[keycloak-dev] [keycloak-gatekeeper] Add resource filter to allow specific users

Stian Thorgersen sthorger at redhat.com
Wed Oct 30 10:13:29 EDT 2019


Just bear in mind what I said about the fact that you are basically
allowing any token issued to any client access to your restricted
resource.

On Wed, 30 Oct 2019 at 14:11, Niels Denissen <nielsdenissen at gmail.com>
wrote:

> Hi Stian,
>
> Thanks for your quick reply. In further researching the issue I’ve just
> found that there is already functionality in Gatekeeper that does exactly
> what I was trying to implement.
> The option `--match-claims` allows for specifying only a specific user that
> is allowed access in the following way (for my use-case):
> `--match-claims='preferred_username=someusername'`.
>
> Hope this helps anyone looking for this in the future.
>
> Best regards,
> Niels
>
> On 30 Oct 2019, at 12:57, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Permitting individual users is not a good practice for several reasons and
> is not something we should add to the Gatekeeper.
>
> By allowing a specific user there is no way to limit access in different
> tokens, which means that any token issued to the user will give access.
> This is very contradictory to the whole OAuth/OIDC paradigm where you have
> scoped tokens.
>
> Further, it's hard to manage access for individual users in such a way.
> Imagine the user should not have the access anymore. Now you have to update
> config for Gatekeeper instead of removing the role from the user. It is
> also not much overhead to add a role or a group for a user.
>
> On Wed, 30 Oct 2019 at 11:00, Niels Denissen <nielsdenissen at gmail.com>
> wrote:
>
>> Hi,
>>
>> In a project I’m working on we need to restrict access to a certain
>> resource (URL) to a single person only. We’re using keycloak-gatekeeper in
>> front of this resource to restrict access.
>> As far as I understand, in order to achieve this in the current
>> architecture, this would involve creating a new group for each separate
>> user and in keycloak-gatekeeper add this group to the list of allowed
>> groups for this resource.
>> As this involves creating a group for each user (lots of overhead), I
>> envisioned a new filter in the keycloak-gatekeeper project for resources
>> based on `AllowedUsers` (next to the existing ones for e.g. roles and
>> groups). This would allow us to specify for any given resource, the user
>> that is allowed access to it specifically. I’ve created some initial code
>> for this in a fork (
>> https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7)
>> and am looking for some feedback of the community to see if I missed any
>> other way to solve this problem and whether such a feature seems
>> interesting to others as well.
>>
>> Any help is appreciated!
>>
>> Thanks,
>> Niels
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
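The contrast Stian draws above, shown as an added Go example (not code from the thread or from keycloak-gatekeeper): a resource rule keyed on a role admits only tokens that actually carry that role, while a `preferred_username` claim match admits every token issued to that user, whichever client it was issued to. The token contents are constructed, and treating match-claims values as regular expressions is this example's assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Claims is a flattened, constructed access-token payload (real Keycloak tokens nest roles under realm_access).
type Claims map[string]interface{}

// Resource models the parts of a Gatekeeper rule the thread discusses: a required
// role plus an optional claim match (regex matching is this example's assumption).
type Resource struct {
	Role        string
	MatchClaims map[string]*regexp.Regexp
}

// hasRole reports whether the token's role list contains the required role.
func hasRole(claim interface{}, want string) bool {
	have, _ := claim.([]string)
	for _, h := range have {
		if h == want {
			return true
		}
	}
	return false
}

// Authorize returns true when the token's claims satisfy the resource rule.
func Authorize(r Resource, c Claims) bool {
	if r.Role != "" && !hasRole(c["roles"], r.Role) {
		return false
	}
	for name, re := range r.MatchClaims {
		v, ok := c[name].(string)
		if !ok || !re.MatchString(v) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed tokens: same user, two clients; only the first carries the role.
	admin := Claims{"azp": "admin-console", "preferred_username": "someusername", "roles": []string{"report-admin"}}
	other := Claims{"azp": "mobile-app", "preferred_username": "someusername"}
	byRole := Resource{Role: "report-admin"}
	byUser := Resource{MatchClaims: map[string]*regexp.Regexp{"preferred_username": regexp.MustCompile(`^someusername$`)}}
	fmt.Println(Authorize(byRole, admin), Authorize(byRole, other), Authorize(byUser, admin), Authorize(byUser, other)) // true false true true
}
```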