[keycloak-user] Restrict access from web app client

Pablo Fernandez pablo.fernandez at cscs.ch
Thu Aug 17 02:36:28 EDT 2017 

Dear Simon,

Thanks for your reply.

I am not quite sure your proposal would work in our case (or maybe I
don't understand it): do you mean that the client will ask for a
specific audience to be put inside the token, and that the other service
providers would have to check that the claim is targeted against the
right audience? That creates a big overhead if you have many SPs, which
we do. And anyway, how can you limit a certain client to be issued token
of a certain audience within Keycloak? And furthermore, how can I limit
the access to the /accounts API on Keycloak for a token given to certain
clients?

It would be great to have a mechanism inside Keycloak to limit the
scopes of the various clients directly, without extra work on the
clients or the SPs. Am I assuming something that is wrong? What is the
Authorization tab (and/or the Scopes one) for?

Thanks a lot again,
BR/Pablo


On 16/08/17 15:20, Simon Payne wrote:
> Pablo,
>
> i'm not sure whether this will be your solution directly, but i found out
> recently that the 'aud' claim in the token is to represent the audience.
> Now, when i used the spring-security-oauth client library i found that it
> validated the resourceId against this aud claim.
>
> i thought it an unnecessary constraint at the time, but maybe it could be
> used to restrict access by tokens, which although may have the correct
> scope, have been issued to the incorrect or otherwise unknown client?
>
> Simon.
>
> On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez <pablo.fernandez at cscs.ch>
> wrote:
>
>> Dear Keycloakers,
>>
>> I am (almost) new to Keycloak and having trouble, and I thought I should
>> ask you after exhausting other options, so here I am.
>>
>> What I would like to find is a way to confine certain web apps (with a
>> registered client in Keycloak) from accessing any other client that is
>> not supposed to. Specifically, I have an oidc client named 'keystone'
>> that handles all OpenStack authentication and another oidc client
>> 'simplewebapp' that is a webapp that I want to give access to 'keystone'
>> while NOT giving access to any of the other clients (e.g. account,
>> admin-cli, broker, etc.)
>>
>> Is there a way to do this?
>>
>> I thought about Scopes, but I see they are basically linked to Roles
>> that I think have nothing to do with what I am doing (I tried, though
>> creating new roles but it seems to me they don't prevent anything from
>> happening). If I have to use Scopes, then how? Is there a Role that I
>> can use to deny - or exclusively grant - access to another client? I
>> also tried changing the Default Policy in 'keystone' Authorization tab
>> to something like this (the opposite of what I wanted to do, to make it
>> fail and see if I can use this mechanism), without success:
>>
>> ---
>> // by default, grants any permission associated with this policy
>> //$evaluation.grant();
>> var context = $evaluation.getContext();
>> var contextAttributes = context.getAttributes();
>> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
>>     $evaluation.deny();
>> }
>> $evaluation.grant();
>> ---
>>
>> I googled and browsed and tried many different setting combinations
>> without success, so I hope someone here could give me a hint.
>>
>> Thanks!
>> Pablo Fernandez
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list