.server_url = ENV.fetch("KEYCLOAK_SERVER_URL")
+          config.server_domain = ENV.fetch("KEYCLOAK_SERVER_DOMAIN")
+          config.client_id = ENV.fetch("KEYCLOAK_ADMIN_CLIENT_ID")
+          config.client_realm_name = ENV.fetch("KEYCLOAK_ADMIN_REALM_NAME")
+          config.client_secret = ENV.fetch("KEYCLOAK_ADMIN_CLIENT_SECRET")
+          config.logger = Rails.logger
+          config.rest_client_options = { timeout: 5, verify_ssl: Rails.env.production? }
+        end
+      end
+    end
+    def self.attach_scope_to_resource(keycloak_scope_name, keycloak_resource_id)
+      KeycloakAdmin.realm(realm_name)
+                   .authz_resources(openid_client.id)
+                   .update(keycloak_resource_id, scopes: [{name: keycloak_scope_name}])
+    end
+  end
+end

data/app/views/layouts/rails_keycloak_authorization/application.html.erb ADDED Viewed

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Rails Keycloak Authorization</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <%= stylesheet_link_tag "rails_keycloak_authorization/application", media: "all" %>
+</head>
+<body>
+<%= yield %>
+</body>
+</html>

data/app/views/layouts/rails_keycloak_authorization/htmx.html.erb ADDED Viewed

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Rails Keycloak Authorization</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <script src="https://unpkg.com/htmx.org@2.0.0/dist/htmx.js" integrity="sha384-Xh+GLLi0SMFPwtHQjT72aPG19QvKB8grnyRbYBNIdHWc2NkCrz65jlU7YrzO6qRp" crossorigin="anonymous"></script>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <%= stylesheet_link_tag "rails_keycloak_authorization/application", media: "all" %>
+</head>
+<body hx-headers='{"X-CSRF-Token": "<%= form_authenticity_token %>"}'>
+  <%= yield %>
+</body>
+</html>