[keycloak-user] Enabling Identity provider alone
Madhu
kkcmadhu at yahoo.com
Tue Jul 3 05:37:19 EDT 2018
> Agree with you that disabling in Admin console ui, will not be a
> great idea, is there any standard practice /documentation for
> selectively restricting rest apis?
Not that I know of unfortunately. Access control to most APIs is role-
based, and the only way to restrict access is to not to grant
particular role to a user.
I was thinking about enabling authorization on security-admin-console
client, but my straightforward attempt failed - simply turning on
authorization results in an infinite loop and tons of 500 Internal
Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
sheds some light on the situation.
> As far as i read the documentation, the recommendation seems to be to
> customize rest endpoints are not deploy them at all..
>>Not sure if I got it right ("not to deploy them at all"), could you
>>point to the docs please?
<Madhu> Sorry My bad.. it was not document, but a user thread , refer [keycloak-user] Limiting the admin REST API
|
|
| |
[keycloak-user] Limiting the admin REST API
|
|
|
On Tuesday, 3 July, 2018, 2:19:08 AM IST, Dmitry Telegin <dt at acutus.pro> wrote:
Hi Madhu,
On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
> Agree with you that disabling in Admin console ui, will not be a
> great idea, is there any standard practice /documentation for
> selectively restricting rest apis?
Not that I know of unfortunately. Access control to most APIs is role-
based, and the only way to restrict access is to not to grant
particular role to a user.
I was thinking about enabling authorization on security-admin-console
client, but my straightforward attempt failed - simply turning on
authorization results in an infinite loop and tons of 500 Internal
Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
sheds some light on the situation.
> As far as i read the documentation, the recommendation seems to be to
> customize rest endpoints are not deploy them at all..
Not sure if I got it right ("not to deploy them at all"), could you
point to the docs please?
Dmitry
>
> On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt at acutus.pr
> o> wrote:
>
>
> Madhu,
>
> I think that initially this was supposed to work without "manage-
> realm" role. If you grant a user "manage-identity-providers" role
> only, you'll see a perfect picture in the GUI: just the "Identity
> providers" section, and nothing more. However if you try to actually
> add a provider, you'll get a 403 Forbidden upon a request to
> /auth/admin/realms/$REALM/authentication/flows endpoint.
>
> To render the identity provider creation form, the GUI indeed needs
> to retrieve a list of authentication flows for the realm.
> Unfortunately, in the REST resource it is hardcoded that the user
> needs to be checked for "view-realm" role (see
> org.keycloak.services.resources.admin.AuthenticationManagementResourc
> e::getFlows).
>
> I think this is a perfect candidate for RFE, since "view-realm" is
> indeed too wide for the flows endpoint. I'd suggest that the
> restriction be changed to "view-realm OR manage-identity-providers".
> You can create a JIRA issue for that, and at the moment resort to one
> of the workarounds:
> - fix AuthenticationManagementResource::getFlows yourself and
> recompile Keycloak (easier to do, but harder to maintain);
> - create a custom REST endpoint for flows with relaxed permissions,
> then create a custom GUI theme to use that endpoint instead of the
> standard one.
>
> Please note that granting manage-realm + manage-identity-providers
> and tweaking the GUI theme to exclude unwanted elements is generally
> a bad idea, since a rogue user will still be able to directly invoke
> REST endpoints to do some nasty stuff.
>
> I'm not sure if authorization / fine-grained permissions are relevant
> here, but let's see what Pedro Igor says on that.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > Hi ,
> > I want to disable client, Realm management, Authentication and
> > Roles and want to create a user who will be able to provide only
> > Identity provider/broker integration.
> > I understand user needs to be in manage-identity-providers and
> > manage-realm for doing this activity. But with manage realm user
> > also has access to role creation,authenciation and realm setting
> > tabs. Any way to disable these, without going for customized themes
> > or changing the FTL?
> > I am looking for authorization model based solution.
> > Regards,Madhu
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list