[keycloak-user] Enabling Identity provider alone

Madhu kkcmadhu at yahoo.com
Mon Jul 2 07:42:34 EDT 2018


Thanks Dmitry for the quick response.
I have raised KEYCLOAK-7753 ("Need view/manage realm access for creating identity provider") in the JBoss Issue Tracker for the same.

Agree with you that disabling in the Admin Console UI will not be a great idea. Is there any standard practice/documentation for selectively restricting REST APIs? As far as I read the documentation, the recommendation seems to be to customize REST endpoints or not deploy them at all.

On Monday, 2 July 2018, 4:08:27 PM IST, Dmitry Telegin <dt at acutus.pro> wrote:

 Madhu,
I think that initially this was supposed to work without the "manage-realm" role. If you grant a user the "manage-identity-providers" role only, you'll see a perfect picture in the GUI: just the "Identity providers" section, and nothing more. However, if you try to actually add a provider, you'll get a 403 Forbidden upon a request to the /auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs to retrieve a list of authentication flows for the realm. Unfortunately, in the REST resource it is hardcoded that the user needs to be checked for "view-realm" role (see org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
I think this is a perfect candidate for an RFE, since "view-realm" is indeed too wide for the flows endpoint. I'd suggest that the restriction be changed to "view-realm OR manage-identity-providers". You can create a JIRA issue for that, and at the moment resort to one of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and recompile Keycloak (easier to do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions, then create a custom GUI theme to use that endpoint instead of the standard one.
Please note that granting manage-realm + manage-identity-providers and tweaking the GUI theme to exclude unwanted elements is generally a bad idea, since a rogue user will still be able to directly invoke REST endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant here, but let's see what Pedro Igor says on that.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
Hi,
I want to disable Client, Realm management, Authentication and Roles and want to create a user who will be able to provide only Identity provider/broker integration. I understand the user needs to be in manage-identity-providers and manage-realm for doing this activity. But with manage-realm the user also has access to the role creation, authentication and realm setting tabs. Any way to disable these, without going for customized themes or changing the FTL? I am looking for an authorization model based solution.
Regards,
Madhu
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
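Dmitry's last point in the quoted reply is the one worth acting on: hiding tabs in the theme is not authorization, the admin REST endpoints are. The script below is an added example (not from the thread and not Keycloak project code) that checks this directly: it logs in as the restricted user and GETs the admin endpoints the thread talks about, reporting whether each came back allowed or denied, so you can confirm that a manage-identity-providers-only user really is blocked from flows, roles, clients and realm settings at the REST layer. It assumes the legacy /auth URL prefix seen in the thread, a realm-local user in the realm being administered, the realm's built-in admin-cli client with the password grant, and the expected outcomes listed in PROBES (only the 403 on authentication/flows is taken from the thread; the rest are the author's assumptions about the default role checks).

```python
"""Probe which Keycloak admin REST endpoints a restricted admin user can actually call.

Added example for the thread above, not Keycloak project code. Assumptions:
  * legacy /auth URL prefix (as in the thread's /auth/admin/realms/... URL);
  * the restricted user lives in the realm being administered and logs in through
    that realm's built-in admin-cli client with the password grant.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# (path relative to /admin/realms/{realm}, outcome a manage-identity-providers-only
#  user is expected to get). "denied" on authentication/flows is the 403 from the
#  thread; the other expectations are assumptions about Keycloak's default role checks.
PROBES = [
    ("identity-provider/instances", "allowed"),
    ("authentication/flows", "denied"),
    ("roles", "denied"),
    ("clients", "denied"),
    ("", "denied"),  # GET on the realm itself: realm settings
]


def classify(status):
    """Map an HTTP status to the coarse outcome the audit compares against."""
    if 200 <= status < 300:
        return "allowed"
    if status in (401, 403):
        return "denied"
    return "other(%d)" % status


def audit(fetch, probes=PROBES):
    """Run every probe through fetch(path) -> HTTP status.

    Returns (path, expected, observed, matches) tuples so a deployment check can
    fail when the REST layer is more permissive than the role model intends.
    """
    results = []
    for path, expected in probes:
        observed = classify(fetch(path))
        results.append((path, expected, observed, observed == expected))
    return results


def get_token(base_url, realm, username, password, client_id="admin-cli"):
    """Password grant against the realm's token endpoint; returns the access token."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    url = "%s/realms/%s/protocol/openid-connect/token" % (base_url, realm)
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=10) as resp:
        return json.load(resp)["access_token"]


def make_fetch(base_url, realm, token):
    """Build a fetch(path) callable that GETs an admin endpoint and returns its status."""
    def fetch(path):
        url = ("%s/admin/realms/%s/%s" % (base_url, realm, path)).rstrip("/")
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 401/403 are raised as exceptions by urllib
    return fetch


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python probe.py https://sso.example.com/auth myrealm broker-admin
    base, realm, user = sys.argv[1:4]
    tok = get_token(base, realm, user, getpass.getpass())
    for path, expected, observed, ok in audit(make_fetch(base, realm, tok)):
        print("%-4s %-30s expected=%-8s observed=%s"
              % ("ok" if ok else "DIFF", path or "(realm)", expected, observed))
```

Any line marked DIFF means the user's effective permissions at the REST layer differ from what you intended, regardless of what the Admin Console shows; the audit() function takes the fetch callable as a parameter so the same comparison can run against recorded responses in a CI job.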