[keycloak-user] Restrict access from web app client

Abhinav Dwivedi Abhinav.Dwivedi at aeris.net
Thu Aug 17 02:44:17 EDT 2017


Team

I am having an issue with Keycloak HA with MySQL. So I have configured 2 Keycloak Docker instances and one MySQL instance.

And created the admin user from the add-user script in Keycloak on both instances. So when I create a Realm on one instance it is not reflected on the other until I restart the other one.

But when I delete the Realm it is deleted on both in real time.

Could anyone help me on this? It's a little urgent.

Regards
Abhinav D

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pablo Fernandez
Sent: Thursday, August 17, 2017 12:06 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Restrict access from web app client

Dear Simon,

Thanks for your reply.

I am not quite sure your proposal would work in our case (or maybe I don't understand it): do you mean that the client will ask for a specific audience to be put inside the token, and that the other service providers would have to check that the claim is targeted at the right audience? That creates a big overhead if you have many SPs, which we do. And anyway, how can you limit a certain client to be issued tokens of a certain audience within Keycloak? And furthermore, how can I limit access to the /accounts API on Keycloak for a token given to certain clients?

It would be great to have a mechanism inside Keycloak to limit the scopes of the various clients directly, without extra work on the clients or the SPs. Am I assuming something that is wrong? What is the Authorization tab (and/or the Scopes one) for?

Thanks a lot again,
BR/Pablo


On 16/08/17 15:20, Simon Payne wrote:
> Pablo,
>
> I'm not sure whether this will be your solution directly, but I found 
> out recently that the 'aud' claim in the token is to represent the audience.
> Now, when I used the spring-security-oauth client library I found that 
> it validated the resourceId against this aud claim.
>
> I thought it an unnecessary constraint at the time, but maybe it could 
> be used to restrict access by tokens, which although may have the 
> correct scope, have been issued to the incorrect or otherwise unknown client?
>
> Simon.
>
> On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez 
> <pablo.fernandez at cscs.ch>
> wrote:
>
>> Dear Keycloakers,
>>
>> I am (almost) new to Keycloak and having trouble, and I thought I 
>> should ask you after exhausting other options, so here I am.
>>
>> What I would like to find is a way to confine certain web apps (with 
>> a registered client in Keycloak) from accessing any other client that 
>> they are not supposed to. Specifically, I have an oidc client named 'keystone'
>> that handles all OpenStack authentication and another oidc client 
>> 'simplewebapp' that is a webapp that I want to give access to 'keystone'
>> while NOT giving access to any of the other clients (e.g. account, 
>> admin-cli, broker, etc.)
>>
>> Is there a way to do this?
>>
>> I thought about Scopes, but I see they are basically linked to Roles 
>> that I think have nothing to do with what I am doing (I tried, though, 
>> creating new roles, but it seems to me they don't prevent anything 
>> from happening). If I have to use Scopes, then how? Is there a Role 
>> that I can use to deny - or exclusively grant - access to another 
>> client? I also tried changing the Default Policy in 'keystone' 
>> Authorization tab to something like this (the opposite of what I 
>> wanted to do, to make it fail and see if I can use this mechanism), without success:
>>
>> ---
>> // by default, grants any permission associated with this policy
>> //$evaluation.grant();
>> var context = $evaluation.getContext();
>> var contextAttributes = context.getAttributes();
>> // Deny requests coming through the 'simplewebapp' client, grant the rest.
>> // The last grant()/deny() call decides the outcome, so grant() must stay
>> // in the else branch rather than run unconditionally after deny().
>> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
>>     $evaluation.deny();
>> } else {
>>     $evaluation.grant();
>> }
>> ---
>>
>> I googled and browsed and tried many different setting combinations 
>> without success, so I hope someone here could give me a hint.
>>
>> Thanks!
>> Pablo Fernandez
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>


