Team,
I am having an issue with Keycloak HA with MySQL. So I have configured 2 Keycloak docker
instances and one MySQL instance.
And created an admin user from the add-user script in Keycloak on both instances. So when I
create a Realm on one instance it does not reflect on the other until I restart the other one.
But when I delete the Realm it is deleted on both in real time.
Could anyone help me on this? It's a little urgent.
Regards
Abhinav D
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Pablo Fernandez
Sent: Thursday, August 17, 2017 12:06 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Restrict access from web app client
Dear Simon,
Thanks for your reply.
I am not quite sure your proposal would work in our case (or maybe I don't understand
it): do you mean that the client will ask for a specific audience to be put inside the
token, and that the other service providers would have to check that the claim is targeted
at the right audience? That creates a big overhead if you have many SPs, which we do.
And anyway, how can you limit a certain client to being issued tokens for a certain audience
within Keycloak? And furthermore, how can I limit access to the /accounts API on
Keycloak for a token given to certain clients?
It would be great to have a mechanism inside Keycloak to limit the scopes of the various
clients directly, without extra work on the clients or the SPs. Am I assuming something
that is wrong? What is the Authorization tab (and/or the Scopes one) for?
Thanks a lot again,
BR/Pablo
On 16/08/17 15:20, Simon Payne wrote:
Pablo,
I'm not sure whether this will be your solution directly, but I found
out recently that the 'aud' claim in the token is there to represent the audience.
Now, when I used the spring-security-oauth client library I found that
it validated the resourceId against this aud claim.
I thought it an unnecessary constraint at the time, but maybe it could
be used to restrict access by tokens which, although they may have the
correct scope, have been issued to the incorrect or otherwise unknown client?
Simon.
On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez
<pablo.fernandez(a)cscs.ch>
wrote:
> Dear Keycloakers,
>
> I am (almost) new to Keycloak and having trouble, and I thought I
> should ask you after exhausting other options, so here I am.
>
> What I would like to find is a way to keep certain web apps (with
> a registered client in Keycloak) from accessing any other client that
> they are not supposed to. Specifically, I have an oidc client named 'keystone'
> that handles all OpenStack authentication and another oidc client
> 'simplewebapp' that is a webapp that I want to give access to 'keystone'
> while NOT giving access to any of the other clients (e.g. account,
> admin-cli, broker, etc.)
>
> Is there a way to do this?
>
> I thought about Scopes, but I see they are basically linked to Roles
> that I think have nothing to do with what I am doing (I tried, though,
> creating new roles, but it seems to me they don't prevent anything
> from happening). If I have to use Scopes, then how? Is there a Role
> that I can use to deny - or exclusively grant - access to another
> client? I also tried changing the Default Policy in the 'keystone'
> Authorization tab to something like this (the opposite of what I
> wanted to do, to make it fail and see if I can use this mechanism), without success:
>
> ---
> // by default, grants any permission associated with this policy
> //$evaluation.grant();
> var context = $evaluation.getContext();
> var contextAttributes = context.getAttributes();
> // kc.client.id is the client the token was issued to: deny that one client,
> // grant everyone else. grant() must stay in the else branch, because a later
> // unconditional grant() overrides the effect set by deny().
> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
>     $evaluation.deny();
> } else {
>     $evaluation.grant();
> }
> ---
>
> I googled and browsed and tried many different setting combinations
> without success, so I hope someone here could give me a hint.
>
> Thanks!
> Pablo Fernandez
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
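The audience check Simon describes, as an added example that is not part of the thread and not Keycloak's or spring-security-oauth's own code. A resource server ('keystone' below, the client name from Pablo's message) rejects any token whose 'aud' claim does not name it, so a token issued to 'simplewebapp' for another audience cannot be replayed against it. To run offline, the tokens are constructed here and HS256-signed with a demo secret; that is an assumption for the example only. Keycloak signs access tokens with the realm's RS256 key, and a real resource server verifies against the realm's JWKS endpoint instead. The realm URL is also assumed.

```python
"""Audience ('aud') validation for Keycloak-style access tokens.

Added example: constructed tokens, HS256 with a demo secret, fixed clock.
Keycloak itself uses RS256 with realm keys; swap the signature check for
JWKS-based RS256 verification in a real resource server.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

DEMO_SECRET = b"constructed-demo-secret"  # assumption: not a real Keycloak key
ISSUER = "https://keycloak.example.com/auth/realms/demo"  # assumed realm URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenRejected(Exception):
    """Raised when a token must not be accepted by this resource server."""


def verify_token(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Check signature, issuer, expiry and audience; return claims or raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never accept 'none' or a surprise alg
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise TokenRejected("expired")
    # RFC 7519: 'aud' is a single string or an array of strings. 'azp' only says
    # which client requested the token; the resource server must check 'aud'.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in audiences:
        raise TokenRejected(f"token not intended for {expected_aud}: aud={aud!r}")
    return claims


def demo_results() -> dict:
    """Run 'keystone' against four constructed tokens and report each outcome."""
    now = 1_500_000_000  # fixed clock so results are reproducible
    base = {"iss": ISSUER, "sub": "pablo", "azp": "simplewebapp", "exp": now + 300}
    tokens = {
        "good": mint_token({**base, "aud": "keystone"}),
        "multi": mint_token({**base, "aud": ["keystone", "account"]}),
        "wrong": mint_token({**base, "aud": "account"}),
    }
    # Tampering: rewrite the payload of 'wrong' to claim aud=keystone but keep
    # the old signature, as an attacker without the key would have to.
    h, _, s = tokens["wrong"].split(".")
    forged_payload = _b64url(json.dumps({**base, "aud": "keystone"}).encode())
    tokens["tampered"] = f"{h}.{forged_payload}.{s}"

    results = {}
    for name, tok in tokens.items():
        try:
            verify_token(tok, "keystone", now=now)
            results[name] = "accepted"
        except TokenRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo_results().items():
        print(f"{name:9s} {outcome}")
```

Only the tokens whose 'aud' names 'keystone' (as a string or inside an array) pass; a token minted for 'account' is refused even though it is otherwise valid, and editing the payload without the signing key fails the signature check before the audience is even read.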