Groups/Roles/Clients best practices
by Rashiq
Hi all,
First, a little introduction. I am currently tasked with deploying Keycloak as
an SSO solution for a middle-sized NGO. Keycloak seems like a perfect solution
for us, with capabilities to scale and support more elaborate set-ups as we
grow and new needs arise.
We will have a few thousand users in there, with varying access levels to
different tools we use. And we need to make our setup as simple as possible
(so that it's manageable) -- but not simpler.
We are also going to have several clients -- software that we want to
authenticate against our Keycloak instance. Each of these will have certain
resources available only to certain groups of users. For example, a discussion
forum might have certain topics locked and available only to certain groups;
or a data storage solution might have a certain set of data only available to
a certain group of users.
Now, most of the time, if a user is a member of a particular group, they get
access to all resources locked to this particular group in each of these
clients. However, we do have use-cases where a user should have access to a
group-locked resource in client A, but not in client B (while keeping access
to the more generally available resources in both clients).
This gets complicated fast, and we'd like to ask whether there are any best
practices we could look into and follow.
Right now my thinking is to have client roles related to each of the sets of
locked-down resources; then a realm-wide composite role getting all of the
client roles together for easier management of the most common use-case; then
a group to easily manage users who get the composite realm role (and thus, all
the client roles).
This way we could manage the most common use-case easily, but if there's a
user who should have access only to the particular locked-down resources in
*some* of the clients, we can also grant these more granularly. The actual
software that authenticates/authorizes against Keycloak would only have to
look for the client role, and wouldn't have to care about the realm role or
the group, or anything else.
Does this make sense? Perhaps we're missing some obvious solution, or perhaps
we're making some wrong assumptions somewhere.
Any suggestions much appreciated!
--
Regards,
rashiq
7 years, 4 months
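An added illustration (not from the post and not Keycloak's own code) of the layout Rashiq describes: client roles, a realm composite role bundling them, a group granting the composite, and a direct client-role grant for the partial-access case. Client ids, role names, group names and users are constructed; in Keycloak the server performs this expansion and emits the result as the `resource_access` claim of the access token, which is the only thing each client has to check.

```python
"""Toy model of group -> realm composite role -> client roles resolution."""
from dataclasses import dataclass, field

# Constructed data: client roles defined on each client.
CLIENT_ROLES = {
    "forum": {"restricted-topics"},
    "datastore": {"restricted-dataset"},
}

# Realm-wide composite role -> the client roles it bundles, as (client_id, role).
REALM_COMPOSITES = {
    "restricted-access": {("forum", "restricted-topics"),
                          ("datastore", "restricted-dataset")},
}

# Group -> realm roles mapped to the group (the common case is managed here).
GROUP_REALM_ROLES = {"restricted-members": {"restricted-access"}}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    direct_client_roles: set = field(default_factory=set)  # (client_id, role)


def effective_client_roles(user):
    """Expand group memberships through the composite, add direct grants, and
    return the result in the shape of Keycloak's `resource_access` claim."""
    granted = set(user.direct_client_roles)
    for group in user.groups:
        for realm_role in GROUP_REALM_ROLES.get(group, ()):
            granted |= REALM_COMPOSITES.get(realm_role, set())
    resource_access = {}
    for client_id, role in granted:
        if role not in CLIENT_ROLES.get(client_id, ()):
            raise ValueError(f"unknown role {role!r} on client {client_id!r}")
        resource_access.setdefault(client_id, {"roles": set()})["roles"].add(role)
    return resource_access


def client_allows(resource_access, client_id, role):
    """What each client does: look only at its own entry, ignore realm roles."""
    return role in resource_access.get(client_id, {}).get("roles", set())


def holders_of(users, client_id, role):
    """Access review: every user who ends up with a client role by any path."""
    return sorted(u.name for u in users
                  if client_allows(effective_client_roles(u), client_id, role))
```

With this shape, a user who should see restricted forum topics but not the restricted dataset is simply given the `forum` client role directly instead of the group, and the access review shows exactly that.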
Issue with Client Role Mapping on Keycloak 2.4.0 when integrating with ApacheDS
by Sumit Das
Hi
I am trying to create a mapper named "Client-Role-Mapper" of type
"role-ldap-mapper" for a specified client "Test Application" that is
present in my Realm. The Client role (cn=Test_User) is already present on
my ApacheDS LDAP server on DN: ou=TestRoles,dc=keycloak,dc=org. But on
the "Client ID" dropdown list, none of my clients are being shown. The only
option that is displayed is "Select one".
I am not able to solve this issue. Your earliest response is appreciated.
Regards
--
Sumit Das
Mobile No.- +91-9986872466
7 years, 4 months
Multi Tenant Keycloak Scale
by Raanan Gonen
Hi,
We are using Keycloak 1.7 for a multi-tenant environment where each tenant is a realm.
We have a cluster of 4 Keycloak servers, and we see severe performance degradation when we are using about 200 realms with 200 users each.
Is that the expected behavior of Keycloak?
Are there known issues with such a number of realms in Keycloak 1.7?
What should we do to be able to work with many more realms (we need about 2000)?
Thanks,
Raanan
7 years, 4 months
Check ownership of resource with keycloak Authorization
by Richard van Duijn
I'm investigating the possibility of securing my application with keycloak
using both Authentication and Authorization.
I was wondering if I can check ownership of a resource (i.e. a picture in a
database) with keycloak policies.
I see there is an example in the documentation using a Drools Policy which
checks the ownership of the resource, but that is limited to the client
being the owner of the resource.
What I'd like to accomplish is to see if userA has access to documentA. Can
the Drools engine query a database to fetch the required data field, or is
there another approach for this to be done?
Thanks for any pointers...
/Richard
7 years, 4 months
Spring boot and spring security adapters
by Brian Schwartz
I'm using the Keycloak 2.3.0.Final Spring Boot and Spring Security adapters.
The Spring Security adapter requires a keycloak.json file to be in WEB-INF,
but I don't have that or web.xml. How do I change where the Keycloak
adapter looks for keycloak.json?
7 years, 4 months
Password policy not enforced?
by Byte Flinger
I have set up Keycloak with the default realm and an OpenLDAP server.
I have then set a certain password policy and set an action on the users
that they need to change their password when they log in the next time. However,
when they log in and change their passwords, they are able to set a password
which does not comply with the password policy.
Anybody ran into this issue? Is this a known bug maybe?
7 years, 4 months
Spring Security Adapter - setting properties vs keycloak.json
by Matt H
When using the Spring Security Adapter, is it possible to set properties for the values and not use the keycloak.json file? Having the credentials.secret value stored in clear text is not an option for me. I already have a way to encrypt values and read them in my application, I just need to decrypt this value and set it. The only alternative I have is to dynamically generate the keycloak.json file at the start of my app, then set the property keycloak.configurationFile with this location.
Also, when reading the Securing Applications and Services guide, it states that the value for realm-public-key is OPTIONAL and should not be set since Keycloak rotates keys. However if the value is set, the adapter will not download the key. This seems like a good idea, but having keycloak generate the json file with this value seems bad. Most clients would just take the file that is generated by the keycloak UI then add it to their application without knowing this.
Matt
7 years, 5 months