2:19 a.m.
Hi ,
I want to disable client, Realm management, Authentication and Roles and want to create a
user who will be able to provide only Identity provider/broker integration.
I understand user needs to be in manage-identity-providers and manage-realm for doing
this activity. But with manage realm user also has access to role creation,authenciation
and realm setting tabs. Any way to disable these, without going for customized themes or
changing the FTL?
I am looking for authorization model based solution.
Regards,Madhu
5:38 a.m.
Madhu,
I think that initially this was supposed to work without "manage-realm"
role. If you grant a user "manage-identity-providers" role only, you'll
see a perfect picture in the GUI: just the "Identity providers"
section, and nothing more. However if you try to actually add a
provider, you'll get a 403 Forbidden upon a request to
/auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs to
retrieve a list of authentication flows for the realm. Unfortunately,
in the REST resource it is hardcoded that the user needs to be checked
for "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResource:
:getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is
indeed too wide for the flows endpoint. I'd suggest that the
restriction be changed to "view-realm OR manage-identity-providers".
You can create a JIRA issue for that, and at the moment resort to one
of the workarounds:- fix AuthenticationManagementResource::getFlows
yourself and recompile Keycloak (easier to do, but harder to
maintain);- create a custom REST endpoint for flows with relaxed
permissions, then create a custom GUI theme to use that endpoint
instead of the standard one.
Please note that granting manage-realm + manage-identity-providers and
tweaking the GUI theme to exclude unwanted elements is generally a bad
idea, since a rogue user will still be able to directly invoke REST
endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant
here, but let's see what Pedro Igor says on that.
Cheers,Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info@acutus.pro
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
Hi ,
I want to disable client, Realm management, Authentication and Roles
and want to create a user who will be able to provide only Identity
provider/broker integration.
I understand user needs to be in manage-identity-providers and
manage-realm for doing this activity. But with manage realm user also
has access to role creation,authenciation and realm setting tabs. Any
way to disable these, without going for customized themes or changing
the FTL?
I am looking for authorization model based solution.
Regards,Madhu
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:42 a.m.
Thanks Dmitry for quick response.
I have raised [KEYCLOAK-7753] Need view/manage realm access for creating identity provider
- JBoss Issue Tracker for the same.
|
|
| |
[KEYCLOAK-7753] Need view/manage realm access for creating identity prov...
|
|
|
Agree with you that disabling in Admin console ui, will not be a great idea, is there
any standard practice /documentation for selectively restricting rest apis?As far as i
read the documentation, the recommendation seems to be to customize rest endpoints are not
deploy them at all..
On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt(a)acutus.pro> wrote:
Madhu,
I think that initially this was supposed to work without "manage-realm" role. If
you grant a user "manage-identity-providers" role only, you'll see a perfect
picture in the GUI: just the "Identity providers" section, and nothing more.
However if you try to actually add a provider, you'll get a 403 Forbidden upon a
request to /auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs to retrieve a list of
authentication flows for the realm. Unfortunately, in the REST resource it is hardcoded
that the user needs to be checked for "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is indeed too
wide for the flows endpoint. I'd suggest that the restriction be changed to
"view-realm OR manage-identity-providers". You can create a JIRA issue for that,
and at the moment resort to one of the workarounds:-
fix AuthenticationManagementResource::getFlows yourself and recompile Keycloak (easier to
do, but harder to maintain);- create a custom REST endpoint for flows with relaxed
permissions, then create a custom GUI theme to use that endpoint instead of the standard
one.
Please note that granting manage-realm + manage-identity-providers and tweaking the GUI
theme to exclude unwanted elements is generally a bad idea, since a rogue user will still
be able to directly invoke REST endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant here, but
let's see what Pedro Igor says on that.
Cheers,Dmitry TeleginCTO, Acutus s.r.o.Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic+ 42 (022)
888-30-71E-mail: info@acutus.pro
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
Hi ,I want to disable client, Realm management, Authentication and Roles and want to
create a user who will be able to provide only Identity provider/broker integration.I
understand user needs to be in manage-identity-providers and manage-realm for doing this
activity. But with manage realm user also has access to role creation,authenciation and
realm setting tabs. Any way to disable these, without going for customized themes or
changing the FTL?I am looking for authorization model based
solution.Regards,Madhu_______________________________________________keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
3:49 p.m.
Hi Madhu,
On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
Agree with you that disabling in Admin console ui, will not be a
great idea, is there any standard practice /documentation for
selectively restricting rest apis?
Not that I know of unfortunately. Access control to most APIs is role-
based, and the only way to restrict access is to not to grant
particular role to a user.
I was thinking about enabling authorization on security-admin-console
client, but my straightforward attempt failed - simply turning on
authorization results in an infinite loop and tons of 500 Internal
Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
sheds some light on the situation.
As far as i read the documentation, the recommendation seems to be
to
customize rest endpoints are not deploy them at all..
Not sure if I got it right ("not to deploy them at all"), could you
point to the docs please?
Dmitry
On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt(a)acutus.pr
o> wrote:
Madhu,
I think that initially this was supposed to work without "manage-
realm" role. If you grant a user "manage-identity-providers" role
only, you'll see a perfect picture in the GUI: just the "Identity
providers" section, and nothing more. However if you try to actually
add a provider, you'll get a 403 Forbidden upon a request to
/auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs
to retrieve a list of authentication flows for the realm.
Unfortunately, in the REST resource it is hardcoded that the user
needs to be checked for "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResourc
e::getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is
indeed too wide for the flows endpoint. I'd suggest that the
restriction be changed to "view-realm OR manage-identity-providers".
You can create a JIRA issue for that, and at the moment resort to one
of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and
recompile Keycloak (easier to do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions,
then create a custom GUI theme to use that endpoint instead of the
standard one.
Please note that granting manage-realm + manage-identity-providers
and tweaking the GUI theme to exclude unwanted elements is generally
a bad idea, since a rogue user will still be able to directly invoke
REST endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant
here, but let's see what Pedro Igor says on that.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info@acutus.pro
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> Hi ,
> I want to disable client, Realm management, Authentication and
> Roles and want to create a user who will be able to provide only
> Identity provider/broker integration.
> I understand user needs to be in manage-identity-providers and
> manage-realm for doing this activity. But with manage realm user
> also has access to role creation,authenciation and realm setting
> tabs. Any way to disable these, without going for customized themes
> or changing the FTL?
> I am looking for authorization model based solution.
> Regards,Madhu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
4:37 a.m.
Agree with you that disabling in Admin console ui, will not be a
great idea, is there any standard practice /documentation for
selectively restricting rest apis?
Not that I know of unfortunately. Access control to most APIs is role-
based, and the only way to restrict access is to not to grant
particular role to a user.
I was thinking about enabling authorization on security-admin-console
client, but my straightforward attempt failed - simply turning on
authorization results in an infinite loop and tons of 500 Internal
Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
sheds some light on the situation.
As far as i read the documentation, the recommendation seems to be
to
customize rest endpoints are not deploy them at all..
>Not sure if I got it right ("not to deploy them at
all"), could you
>point to the docs please?
<Madhu> Sorry My bad.. it was not document, but
a user thread , refer [keycloak-user] Limiting the admin REST API
|
|
| |
[keycloak-user] Limiting the admin REST API
|
|
|
On Tuesday, 3 July, 2018, 2:19:08 AM IST, Dmitry Telegin <dt(a)acutus.pro> wrote:
Hi Madhu,
On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
Agree with you that disabling in Admin console ui, will not be a
great idea, is there any standard practice /documentation for
selectively restricting rest apis?
Not that I know of unfortunately. Access control to most APIs is role-
based, and the only way to restrict access is to not to grant
particular role to a user.
I was thinking about enabling authorization on security-admin-console
client, but my straightforward attempt failed - simply turning on
authorization results in an infinite loop and tons of 500 Internal
Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
sheds some light on the situation.
As far as i read the documentation, the recommendation seems to be
to
customize rest endpoints are not deploy them at all..
Not sure if I got it right ("not to deploy them at all"), could you
point to the docs please?
Dmitry
On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt(a)acutus.pr
o> wrote:
Madhu,
I think that initially this was supposed to work without "manage-
realm" role. If you grant a user "manage-identity-providers" role
only, you'll see a perfect picture in the GUI: just the "Identity
providers" section, and nothing more. However if you try to actually
add a provider, you'll get a 403 Forbidden upon a request to
/auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs
to retrieve a list of authentication flows for the realm.
Unfortunately, in the REST resource it is hardcoded that the user
needs to be checked for "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResourc
e::getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is
indeed too wide for the flows endpoint. I'd suggest that the
restriction be changed to "view-realm OR manage-identity-providers".
You can create a JIRA issue for that, and at the moment resort to one
of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and
recompile Keycloak (easier to do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions,
then create a custom GUI theme to use that endpoint instead of the
standard one.
Please note that granting manage-realm + manage-identity-providers
and tweaking the GUI theme to exclude unwanted elements is generally
a bad idea, since a rogue user will still be able to directly invoke
REST endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant
here, but let's see what Pedro Igor says on that.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info@acutus.pro
On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> Hi ,
> I want to disable client, Realm management, Authentication and
> Roles and want to create a user who will be able to provide only
> Identity provider/broker integration.
> I understand user needs to be in manage-identity-providers and
> manage-realm for doing this activity. But with manage realm user
> also has access to role creation,authenciation and realm setting
> tabs. Any way to disable these, without going for customized themes
> or changing the FTL?
> I am looking for authorization model based solution.
> Regards,Madhu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6:15 a.m.
On Mon, Jul 2, 2018 at 5:49 PM, Dmitry Telegin <dt(a)acutus.pro> wrote:
Hi Madhu,
On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
> Agree with you that disabling in Admin console ui, will not be a
> great idea, is there any standard practice /documentation for
> selectively restricting rest apis?
Not that I know of unfortunately. Access control to most APIs is role-
based, and the only way to restrict access is to not to grant
particular role to a user.
I was thinking about enabling authorization on security-admin-console
client, but my straightforward attempt failed - simply turning on
authorization results in an infinite loop and tons of 500 Internal
Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
sheds some light on the situation.
I was able to reproduce the issue. It happens because when obtaining client
config for admin console, the client manager is not properly initialized.
Created https://issues.jboss.org/browse/KEYCLOAK-7763.
Regarding enabling authz on security-admin-console. This won't work because
we also need changes to admin console/apis to enforce permission. I've
replied to another thread about fine-grained permissions in admin console
and rest apis. We are still using roles and we also lack specific
permissions for some parts of admin console/apis. That is something we are
planing to review and improve in the future.
> As far as i read the documentation, the recommendation seems to be to
> customize rest endpoints are not deploy them at all..
Not sure if I got it right ("not to deploy them at all"), could you
point to the docs please?
Dmitry
>
> On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt(a)acutus.pr
> o> wrote:
>
>
> Madhu,
>
> I think that initially this was supposed to work without "manage-
> realm" role. If you grant a user "manage-identity-providers" role
> only, you'll see a perfect picture in the GUI: just the "Identity
> providers" section, and nothing more. However if you try to actually
> add a provider, you'll get a 403 Forbidden upon a request to
> /auth/admin/realms/$REALM/authentication/flows endpoint.
>
> To render the identity provider creation form, the GUI indeed needs
> to retrieve a list of authentication flows for the realm.
> Unfortunately, in the REST resource it is hardcoded that the user
> needs to be checked for "view-realm" role (see
> org.keycloak.services.resources.admin.AuthenticationManagementResourc
> e::getFlows).
>
> I think this is a perfect candidate for RFE, since "view-realm" is
> indeed too wide for the flows endpoint. I'd suggest that the
> restriction be changed to "view-realm OR manage-identity-providers".
> You can create a JIRA issue for that, and at the moment resort to one
> of the workarounds:
> - fix AuthenticationManagementResource::getFlows yourself and
> recompile Keycloak (easier to do, but harder to maintain);
> - create a custom REST endpoint for flows with relaxed permissions,
> then create a custom GUI theme to use that endpoint instead of the
> standard one.
>
> Please note that granting manage-realm + manage-identity-providers
> and tweaking the GUI theme to exclude unwanted elements is generally
> a bad idea, since a rogue user will still be able to directly invoke
> REST endpoints to do some nasty stuff.
>
> I'm not sure if authorization / fine-grained permissions are relevant
> here, but let's see what Pedro Igor says on that.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > Hi ,
> > I want to disable client, Realm management, Authentication and
> > Roles and want to create a user who will be able to provide only
> > Identity provider/broker integration.
> > I understand user needs to be in manage-identity-providers and
> > manage-realm for doing this activity. But with manage realm user
> > also has access to role creation,authenciation and realm setting
> > tabs. Any way to disable these, without going for customized themes
> > or changing the FTL?
> > I am looking for authorization model based solution.
> > Regards,Madhu
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:08 p.m.
Hi Pedro,
Regarding enabling authz on security-admin-console. This won't
work
because we also need changes to admin console/apis to enforce
permission. I've replied to another thread about fine-grained
permissions in admin console and rest apis.
Could you please point to the message? this is of big interest for me,
thx
We are still using roles and we also lack specific permissions for
some parts of admin console/apis. That is something we are planing to
review and improve in the future.
Good to hear that. Seems like this should be a popular feature, since
only for the last couple of weeks the guys have asked for help with
similar problems. See the message from Waldemar [1], he is looking for
a way to selectively allow a user access to roles without granting the
"manage-realm" role. Any ideas? I've yet come up with either creating a
custom REST endpoint, or introducing "{view,manage}-roles" in Keycloak
and waiting for next release...
Cheers,
Dmitry
[1] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014307.htm
l
> > As far as i read the documentation, the recommendation seems to
> be to
> > customize rest endpoints are not deploy them at all..
>
> Not sure if I got it right ("not to deploy them at all"), could you
> point to the docs please?
>
> Dmitry
>
> >
> > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt@acutu
> s.pr
> > o> wrote:
> >
> >
> > Madhu,
> >
> > I think that initially this was supposed to work without "manage-
> > realm" role. If you grant a user "manage-identity-providers"
role
> > only, you'll see a perfect picture in the GUI: just the "Identity
> > providers" section, and nothing more. However if you try to
> actually
> > add a provider, you'll get a 403 Forbidden upon a request to
> > /auth/admin/realms/$REALM/authentication/flows endpoint.
> >
> > To render the identity provider creation form, the GUI indeed
> needs
> > to retrieve a list of authentication flows for the realm.
> > Unfortunately, in the REST resource it is hardcoded that the user
> > needs to be checked for "view-realm" role (see
> >
> org.keycloak.services.resources.admin.AuthenticationManagementResou
> rc
> > e::getFlows).
> >
> > I think this is a perfect candidate for RFE, since "view-realm"
> is
> > indeed too wide for the flows endpoint. I'd suggest that the
> > restriction be changed to "view-realm OR manage-identity-
> providers".
> > You can create a JIRA issue for that, and at the moment resort to
> one
> > of the workarounds:
> > - fix AuthenticationManagementResource::getFlows yourself and
> > recompile Keycloak (easier to do, but harder to maintain);
> > - create a custom REST endpoint for flows with relaxed
> permissions,
> > then create a custom GUI theme to use that endpoint instead of
> the
> > standard one.
> >
> > Please note that granting manage-realm + manage-identity-
> providers
> > and tweaking the GUI theme to exclude unwanted elements is
> generally
> > a bad idea, since a rogue user will still be able to directly
> invoke
> > REST endpoints to do some nasty stuff.
> >
> > I'm not sure if authorization / fine-grained permissions are
> relevant
> > here, but let's see what Pedro Igor says on that.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > + 42 (022) 888-30-71
> > E-mail: info@acutus.pro
> >
> > On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > > Hi ,
> > > I want to disable client, Realm management, Authentication and
> > > Roles and want to create a user who will be able to provide
> only
> > > Identity provider/broker integration.
> > > I understand user needs to be in manage-identity-providers and
> > > manage-realm for doing this activity. But with manage realm
> user
> > > also has access to role creation,authenciation and realm
> setting
> > > tabs. Any way to disable these, without going for customized
> themes
> > > or changing the FTL?
> > > I am looking for authorization model based solution.
> > > Regards,Madhu
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2837
days inactive
2840
days old
6 comments
3 participants
participants (3)
-
Dmitry Telegin -
Madhu -
Pedro Igor Silva