[keycloak-user] Restrict access to a client to a subset of Keycloak users
Thomas Darimont
thomas.darimont at googlemail.com
Thu Feb 23 09:24:47 EST 2017
Hello Shane,
you could try to do that with the Javascript based Authenticator.
Cheers,
Thomas
2017-02-23 14:07 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
> I can think of some workarounds. Like for example, create an
> Authenticator, which will be added to the bottom of the authentication
> flow. Authenticator will throw an exception in case that unpermitted
> user is trying to authenticate to the client corresponding to your
> openshift application. You have the user available (he is already
> authenticated) and you have also the client (can be determined based on
> clientId).
>
> Maybe even easier is to do that in custom RequiredActionProvider and do
> this check in "evaluateTriggers".
>
> This is workaround as it mixes authentication and authorization (among
> other issues). But hopefully it can suit your needs.
>
> Marek
>
> On 23/02/17 07:19, Shane Boulden wrote:
> > Hi everyone,
> >
> > I'm trying to figure out a fairly straight-forward problem set -
> >
> > - I have a number of users in a Keycloak database, federated from an
> > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the
> users)
> > - I want to limit access to a client to only certain Keycloak users
> >
> > I thought this would be possible with a role that is shared by the client
> > and the user. However, it looks like Keycloak lets the application itself
> > determine access via a role: http://lists.jboss.org/
> > pipermail/keycloak-user/2014-November/001205.html
> >
> > But what if I can't update the application's behaviour? Eg; if I want to
> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any
> > information from the OIDC provider?
> >
> > In this particular example, I don't want to limit the users in the
> Keycloak
> > database - I want to sync all users from LDAP, but limit application
> access
> > to only a subset.
> >
> > Any assistance is greatly appreciated.
> >
> > Shane
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list