[keycloak-user] Restrict access from web app client
Pablo Fernandez
pablo.fernandez at cscs.ch
Wed Aug 16 08:41:15 EDT 2017
Dear Keycloakers,

I am (almost) new to Keycloak and having trouble, and I thought I should
ask you after exhausting other options, so here I am.

What I would like to find is a way to confine certain web apps (with a
registered client in Keycloak) from accessing any other client that they
are not supposed to. Specifically, I have an OIDC client named 'keystone'
that handles all OpenStack authentication and another OIDC client
'simplewebapp' that is a webapp that I want to give access to 'keystone'
while NOT giving access to any of the other clients (e.g. account,
admin-cli, broker, etc.).

Is there a way to do this?

I thought about Scopes, but I see they are basically linked to Roles
that I think have nothing to do with what I am doing (I tried, though,
creating new roles, but it seems to me they don't prevent anything from
happening). If I have to use Scopes, then how? Is there a Role that I
can use to deny - or exclusively grant - access to another client? I
also tried changing the Default Policy in the 'keystone' Authorization tab
to something like this (the opposite of what I wanted to do, to make it
fail and see if I can use this mechanism), without success:
---
// by default, grants any permission associated with this policy
//$evaluation.grant();
var context = $evaluation.getContext();
var contextAttributes = context.getAttributes();
if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
    $evaluation.deny();
}
$evaluation.grant();
---

I googled and browsed and tried many different setting combinations
without success, so I hope someone here could give me a hint.

Thanks!

Pablo Fernandez
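
Added example (not part of the original message and not Keycloak's own code): in the policy quoted above, `$evaluation.deny()` does not end the script, so the unconditional `$evaluation.grant()` still runs afterwards. The sketch below uses a hypothetical stand-in for `$evaluation` (`makeEvaluation`, `evaluate`, `policyAsPosted`, `policyWithElse` and the client id `otherclient` are names made up here) and assumes that the last `grant()`/`deny()` call decides the outcome.

```javascript
// Minimal stand-in for the $evaluation object; NOT Keycloak's class.
// Assumption: grant()/deny() only record an effect, and the last call wins.
function makeEvaluation(clientId) {
  const attributes = { 'kc.client.id': [clientId] }; // constructed sample context
  let effect = null;
  return {
    getContext: () => ({
      getAttributes: () => ({
        // Same shape as the call used in the post: containsValue(name, value)
        containsValue: (name, value) => (attributes[name] || []).includes(value),
      }),
    }),
    grant: () => { effect = 'PERMIT'; },
    deny: () => { effect = 'DENY'; },
    getEffect: () => effect,
  };
}

// The policy as posted: deny() is followed by an unconditional grant().
function policyAsPosted($evaluation) {
  const contextAttributes = $evaluation.getContext().getAttributes();
  if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
    $evaluation.deny();
  }
  $evaluation.grant();
}

// Same check, but each path makes exactly one decision.
function policyWithElse($evaluation) {
  const contextAttributes = $evaluation.getContext().getAttributes();
  if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
    $evaluation.deny();
  } else {
    $evaluation.grant();
  }
}

// Run a policy for a given requesting client and return the final effect.
function evaluate(policy, clientId) {
  const evaluation = makeEvaluation(clientId);
  policy(evaluation);
  return evaluation.getEffect();
}

console.log('as posted, simplewebapp:', evaluate(policyAsPosted, 'simplewebapp'));
console.log('with else, simplewebapp:', evaluate(policyWithElse, 'simplewebapp'));
console.log('with else, otherclient: ', evaluate(policyWithElse, 'otherclient'));
```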