Hi,

I'm struggling with understanding how authorization and permissions work in Keycloak.

Very simply put: in a single realm I have a number of Clients (also called Applications in Keycloak's user-facing account console). All Clients use OIDC. I also have a number of Users. Clients are "dumb", i.e. they only consume the identity from Keycloak and have no authorization mechanisms available. I want to have control over which subset of users can "use" specific Clients.

I want to authorize Users to use specific Clients (or authorize Clients to authenticate only specific users) and I want all of this to be performed by Keycloak alone.

Example:

Current state: two users ("uA" and "uB"), one Client ("cX"). Both users can see cX in their respective application lists on their Keycloak account consoles (and the column "Granted permissions" states "Full access") and both can authenticate (i.e. login) to the Client. The Client happily accepts both logins as it has no authorization mechanism of its own.

Desired state: only user uA can login to cX; user uB cannot login to cX and does not see cX in his application list, or at least does not have "Full access" in "Granted permissions". If user uB tries to login to cX, the login fails somehow (graceful refusal would be nice but I'd be happy with anything at the moment).

The best would be if I could control this through user groups, i.e. only users in group "gX" can login to Client "cX".

I've been playing with roles, scopes, permissions, custom authentication scripts and I even tried to superficially reverse engineer the difference between an admin user and a regular user, which is the only case where I can see a difference in the Application list (i.e. a regular user does not see and cannot login to the "Security Admin Console" application), but have failed to achieve the desired state or even approach it.

I know I'm probably thinking about this all wrong so I'd be happy even for a slight push in the right direction.

thanks,
-jakub.
--
Jakub Fišer
Linux | DevOps | Security
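The post describes the uA/uB/gX scenario with a client that accepts any identity Keycloak hands it. As an added illustration (not part of the mailing-list thread, and not the Keycloak-side enforcement the poster is asking for), the following Python shows the complementary check a relying party can make on the token it receives: confirm the token was issued for this client and that the user carries the expected group or client role. It assumes a Keycloak "Group Membership" protocol mapper is configured to emit a `groups` claim with full group paths, that signature, issuer and expiry verification have already been done, and it uses constructed sample payloads rather than real tokens.

```python
"""Relying-party-side check of who may use a Keycloak OIDC client.

Added example, not from the mailing-list post. Assumptions:
  * signature, issuer and expiry of the token were already verified;
  * a Group Membership protocol mapper adds a "groups" claim (full group path);
  * optionally, a client role is mapped into "resource_access.<client>.roles".
"""
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _normalize_group(path: str) -> str:
    # Keycloak emits full paths such as "/gX" or "/parent/gX"; normalize so
    # that "gX" and "/gX" compare equal.
    return "/" + path.strip("/")


def authorize_client_access(
    claims: Mapping[str, Any],
    client_id: str,
    required_group: Optional[str] = None,
    required_client_role: Optional[str] = None,
) -> Decision:
    """Decide whether the token holder may use `client_id`.

    Deny by default: the token must have been issued for this client
    (azp or aud) and, where configured, the user must be in the group
    and/or hold the client role.
    """
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if claims.get("azp") != client_id and client_id not in aud_list:
        return Decision(False, "token was not issued for this client")

    if required_group is not None:
        groups = claims.get("groups")
        if not isinstance(groups, list):
            # No mapper configured or claim stripped: fail closed.
            return Decision(False, "no groups claim present")
        wanted = _normalize_group(required_group)
        present = {_normalize_group(g) for g in groups if isinstance(g, str)}
        if wanted not in present:
            return Decision(False, f"user is not a member of {wanted}")

    if required_client_role is not None:
        roles = (
            claims.get("resource_access", {})
            .get(client_id, {})
            .get("roles", [])
        )
        if required_client_role not in roles:
            return Decision(False, f"user lacks client role {required_client_role}")

    return Decision(True, "ok")


# Constructed sample ID-token payloads (not real tokens) mirroring the
# scenario in the post: uA is in group gX, uB is not.
TOKEN_UA = {
    "sub": "1111-uA",
    "preferred_username": "uA",
    "azp": "cX",
    "aud": ["cX"],
    "groups": ["/gX"],
    "resource_access": {"cX": {"roles": ["user"]}},
}
TOKEN_UB = {
    "sub": "2222-uB",
    "preferred_username": "uB",
    "azp": "cX",
    "aud": ["cX"],
    "groups": ["/other"],
    "resource_access": {},
}
# Same user uA, but a token minted for a different client "cY" (constructed).
TOKEN_OTHER_CLIENT = {
    "sub": "1111-uA",
    "preferred_username": "uA",
    "azp": "cY",
    "aud": "cY",
    "groups": ["/gX"],
}


if __name__ == "__main__":
    for name, tok in [("uA", TOKEN_UA), ("uB", TOKEN_UB), ("uA@cY", TOKEN_OTHER_CLIENT)]:
        d = authorize_client_access(tok, "cX", required_group="gX")
        print(f"{name}: allowed={d.allowed} ({d.reason})")
```

The check fails closed when the `groups` claim is absent, which is what happens if the mapper is not attached to the client's scope; that is the case worth testing for explicitly, because a missing claim otherwise looks identical to "no groups" and could silently turn into "allow everyone" in a relying party that only checks for a denied group.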