[keycloak-user] Enabling Identity provider alone

Dmitry Telegin dt at acutus.pro
Mon Jul 2 06:38:18 EDT 2018


Madhu,
I think that initially this was supposed to work without the "manage-realm"
role. If you grant a user the "manage-identity-providers" role only, you'll
see a perfect picture in the GUI: just the "Identity providers"
section, and nothing more. However, if you try to actually add a
provider, you'll get a 403 Forbidden upon a request to the
/auth/admin/realms/$REALM/authentication/flows endpoint.
To render the identity provider creation form, the GUI indeed needs to
retrieve a list of authentication flows for the realm. Unfortunately,
in the REST resource it is hardcoded that the user needs to be checked
for the "view-realm" role (see
org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
I think this is a perfect candidate for RFE, since "view-realm" is
indeed too wide for the flows endpoint. I'd suggest that the
restriction be changed to "view-realm OR manage-identity-providers".
You can create a JIRA issue for that, and at the moment resort to one
of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and recompile
  Keycloak (easier to do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions, then
  create a custom GUI theme to use that endpoint instead of the standard
  one.
Please note that granting manage-realm + manage-identity-providers and
tweaking the GUI theme to exclude unwanted elements is generally a bad
idea, since a rogue user will still be able to directly invoke REST
endpoints to do some nasty stuff.
I'm not sure if authorization / fine-grained permissions are relevant
here, but let's see what Pedro Igor says on that.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> Hi,
> I want to disable client, Realm management, Authentication and Roles
> and want to create a user who will be able to provide only Identity
> provider/broker integration.
> I understand user needs to be in manage-identity-providers and
> manage-realm for doing this activity. But with manage realm user also
> has access to role creation, authentication and realm setting tabs. Any
> way to disable these, without going for customized themes or changing
> the FTL?
> I am looking for authorization model based solution.
> Regards,
> Madhu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
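As an added illustration (not code from this thread and not Keycloak's own source), this is how the relaxed "view-realm OR manage-identity-providers" check that Dmitry proposes could look inside `AuthenticationManagementResource::getFlows`. It assumes the resource's admin permission evaluator field `auth` exposes `auth.realm().canViewRealm()` and `auth.realm().canManageIdentityProviders()`, that `realm.getAuthenticationFlows()` and `ModelToRepresentation.toRepresentation(realm, flow)` are available for building the response, and that `org.keycloak.services.ForbiddenException` is what the admin REST layer maps to a 403; all of those names are assumptions about Keycloak's internals, not facts stated in the thread.

```java
import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.AuthenticationFlowRepresentation;
import org.keycloak.services.ForbiddenException;

// Fragment meant to live inside AuthenticationManagementResource, which already
// holds the `realm` (RealmModel) and `auth` (admin permission evaluator) fields.
// The evaluator method names below are assumptions about Keycloak's admin
// permission classes; adjust them to the version you build against.
@Path("/flows")
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public List<AuthenticationFlowRepresentation> getFlows() {
    // Current behaviour described in the thread: only "view-realm" passes.
    // Proposed behaviour: either role is sufficient to list the flows, and
    // any caller holding neither still gets a 403 from the REST layer itself
    // (hiding GUI elements alone would not enforce this).
    boolean allowed = auth.realm().canViewRealm()
                   || auth.realm().canManageIdentityProviders();
    if (!allowed) {
        throw new ForbiddenException();
    }

    // Build the same read-only response the GUI needs for the identity
    // provider creation form: the realm's top-level authentication flows.
    List<AuthenticationFlowRepresentation> flows = new LinkedList<>();
    for (AuthenticationFlowModel flow : realm.getAuthenticationFlows()) {
        if (flow.isTopLevel()) {
            flows.add(ModelToRepresentation.toRepresentation(realm, flow));
        }
    }
    return flows;
}
```

The important design point is that the decision stays in the REST resource rather than in the theme: a user with only "manage-identity-providers" can now render the form, while a user with neither role is refused at the endpoint regardless of what the admin console shows them.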

