I've added support for Dynamic client registration policies to the master.
Summary of changes:
* Admin console tab "Initial Access Tokens" was renamed to "Client
Registrations" . It has 2 subtabs now "Initial Access Tokens" and
"Client Registration Policies" .
* Previous "Trusted hosts" stuff was renamed from UI (still need to do
some model cleanup...)
* Client Registration Policies tab exposes the configured client
registration policies for the realm. I've added new
ClientRegistrationPolicy SPI based on generic component model.
* There are 2 kinds of client registration policies.
** Authenticated - Those are used when clientRegistration request with
initial-access-token or with bearer-token comes.
** Anonymous - Those are used when clientRegistration request without
initial-access-token or without bearer-token comes. Also it's used for
update requests with registrationToken for clients, which were
registered through anonymous registration.
* Implementations of clientRegistrationPolicies:
** TrustedHostClientRegistrationPolicy - Allows to configure trusted
hosts (by IP Address or by hostname) and domains. ClientRegistration
request needs to come from some trusted host or domain, otherwise it's
rejected. Also all the client uris (redirect_uris etc) needs to match
some trusted host or domain. By default there is not any trusted host
configured. Hence anonymous clientRegistrations, which uses this policy
by default, are always rejected by default unless you specify some
trusted host.
** ConsentRequiredClientRegistrationPolicy - newly registered clients
will automatically have consentRequired enabled. Also it's not possible
to update them to switch consentRequired to off.
** ScopeClientRegistrationPolicy - newly registered clients will
automatically have fullScopeAllowed disabled. Also it's not possible to
update them to switch fullScopeAllowed to on.
** ProtocolMapperClientRegistrationPolicy - newly registered clients
can't use any protocolMapper implementations besides those, which are
whitelisted. By default, the whitelisted includes few types, mostly
those which we already as builtin mappers (User Property Mapper, USer
Attribute Mapper, Full name mapper etc)
** ClientTemplateClientRegistrationPolicy - newly registered or updated
clients can't have any clientTemplate, which is not whitelisted. By
default, there is not any whitelisted clientTemplate
* Authenticated policies - There are 2 policies by default. One for
protocol mappers and one for clientTemplate.
* Anonymous policies - Contains all 5 policies configured. In other
words, newly registered clients need to come from trusted hosts, have
fullScopeAllowed disabled and consentRequired enabled and can't have
non-whitelisted protocolMappers and clientTemplates.
* Some generic changes:
** Added 2 types of ProviderConfigProperty
*** MultivaluedString - allows to specify more string values of some
attribute. Something like redirectUris or webOrigins for client.
*** MultivaluedList - allows to specify more string values, which needs
to be selected from the list of pre-defined allowed values. Something
like "requiredActions" for user.
** Added field "subType" to ComponentModel. This is because for
clientRegistrationPolicies, I have 2 kinds of policies with same type
and same parentId (same realm), but I still need to differentiate
between them.
Remaining TODOs (maybe some more based on feedback) :
* It seems I broke Wildfly distribution. I will fix ASAP today.
* I've just created KEYCLOAK-3712 Client Registration limitations - In
shortcut, our default implementations of ClientRegistrationProvider
doesn't allow to CRUD client roles, scope mappings, service account
roles or authorization settings of client. It also doesn't allow to
update of protocolMappers. Not sure if we need to address this for this
release? If yes, then Scope policy should be enhanced to also support
whitelisting of scoped roles.
* Some cleanup (logging messages, cleanup of infinispan model for
previous "trusted hosts" thing)
* Docs
Marek
Show replies by date