Thanks Dmitry for quick response.
I have raised [KEYCLOAK-7753] Need view/manage realm access for creating identity provider
- JBoss Issue Tracker for the same.
Agree with you that disabling in the Admin console UI will not be a great idea. Is there
any standard practice/documentation for selectively restricting REST APIs? As far as I
read the documentation, the recommendation seems to be to customize REST endpoints or not
deploy them at all..
On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt(a)acutus.pro> wrote:
Madhu,
I think that initially this was supposed to work without "manage-realm" role. If
you grant a user "manage-identity-providers" role only, you'll see a perfect
picture in the GUI: just the "Identity providers" section, and nothing more.
However if you try to actually add a provider, you'll get a 403 Forbidden upon a
request to /auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs to retrieve a list of
authentication flows for the realm. Unfortunately, in the REST resource it is hardcoded
that the user needs to be checked for "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is indeed too
wide for the flows endpoint. I'd suggest that the restriction be changed to
"view-realm OR manage-identity-providers". You can create a JIRA issue for that,
and at the moment resort to one of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and recompile Keycloak (easier to
do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions, then create a custom GUI
theme to use that endpoint instead of the standard one.
Please note that granting manage-realm + manage-identity-providers and tweaking the GUI
theme to exclude unwanted elements is generally a bad idea, since a rogue user will still
be able to directly invoke REST endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant here, but
let's see what Pedro Igor says on that.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info@acutus.pro
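To make the two points in the reply above concrete (the flows endpoint rejecting a "manage-identity-providers"-only user, and hiding tabs in the console being no substitute for the server-side check), here is an added example that is not Keycloak's code and not part of the thread: a small Python model of the admin REST authorization decision. The endpoint paths, the rule table and the assumption that "manage-realm" also satisfies a "view-realm" check are mine, chosen to mirror the behaviour described in the messages.

```python
"""Added example, not Keycloak source: a miniature model of the admin REST
permission check discussed in the thread. It shows (a) why a user holding only
manage-identity-providers gets 403 on the flows endpoint today, (b) what the
proposed "view-realm OR manage-identity-providers" rule changes, and (c) why
hiding a console tab does not change what the server allows.
"""
from dataclasses import dataclass

# Realm-management role names as used in the thread.
VIEW_REALM = "view-realm"
MANAGE_REALM = "manage-realm"
MANAGE_IDP = "manage-identity-providers"

# Simplified endpoint templates (assumption: paths are illustrative only).
FLOWS = "GET /admin/realms/{realm}/authentication/flows"
CREATE_IDP = "POST /admin/realms/{realm}/identity-provider/instances"
CREATE_ROLE = "POST /admin/realms/{realm}/roles"


@dataclass(frozen=True)
class Rule:
    endpoint: str
    any_of: frozenset  # caller must hold at least one of these roles


# Model assumption: a "view" requirement is satisfied by the matching "manage"
# role as well, so manage-realm passes where view-realm is required.
CURRENT_RULES = (
    Rule(FLOWS, frozenset({VIEW_REALM, MANAGE_REALM})),
    Rule(CREATE_IDP, frozenset({MANAGE_IDP})),
    Rule(CREATE_ROLE, frozenset({MANAGE_REALM})),
)

# The change suggested in the thread: relax only the flows endpoint.
PROPOSED_RULES = (
    Rule(FLOWS, frozenset({VIEW_REALM, MANAGE_REALM, MANAGE_IDP})),
    Rule(CREATE_IDP, frozenset({MANAGE_IDP})),
    Rule(CREATE_ROLE, frozenset({MANAGE_REALM})),
)


def authorize(rules, endpoint, caller_roles):
    """Return the HTTP status the modelled admin API would answer:
    200 if the caller holds one of the required roles, 403 otherwise,
    404 if no rule covers the endpoint."""
    for rule in rules:
        if rule.endpoint == endpoint:
            return 200 if rule.any_of & set(caller_roles) else 403
    return 404


def create_idp_via_console(rules, caller_roles):
    """Replay the two requests the console makes when adding a provider:
    it first loads the flows list for the form, then posts the provider.
    Returns the first non-200 status, or 200 if both calls succeed."""
    for endpoint in (FLOWS, CREATE_IDP):
        status = authorize(rules, endpoint, caller_roles)
        if status != 200:
            return status
    return 200


def direct_call_bypasses_hidden_tab(rules, caller_roles):
    """Model the 'hide the Roles tab in the theme' workaround: the tab is
    gone from the UI, but a direct request to the roles endpoint is still
    judged purely by the caller's roles. Returns that status."""
    tab_visible = False  # theme tweak hides the tab; irrelevant to the server
    assert not tab_visible
    return authorize(rules, CREATE_ROLE, caller_roles)


if __name__ == "__main__":
    idp_only = [MANAGE_IDP]
    print("flows, current rules, manage-identity-providers only:",
          authorize(CURRENT_RULES, FLOWS, idp_only))            # 403
    print("console add-provider, proposed rules:",
          create_idp_via_console(PROPOSED_RULES, idp_only))      # 200
    print("hidden Roles tab, manage-realm user, direct POST:",
          direct_call_bypasses_hidden_tab(CURRENT_RULES, [MANAGE_REALM, MANAGE_IDP]))  # 200
```

The point of `direct_call_bypasses_hidden_tab` is the one made in the reply: the decision depends only on the roles carried by the caller's token, so a theme that removes a tab changes nothing about what the REST layer permits, and the only real fix is the rule itself.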
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
Hi,
I want to disable Client, Realm management, Authentication and Roles and want to
create a user who will be able to provide only Identity provider/broker integration. I
understand the user needs to be in manage-identity-providers and manage-realm for doing this
activity. But with manage-realm the user also has access to the role creation, authentication and
realm setting tabs. Any way to disable these, without going for customized themes or
changing the FTL? I am looking for an authorization model based solution.
Regards,
Madhu
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user