[keycloak-dev] Added Dynamic client registration policies

Marek Posolda mposolda at redhat.com
Mon Oct 17 03:41:36 EDT 2016


I've added support for Dynamic client registration policies to the master.


Summary of changes:

* Admin console tab "Initial Access Tokens" was renamed to "Client 
Registrations". It now has 2 subtabs: "Initial Access Tokens" and 
"Client Registration Policies".

* The previous "Trusted hosts" stuff was removed from the UI (still need 
to do some model cleanup...)

* The Client Registration Policies tab exposes the configured client 
registration policies for the realm. I've added a new 
ClientRegistrationPolicy SPI based on the generic component model.

* There are 2 kinds of client registration policies.

** Authenticated - Those are used when a clientRegistration request comes 
with an initial-access-token or with a bearer-token.

** Anonymous - Those are used when a clientRegistration request comes 
without an initial-access-token and without a bearer-token. They are also 
used for update requests with a registrationToken for clients which were 
registered through anonymous registration.

* Implementations of clientRegistrationPolicies:

** TrustedHostClientRegistrationPolicy - Allows configuring trusted 
hosts (by IP address or by hostname) and domains. A ClientRegistration 
request needs to come from a trusted host or domain, otherwise it's 
rejected. Also all the client URIs (redirect_uris etc.) need to match 
a trusted host or domain. By default there is no trusted host 
configured. Hence anonymous clientRegistrations, which use this policy 
by default, are always rejected unless you specify a trusted host.

** ConsentRequiredClientRegistrationPolicy - newly registered clients 
will automatically have consentRequired enabled. It's also not possible 
to update them to switch consentRequired off.

** ScopeClientRegistrationPolicy - newly registered clients will 
automatically have fullScopeAllowed disabled. It's also not possible to 
update them to switch fullScopeAllowed on.

** ProtocolMapperClientRegistrationPolicy - newly registered clients 
can't use any protocolMapper implementations besides those which are 
whitelisted. By default, the whitelist includes a few types, mostly 
those which we already have as builtin mappers (User Property Mapper, User 
Attribute Mapper, Full name mapper etc.).

** ClientTemplateClientRegistrationPolicy - newly registered or updated 
clients can't have any clientTemplate which is not whitelisted. By 
default, there is no whitelisted clientTemplate.

* Authenticated policies - There are 2 policies by default: one for 
protocol mappers and one for clientTemplate.

* Anonymous policies - Contains all 5 policies configured. In other 
words, newly registered clients need to come from trusted hosts, have 
fullScopeAllowed disabled and consentRequired enabled, and can't have 
non-whitelisted protocolMappers or clientTemplates.
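
To make the above concrete, here is a small model of the policy flow described in this mail: selecting the authenticated or anonymous policy set from the tokens present on the request, and applying the five policies to a create or update. This is an added illustration written in Python, not Keycloak's own code or SPI; the class and function names, the exact rule for matching a host against a trusted domain (exact host, or a subdomain of a trusted domain), and the sample trusted hosts / whitelist values are all assumptions made for the example.

```python
"""Illustrative model of client registration policy enforcement.

Added example, not Keycloak's own code. Names, the host/domain matching
rule and the sample configuration values below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


class PolicyError(Exception):
    """The registration request violates a policy and is rejected."""


@dataclass
class ClientRep:
    """Subset of a client representation relevant to the policies."""
    client_id: str
    redirect_uris: List[str] = field(default_factory=list)
    protocol_mappers: List[str] = field(default_factory=list)  # mapper type names
    client_template: Optional[str] = None
    consent_required: bool = False
    full_scope_allowed: bool = True


@dataclass
class RegistrationRequest:
    remote_host: str                    # IP address or hostname the request came from
    initial_access_token: bool = False  # request carried an initial access token
    bearer_token: bool = False          # request carried a bearer token


# Constructed sample policy configuration (assumed values, not Keycloak defaults).
TRUSTED_HOSTS = {"10.0.0.5", "ci.example.com"}
TRUSTED_DOMAINS = {"apps.example.com"}
MAPPER_WHITELIST = {"User Property Mapper", "User Attribute Mapper", "Full name mapper"}
TEMPLATE_WHITELIST = set()  # the mail says no clientTemplate is whitelisted by default


def host_trusted(host: str) -> bool:
    """Exact match on a trusted host/IP, or a subdomain of a trusted domain (assumed rule)."""
    if host in TRUSTED_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def trusted_host_policy(req: RegistrationRequest, client: ClientRep) -> None:
    """Origin host and every redirect URI host must be trusted."""
    if not host_trusted(req.remote_host):
        raise PolicyError(f"registration from untrusted host {req.remote_host}")
    for uri in client.redirect_uris:
        host = urlparse(uri).hostname
        if host is None or not host_trusted(host):
            raise PolicyError(f"redirect_uri host not trusted: {uri}")


def consent_required_policy(client: ClientRep, existing: Optional[ClientRep]) -> None:
    if existing is None:
        client.consent_required = True  # forced on at registration
    elif not client.consent_required:
        raise PolicyError("consentRequired cannot be switched off")


def scope_policy(client: ClientRep, existing: Optional[ClientRep]) -> None:
    if existing is None:
        client.full_scope_allowed = False  # forced off at registration
    elif client.full_scope_allowed:
        raise PolicyError("fullScopeAllowed cannot be switched on")


def protocol_mapper_policy(client: ClientRep, existing: Optional[ClientRep]) -> None:
    bad = [m for m in client.protocol_mappers if m not in MAPPER_WHITELIST]
    if bad:
        raise PolicyError(f"non-whitelisted protocol mappers: {bad}")


def client_template_policy(client: ClientRep, existing: Optional[ClientRep]) -> None:
    tpl = client.client_template
    if tpl is not None and tpl not in TEMPLATE_WHITELIST:
        raise PolicyError(f"non-whitelisted client template: {tpl}")


AUTHENTICATED_POLICIES = [protocol_mapper_policy, client_template_policy]
ANONYMOUS_POLICIES = [consent_required_policy, scope_policy] + AUTHENTICATED_POLICIES


def apply_policies(req: RegistrationRequest, client: ClientRep,
                   existing: Optional[ClientRep] = None) -> ClientRep:
    """Run the policy set for the request kind; returns the (possibly adjusted) client."""
    authenticated = req.initial_access_token or req.bearer_token
    if authenticated:
        policies = AUTHENTICATED_POLICIES
    else:
        trusted_host_policy(req, client)  # anonymous requests are host-checked first
        policies = ANONYMOUS_POLICIES
    for policy in policies:
        policy(client, existing)
    return client


def check(req: RegistrationRequest, client: ClientRep,
          existing: Optional[ClientRep] = None) -> Optional[str]:
    """Return None when the request is accepted, otherwise the rejection reason."""
    try:
        apply_policies(req, client, existing)
    except PolicyError as e:
        return str(e)
    return None
```

The point worth noting for operators is the last branch of apply_policies: a request that carries no initial access token or bearer token is never trusted on its own, so with the empty default trusted-host list every anonymous registration is rejected before any of the other policies run, exactly as the TrustedHost description above says.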

* Some generic changes:

** Added 2 types of ProviderConfigProperty:

*** MultivaluedString - allows specifying multiple string values for an 
attribute, something like redirectUris or webOrigins for a client.

*** MultivaluedList - allows specifying multiple string values which need 
to be selected from a list of pre-defined allowed values, something 
like "requiredActions" for a user.

** Added field "subType" to ComponentModel. This is because for 
clientRegistrationPolicies I have 2 kinds of policies with the same type 
and the same parentId (same realm), but I still need to differentiate 
between them.


Remaining TODOs (maybe some more based on feedback):

* It seems I broke the Wildfly distribution. I will fix it ASAP today.

* I've just created KEYCLOAK-3712 Client Registration limitations - in 
short, our default implementations of ClientRegistrationProvider 
don't allow CRUD of client roles, scope mappings, service account 
roles or authorization settings of a client. They also don't allow 
updating protocolMappers. Not sure if we need to address this for this 
release? If yes, then the Scope policy should be enhanced to also support 
whitelisting of scoped roles.

* Some cleanup (logging messages, cleanup of the infinispan model for the 
previous "trusted hosts" thing)

* Docs


Marek
