Madhu,
I think that initially this was supposed to work without "manage-realm"
role. If you grant a user "manage-identity-providers" role only, you'll
see a perfect picture in the GUI: just the "Identity providers"
section, and nothing more. However if you try to actually add a
provider, you'll get a 403 Forbidden upon a request to
/auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs to
retrieve a list of authentication flows for the realm. Unfortunately,
in the REST resource it is hardcoded that the user needs to be checked
for "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is
indeed too wide for the flows endpoint. I'd suggest that the
restriction be changed to "view-realm OR manage-identity-providers".
You can create a JIRA issue for that, and at the moment resort to one
of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and
  recompile Keycloak (easier to do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions,
  then create a custom GUI theme to use that endpoint instead of the
  standard one.
Please note that granting manage-realm + manage-identity-providers and
tweaking the GUI theme to exclude unwanted elements is generally a bad
idea, since a rogue user will still be able to directly invoke REST
endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant
here, but let's see what Pedro Igor says on that.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info@acutus.pro
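The 403 described above is easy to confirm empirically before filing the RFE. The following probe is an added example, not code from the thread or from the Keycloak project: with a test user that holds only the manage-identity-providers role, it obtains a token through the realm's built-in admin-cli client (password grant, lab use only), issues read-only GET requests to the flows endpoint named in the thread and to the identity-provider instances endpoint (the latter is an assumption about which admin API the same form calls), and interprets the status codes. The legacy /auth context path matches the URL quoted above.

```python
"""Probe which Keycloak admin REST endpoints a limited admin user can reach.

Added example (not from the mailing-list thread). Assumes a Keycloak with
the legacy /auth context path, the built-in admin-cli public client with
the password grant enabled, and a test user holding only the
manage-identity-providers realm-management role. Only GET requests are sent.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoints the "add identity provider" GUI form depends on. The flows URL
# is the one from the thread; the identity-provider URL is an assumption
# about the admin API the same form calls to list existing providers.
ENDPOINTS = {
    "flows": "/auth/admin/realms/{realm}/authentication/flows",
    "idp_instances": "/auth/admin/realms/{realm}/identity-provider/instances",
}


def build_probe_urls(base_url: str, realm: str) -> dict:
    """Return endpoint name -> absolute URL for the realm under test."""
    base = base_url.rstrip("/")
    realm_q = urllib.parse.quote(realm, safe="")
    return {name: base + path.format(realm=realm_q) for name, path in ENDPOINTS.items()}


def get_token(base_url: str, realm: str, username: str, password: str) -> str:
    """Resource-owner password grant against admin-cli (lab use only)."""
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "client_id": "admin-cli", "grant_type": "password",
        "username": username, "password": password,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def probe_status(url: str, token: str) -> int:
    """GET the URL with a bearer token and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def interpret(statuses: dict) -> dict:
    """Map per-endpoint HTTP statuses to findings about the role grant.

    statuses: e.g. {"flows": 403, "idp_instances": 200}, as returned by probe().
    """
    flows = statuses.get("flows")
    idp = statuses.get("idp_instances")
    findings = {"can_list_idps": idp == 200, "can_list_flows": flows == 200}
    if idp == 200 and flows == 403:
        findings["verdict"] = ("manage-identity-providers alone: provider list works, "
                               "but the add-provider form will fail on the flows lookup")
    elif idp == 200 and flows == 200:
        findings["verdict"] = ("both reachable: the user holds view-realm or wider "
                               "(check that manage-realm was not granted)")
    elif idp in (401, 403):
        findings["verdict"] = "user cannot manage identity providers at all"
    else:
        findings["verdict"] = f"unexpected statuses: {statuses}"
    return findings


def probe(base_url: str, realm: str, username: str, password: str) -> dict:
    """Fetch a token and return {endpoint name: HTTP status} for the realm."""
    token = get_token(base_url, realm, username, password)
    return {name: probe_status(url, token)
            for name, url in build_probe_urls(base_url, realm).items()}


if __name__ == "__main__":
    # usage: python probe_idp_admin.py https://kc.example.test myrealm idpadmin 's3cret'
    base, realm, user, pw = sys.argv[1:5]
    print(json.dumps(interpret(probe(base, realm, user, pw)), indent=2))
```

Running it once with the single-role user and once after adding view-realm shows the boundary directly: the first run reports the flows lookup as forbidden, the second reports both endpoints reachable. The `interpret` step is kept separate from the HTTP calls so the same decision logic can be unit-tested with constructed status maps.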
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
Hi,
I want to disable client, Realm management, Authentication and Roles
and want to create a user who will be able to provide only Identity
provider/broker integration.
I understand user needs to be in manage-identity-providers and
manage-realm for doing this activity. But with manage-realm user also
has access to role creation, authentication and realm setting tabs. Any
way to disable these, without going for customized themes or changing
the FTL?
I am looking for authorization model based solution.
Regards,
Madhu
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user