Just bear in mind what I said about the fact that you are basically
allowing any tokens issues to any clients access to your restricted
resource.
On Wed, 30 Oct 2019 at 14:11, Niels Denissen <nielsdenissen(a)gmail.com>
wrote:
Hi Stian,
Thanks for your quick reply. In further researching the issue I’ve just
found that there is already functionality in Gatekeeper that does exactly
what I was trying to implement.
The option `—match-claims` allows for specifying only a specific user that
is allowed access in the following way (for my use-case):
`—match-claims=‘preferred_username=someusername’`.
Hope this helps anyone looking for this in the future.
Best regards,
Niels
On 30 Oct 2019, at 12:57, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Permitting individual users is not a good practice for several reasons and
is not something we should add to the Gatekeeper.
By allowing a specific user there is no way to limit access in different
tokens, which means that any token issued to the user will give access.
This is very contradictory to the whole OAuth/OIDC paradigm where you have
scoped tokens.
Further, it's hard to manage access for individual users in such a way.
Imagine the user should not have the access anymore. Now you have to update
config for Gatekeeper instead of removing the role from the user. It is
also not much overhead to add a role or a group for a user.
On Wed, 30 Oct 2019 at 11:00, Niels Denissen <nielsdenissen(a)gmail.com>
wrote:
> Hi,
>
> In a project I’m working on we need to restrict access to a certain
> resource (URL) to a single person only. We’re using keycloak-gatekeeper in
> front of this resource to restrict access.
> As far as I understand, in order to achieve this in the current
> architecture, this would involve creating a new group for each separate
> user and in keycloak-gatekeeper add this group to the list of allowed
> groups for this resource.
> As this involves creating a group for each user (lots of overhead), I
> envisioned a new filter in the keycloak-gatekeeper project for resources
> based on `AllowedUsers` (next to the existing ones for e.g. roles and
> groups). This would allow us to specify for any given resource, the user
> that is allowed access to it specifically. I’ve created some initial code
> for this in a fork (
>
https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714...
> <
>
https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714...>)
> and am looking for some feedback of the community to see if I missed any
> other way to solve this problem and whether such a feature seems
> interesting to others as well.
>
> Any help is appreciated!
>
> Thanks,
> Niels
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev