[keycloak-user] Restrict access to a client to a subset of Keycloak users

Shane Boulden shane.boulden at gmail.com
Thu Feb 23 13:16:11 EST 2017


Thanks very much Marek and Thomas for taking the time to get back to me.

I've found an example of a JS authenticator here:

http://www.lookatsrc.com/source/scripts/authenticator-template.js?a=org.keycloak:keycloak-services

Is this how I would build the custom authenticator, and extend it to check
the user roles and clientID?

Thanks

Shane

On 24 Feb. 2017 01:25, "Thomas Darimont" <thomas.darimont at googlemail.com>
wrote:

> Hello Shane,
>
> you could try to do that with the Javascript based Authenticator.
>
> Cheers,
> Thomas
>
> 2017-02-23 14:07 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
>
>> I can think of some workarounds. Like for example, create an
>> Authenticator, which will be added to the bottom of the authentication
>> flow. Authenticator will throw an exception in case that unpermitted
>> user is trying to authenticate to the client corresponding to your
>> openshift application. You have the user available (he is already
>> authenticated) and you have also the client (can be determined based on
>> clientId).
>>
>> Maybe even easier is to do that in custom RequiredActionProvider and do
>> this check in "evaluateTriggers".
>>
>> This is workaround as it mixes authentication and authorization (among
>> other issues). But hopefully it can suit your needs.
>>
>> Marek
>>
>> On 23/02/17 07:19, Shane Boulden wrote:
>> > Hi everyone,
>> >
>> > I'm trying to figure out a fairly straight-forward problem set -
>> >
>> >     - I have a number of users in a Keycloak database, federated from an
>> >     LDAP provider with a READ_ONLY policy (i.e. I can't "disable" the users)
>> >     - I want to limit access to a client to only certain Keycloak users
>> >
>> > I thought this would be possible with a role that is shared by the client
>> > and the user. However, it looks like Keycloak lets the application itself
>> > determine access via a role:
>> > http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
>> >
>> > But what if I can't update the application's behaviour? E.g. if I want to
>> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any
>> > information from the OIDC provider?
>> >
>> > In this particular example, I don't want to limit the users in the Keycloak
>> > database - I want to sync all users from LDAP, but limit application access
>> > to only a subset.
>> >
>> > Any assistance is greatly appreciated.
>> >
>> > Shane
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>

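Shane asks whether the linked template is the way to build the authenticator, and Marek describes the check it should perform (known user, known client, deny if not permitted). The script below is an added example written for this thread, not code from the Keycloak template or the project; the client id "openshift", the client role "openshift-access", the `INVALID_USER` error code, and the assumption that Keycloak binds `user`, `LOG` and either `clientSession` or `authenticationSession` into the script scope are all assumptions to check against the Keycloak version in use.

```javascript
// Added example: a Keycloak script authenticator that denies one client to users
// who lack a client role. Put it LAST in a copy of the browser flow (after the
// user is authenticated) and mark it REQUIRED, as Marek suggests.
// Assumed: Keycloak binds `user`, `LOG` and `clientSession` (2.x/3.x) or
// `authenticationSession` (later) into the script, and exposes Java via `Java.type`.

// Restricted clients and the client role a user must hold for each (assumed names).
var POLICY = {
  "openshift": "openshift-access"
};

// Pure policy check, kept free of Keycloak objects so it can be tested offline.
// `hasClientRole(name)` reports whether the current user holds client role `name`.
function decide(clientId, hasClientRole, policy) {
  var requiredRole = policy[clientId];
  if (requiredRole === undefined) {
    return "allow";                 // unrestricted client: behaviour unchanged
  }
  return hasClientRole(requiredRole) ? "allow" : "deny";
}

// Resolve the Java enum lazily so the file also loads outside Keycloak (e.g. Node).
function flowError(name) {
  return (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")[name]
    : name;
}

// Entry point invoked by Keycloak's ScriptBasedAuthenticator.
function authenticate(context) {
  if (!user) {                      // must run after the user is known
    context.failure(flowError("INVALID_USER"));
    return;
  }
  var cs = (typeof authenticationSession !== "undefined") ? authenticationSession : clientSession;
  var client = cs.getClient();
  var clientId = client.getClientId();
  var hasClientRole = function (name) {
    var role = client.getRole(name); // ClientModel#getRole -> RoleModel or null
    return role !== null && user.hasRole(role);
  };
  if (decide(clientId, hasClientRole, POLICY) === "deny") {
    // Log the denial so unauthorised attempts are visible in the server log.
    LOG.warn("user " + user.getUsername() + " denied access to client " + clientId);
    context.failure(flowError("INVALID_USER"));
    return;
  }
  context.success();
}

// Second callback Keycloak looks for; this authenticator shows no form.
function action(context) {
  context.success();
}
```

Because the user is already authenticated when this runs, a denied user gets a failed login for that client only; other clients in the realm keep working.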
