[keycloak-user] Give access to his account to a client
François Gourrier
francois.gourrier at libre-logic.fr
Fri Mar 8 05:12:29 EST 2019
Hello Michal,
Thank you for your answer which actually seems to be a very good track of resolution !
The version I'm using is 4.8, I'm going to deploy the last one.
Best regards,
François
De: "Michal Hajas" <mhajas at redhat.com>
À: "Francois Gourrier" <francois.gourrier at libre-logic.fr>
Cc: keycloak-user at lists.jboss.org
Envoyé: Vendredi 8 Mars 2019 10:55:56
Objet: Re: [keycloak-user] Give access to his account to a client
Hi Francois,
first of all, please make sure you are using the latest version of Keycloak. In upstream there was recently a bugfix [1] which may relate to your issue.
I tried to follow your steps and it worked for me, so please check that group policy is correctly assigned to manage permission in Permissions tab and also check whether user really belongs to admin group.
If you are sure that everything is set correctly and you are still not able to make it work, feel free to send me your realm exported to json and I can look at it. [2]
My settings:
I created client1 & client2 and user1 & user2 (passwords: pass).
- User1 is able to manage client1 because he is part of admin group and Client1 has configured admin-group-membership policy.
- User2 is able to manage Client1 because he is also part of admin-group and Client2 because it is configured with User policy which permits User2 to manage it.
Best regards,
Michal Hajas
[1] https://issues.jboss.org/browse/KEYCLOAK-9489
[2] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
On Thu, Mar 7, 2019 at 6:09 PM François Gourrier < francois.gourrier at libre-logic.fr > wrote:
Hello everyone,
i find the anwser by myself to my question.
I followed the instructions given for "fine grained permissions" here: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
But I do not have the expected result.
Here is my configuration :
- I created a group "admin" and gave it the role "query-client" on the client "realm-management" of the kingdom concerned
- For the client "Test" for which I wish to give access (for management) to a dedicated user, I created a policy with the right to manage for the group concerned "admin", via the "permissions" tab.
- I added the relevant user "Test" in this group "admin.
And the result is: "Forbidden.You do not have access to the requested resource" ...
If I add the role "view-ream" to the group "admin" on the client "realm-management" of the kingdom concerned, it's OK, but the user "test" also reads the whole configuration of the kingdom, which is not desirable.
Did I miss something?
thank you in advance
----- Mail original -----
De: "Francois Gourrier" < francois.gourrier at libre-logic.fr >
À: keycloak-user at lists.jboss.org
Envoyé: Mercredi 27 Février 2019 15:59:33
Objet: [keycloak-user] Give access to his account to a client
Hello everyone,
we are currently using keycloak. We created several clients on a realm. To simplify the management of URIs, we would like to give the management of his account to each client.
T he REST API allows to modify the account but it is not necessary that a customer can go to see the configuration of the other customers, which is nevertheless possible if he has the rights of access to the service (unless one can restrict access to a client).
Another track would be that a customer connects to his account via the back office.
A track to meet the need?
Thank you in advance.
François GOURRIER
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list