Hi Stian,
Thanks for your quick reply. In further researching the issue I’ve just found that there
is already functionality in Gatekeeper that does exactly what I was trying to implement.
The option `—match-claims` allows for specifying only a specific user that is allowed
access in the following way (for my use-case):
`—match-claims=‘preferred_username=someusername’`.
Hope this helps anyone looking for this in the future.
Best regards,
Niels
On 30 Oct 2019, at 12:57, Stian Thorgersen
<sthorger(a)redhat.com> wrote:
Permitting individual users is not a good practice for several reasons and is not
something we should add to the Gatekeeper.
By allowing a specific user there is no way to limit access in different tokens, which
means that any token issued to the user will give access. This is very contradictory to
the whole OAuth/OIDC paradigm where you have scoped tokens.
Further, it's hard to manage access for individual users in such a way. Imagine the
user should not have the access anymore. Now you have to update config for Gatekeeper
instead of removing the role from the user. It is also not much overhead to add a role or
a group for a user.
On Wed, 30 Oct 2019 at 11:00, Niels Denissen <nielsdenissen(a)gmail.com
<mailto:nielsdenissen@gmail.com>> wrote:
Hi,
In a project I’m working on we need to restrict access to a certain resource (URL) to a
single person only. We’re using keycloak-gatekeeper in front of this resource to restrict
access.
As far as I understand, in order to achieve this in the current architecture, this would
involve creating a new group for each separate user and in keycloak-gatekeeper add this
group to the list of allowed groups for this resource.
As this involves creating a group for each user (lots of overhead), I envisioned a new
filter in the keycloak-gatekeeper project for resources based on `AllowedUsers` (next to
the existing ones for e.g. roles and groups). This would allow us to specify for any given
resource, the user that is allowed access to it specifically. I’ve created some initial
code for this in a fork
(
https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714...
<
https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714...
<
https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714...
<
https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714...)
and am looking for some feedback of the community to see if I missed any other way to
solve this problem and whether such a feature seems interesting to others as well.
Any help is appreciated!
Thanks,
Niels
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<
https://lists.jboss.org/mailman/listinfo/keycloak-dev>