[keycloak-dev] [keycloak-gatekeeper] Add resource filter to allow specific users

Niels Denissen nielsdenissen at gmail.com
Wed Oct 30 11:34:26 EDT 2019


Yes I am aware of it, in our case this is fine as we use this gatekeeper in front of a micro service destined for only a single user (and irrespective of roles/groups).
Thanks for your help!

> On 30 Oct 2019, at 15:13, Stian Thorgersen <sthorger at redhat.com> wrote:
> 
> Just bear in mind what I said about the fact that you are basically allowing any tokens issues to any clients access to your restricted resource.
> 
> On Wed, 30 Oct 2019 at 14:11, Niels Denissen <nielsdenissen at gmail.com <mailto:nielsdenissen at gmail.com>> wrote:
> Hi Stian,
> 
> Thanks for your quick reply. In further researching the issue I’ve just found that there is already functionality in Gatekeeper that does exactly what I was trying to implement.
> The option `—match-claims` allows for specifying only a specific user that is allowed access in the following way (for my use-case): `—match-claims=‘preferred_username=someusername’`.
> 
> Hope this helps anyone looking for this in the future.
> 
> Best regards,
> Niels
> 
>> On 30 Oct 2019, at 12:57, Stian Thorgersen <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>> 
>> Permitting individual users is not a good practice for several reasons and is not something we should add to the Gatekeeper.
>> 
>> By allowing a specific user there is no way to limit access in different tokens, which means that any token issued to the user will give access. This is very contradictory to the whole OAuth/OIDC paradigm where you have scoped tokens.
>> 
>> Further, it's hard to manage access for individual users in such a way. Imagine the user should not have the access anymore. Now you have to update config for Gatekeeper instead of removing the role from the user. It is also not much overhead to add a role or a group for a user.
>> 
>> On Wed, 30 Oct 2019 at 11:00, Niels Denissen <nielsdenissen at gmail.com <mailto:nielsdenissen at gmail.com>> wrote:
>> Hi,
>> 
>> In a project I’m working on we need to restrict access to a certain resource (URL) to a single person only. We’re using keycloak-gatekeeper in front of this resource to restrict access. 
>> As far as I understand, in order to achieve this in the current architecture, this would involve creating a new group for each separate user and in keycloak-gatekeeper add this group to the list of allowed groups for this resource.
>> As this involves creating a group for each user (lots of overhead), I envisioned a new filter in the keycloak-gatekeeper project for resources based on `AllowedUsers` (next to the existing ones for e.g. roles and groups). This would allow us to specify for any given resource, the user that is allowed access to it specifically. I’ve created some initial code for this in a fork (https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7 <https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7> <https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7 <https://github.com/nielsdenissen/keycloak-gatekeeper/commit/5ed6ddf2e5714803c0ddeffb562fafade1e761d7>>) and am looking for some feedback of the community to see if I missed any other way to solve this problem and whether such a feature seems interesting to others as well.
>> 
>> Any help is appreciated!
>> 
>> Thanks,
>> Niels
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev>



More information about the keycloak-dev mailing list