[keycloak-user] Restrict access to a client to a subset of Keycloak users
Marek Posolda
mposolda at redhat.com
Thu Feb 23 08:07:04 EST 2017
I can think of some workarounds. For example, create an
Authenticator which will be added to the bottom of the authentication
flow. The Authenticator will throw an exception in case an unpermitted
user is trying to authenticate to the client corresponding to your
OpenShift application. You have the user available (he is already
authenticated) and you also have the client (it can be determined based on
the clientId).
Maybe even easier is to do that in a custom RequiredActionProvider and do
this check in "evaluateTriggers".
This is a workaround as it mixes authentication and authorization (among
other issues). But hopefully it can suit your needs.
Marek
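The first workaround described above, as an added example that is not code from this thread or from the Keycloak project: an Authenticator meant for the bottom of the browser flow (set to REQUIRED) that lets every client through except one, and for that client fails the login unless the user holds a client role. Assumed: a Keycloak 4+ SPI (AuthenticationSession, AuthenticationFlowError.ACCESS_DENIED), and the placeholder clientId "openshift" and role name "openshift-access"; the class still needs an AuthenticatorFactory and a META-INF/services/org.keycloak.authentication.AuthenticatorFactory entry to be deployed.

```java
package com.example.keycloak.auth; // hypothetical package

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

public class ClientAccessAuthenticator implements Authenticator {

    // Placeholders (assumption): the guarded client and the client role that grants access.
    static final String PROTECTED_CLIENT_ID = "openshift";
    static final String REQUIRED_ROLE = "openshift-access";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        ClientModel client = context.getAuthenticationSession().getClient();
        UserModel user = context.getUser();

        // Only the one client is guarded; every other client keeps its normal flow.
        if (!PROTECTED_CLIENT_ID.equals(client.getClientId())) {
            context.success();
            return;
        }

        // Fail closed: if the role does not exist on the client, nobody gets in.
        RoleModel required = client.getRole(REQUIRED_ROLE);
        if (user == null || required == null || !user.hasRole(required)) {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) { /* no form, nothing to process */ }

    // true: the flow must already have identified the user before this step runs,
    // which is why it belongs at the bottom of the flow.
    @Override
    public boolean requiresUser() { return true; }

    @Override
    public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }

    @Override
    public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    @Override
    public void close() { }
}
```

Because the check runs inside the login flow, a denied user never receives a code or token for the protected client, so the application does not need to consume any role information itself.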
On 23/02/17 07:19, Shane Boulden wrote:
> Hi everyone,
>
> I'm trying to figure out a fairly straightforward problem set -
>
> - I have a number of users in a Keycloak database, federated from an
> LDAP provider with a READ_ONLY policy (ie; I can't "disable" the users)
> - I want to limit access to a client to only certain Keycloak users
>
> I thought this would be possible with a role that is shared by the client
> and the user. However, it looks like Keycloak lets the application itself
> determine access via a role:
> http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
>
> But what if I can't update the application's behaviour? Eg; if I want to
> integrate Keycloak with OpenShift, and OpenShift doesn't consume any
> information from the OIDC provider?
>
> In this particular example, I don't want to limit the users in the Keycloak
> database - I want to sync all users from LDAP, but limit application access
> to only a subset.
>
> Any assistance is greatly appreciated.
>
> Shane
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user