[keycloak-user] Restrict access from web app client

Simon Payne simonpayne58 at gmail.com
Wed Aug 16 09:20:34 EDT 2017


Pablo,

i'm not sure whether this will be your solution directly, but i found out
recently that the 'aud' claim in the token is to represent the audience.
Now, when i used the spring-security-oauth client library i found that it
validated the resourceId against this aud claim.

i thought it an unnecessary constraint at the time, but maybe it could be
used to restrict access by tokens, which although may have the correct
scope, have been issued to the incorrect or otherwise unknown client?

Simon.

On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez <pablo.fernandez at cscs.ch>
wrote:

> Dear Keycloakers,
>
> I am (almost) new to Keycloak and having trouble, and I thought I should
> ask you after exhausting other options, so here I am.
>
> What I would like to find is a way to confine certain web apps (with a
> registered client in Keycloak) from accessing any other client that is
> not supposed to. Specifically, I have an oidc client named 'keystone'
> that handles all OpenStack authentication and another oidc client
> 'simplewebapp' that is a webapp that I want to give access to 'keystone'
> while NOT giving access to any of the other clients (e.g. account,
> admin-cli, broker, etc.)
>
> Is there a way to do this?
>
> I thought about Scopes, but I see they are basically linked to Roles
> that I think have nothing to do with what I am doing (I tried, though
> creating new roles but it seems to me they don't prevent anything from
> happening). If I have to use Scopes, then how? Is there a Role that I
> can use to deny - or exclusively grant - access to another client? I
> also tried changing the Default Policy in 'keystone' Authorization tab
> to something like this (the opposite of what I wanted to do, to make it
> fail and see if I can use this mechanism), without success:
>
> ---
> // by default, grants any permission associated with this policy
> //$evaluation.grant();
> var context = $evaluation.getContext();
> var contextAttributes = context.getAttributes();
> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
>     $evaluation.deny();
> }
> $evaluation.grant();
> ---
>
> I googled and browsed and tried many different setting combinations
> without success, so I hope someone here could give me a hint.
>
> Thanks!
> Pablo Fernandez
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list