I can think of some workarounds. For example, create an
Authenticator, which will be added to the bottom of the authentication
flow. The Authenticator will throw an exception in case an unpermitted
user is trying to authenticate to the client corresponding to your
OpenShift application. You have the user available (he is already
authenticated) and you also have the client (it can be determined based on
the clientId).
Maybe even easier is to do that in a custom RequiredActionProvider and do
this check in "evaluateTriggers".
This is a workaround as it mixes authentication and authorization (among
other issues). But hopefully it can suit your needs.
Marek
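Marek's first suggestion, an authenticator executed as the last step of the browser flow that compares the already-authenticated user against the client being logged into, sketched as an added example. This is not code from the thread or from the Keycloak project: the package name, the class and provider id (`client-role-gate`) and the client role name (`login`) are assumptions, and it is written against the Keycloak authentication SPI as it exists in releases newer than this 2017 thread (those releases reach the client through `getAuthenticationSession()`; older ones used `getClientSession()`).

```java
package example.keycloak; // hypothetical package; not part of the thread or of Keycloak

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Authenticator meant for the LAST execution of the browser flow. By then
 * the user is authenticated, so this step can decide, per client, whether
 * that user may finish logging in, and fail the flow if not.
 */
public class ClientRoleGateAuthenticator implements Authenticator {

    /** Hypothetical client-role name that grants permission to log in to that client. */
    static final String REQUIRED_CLIENT_ROLE = "login";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();                                  // already authenticated
        ClientModel client = context.getAuthenticationSession().getClient(); // client from the OIDC request
        // Releases from around the date of this thread exposed the client via
        // context.getClientSession().getClient() instead.

        RoleModel gate = client.getRole(REQUIRED_CLIENT_ROLE);
        if (gate == null) {
            // Client defines no gate role: leave it open; only gated clients are restricted.
            context.success();
            return;
        }
        if (user.hasRole(gate)) { // hasRole also follows composite and group role mappings
            context.success();
            return;
        }
        // Abort the login: the flow ends with an error page and a failed-login event.
        context.failure(AuthenticationFlowError.ACCESS_DENIED);
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form to process */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }

    /** Factory; register it in META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "client-role-gate"; // hypothetical provider id
        private static final Requirement[] CHOICES = { Requirement.REQUIRED, Requirement.DISABLED };
        private static final Authenticator SINGLETON = new ClientRoleGateAuthenticator();

        @Override public String getId() { return ID; }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public String getDisplayType() { return "Client Role Gate"; }
        @Override public String getReferenceCategory() { return null; }
        @Override public boolean isConfigurable() { return false; }
        @Override public Requirement[] getRequirementChoices() { return CHOICES; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() {
            return "Denies login to users lacking the client role '" + REQUIRED_CLIENT_ROLE + "'.";
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Two points worth checking when deploying something like this: the gate only protects flows it is bound to, so a client that can also obtain tokens through direct access grants or another flow needs the same execution there; and because the check runs at authentication time, a role removed after login is not re-evaluated until the user authenticates again (existing sessions and refresh tokens keep working), which is one face of the authentication/authorization mixing Marek points out.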
On 23/02/17 07:19, Shane Boulden wrote:
Hi everyone,
I'm trying to figure out a fairly straight-forward problem set -
- I have a number of users in a Keycloak database, federated from an
LDAP provider with a READ_ONLY policy (i.e. I can't "disable" the
users)
- I want to limit access to a client to only certain Keycloak users
I thought this would be possible with a role that is shared by the client
and the user. However, it looks like Keycloak lets the application itself
determine access via a role:
http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
But what if I can't update the application's behaviour? E.g. if I want to
integrate Keycloak with OpenShift, and OpenShift doesn't consume any
information from the OIDC provider?
In this particular example, I don't want to limit the users in the Keycloak
database - I want to sync all users from LDAP, but limit application access
to only a subset.
Any assistance is greatly appreciated.
Shane
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user