[keycloak-dev] [keycloak-gatekeeper] Add resource filter to allow specific users

Stian Thorgersen sthorger at redhat.com
Wed Oct 30 07:57:09 EDT 2019


Permitting individual users is not a good practice for several reasons and
is not something we should add to the Gatekeeper.

By allowing a specific user there is no way to limit access in different
tokens, which means that any token issued to the user will give access.
This is very contradictory to the whole OAuth/OIDC paradigm where you have
scoped tokens.

Further, it's hard to manage access for individual users in such a way.
Imagine the user should not have the access anymore. Now you have to update
config for Gatekeeper instead of removing the role from the user. It is
also not much overhead to add a role or a group for a user.

On Wed, 30 Oct 2019 at 11:00, Niels Denissen <nielsdenissen at gmail.com>
wrote:

> Hi,
>
> In a project I’m working on we need to restrict access to a certain
> resource (URL) to a single person only. We’re using keycloak-gatekeeper in
> front of this resource to restrict access.
> As far as I understand, in order to achieve this in the current
> architecture, this would involve creating a new group for each separate
> user and in keycloak-gatekeeper add this group to the list of allowed
> groups for this resource.
> As this involves creating a group for each user (lots of overhead), I
> envisioned a new filter in the keycloak-gatekeeper project for resources
> based on `AllowedUsers` (next to the existing ones for e.g. roles and
> groups). This would allow us to specify for any given resource, the user
> that is allowed access to it specifically. I’ve created some initial code
> for this in a fork (
> https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7
> <
> https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7>)
> and am looking for some feedback of the community to see if I missed any
> other way to solve this problem and whether such a feature seems
> interesting to others as well.
>
> Any help is appreciated!
>
> Thanks,
> Niels
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


More information about the keycloak-dev mailing list