[keycloak-user] Enabling Identity provider alone

Pedro Igor Silva psilva at redhat.com
Tue Jul 3 07:15:35 EDT 2018 

On Mon, Jul 2, 2018 at 5:49 PM, Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Madhu,
>
> On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
>
> > Agree with you that disabling in Admin console ui, will not be  a
> > great idea,  is there any standard practice /documentation for
> > selectively restricting rest apis?
>
> Not that I know of unfortunately. Access control to most APIs is role-
> based, and the only way to restrict access is to not to grant
> particular role to a user.
>
> I was thinking about enabling authorization on security-admin-console
> client, but my straightforward attempt failed - simply turning on
> authorization results in an infinite loop and tons of 500 Internal
> Server Errors. Our authorization guru is Pedro Igor Silva, I hope he
> sheds some light on the situation.
>

I was able to reproduce the issue. It happens because when obtaining client
config for admin console, the client manager is not properly initialized.
Created https://issues.jboss.org/browse/KEYCLOAK-7763.

Regarding enabling authz on security-admin-console. This won't work because
we also need changes to admin console/apis to enforce permission. I've
replied to another thread about fine-grained permissions in admin console
and rest apis. We are still using roles and we also lack specific
permissions for some parts of admin console/apis. That is something we are
planing to review and improve in the future.


>
> > As far as i read the documentation, the recommendation seems to be to
> > customize rest endpoints are not deploy them at all..
>
> Not sure if I got it right ("not to deploy them at all"), could you
> point to the docs please?
>
> Dmitry
>
> >
> > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt at acutus.pr
> > o> wrote:
> >
> >
> > Madhu,
> >
> > I think that initially this was supposed to work without "manage-
> > realm" role. If you grant a user "manage-identity-providers" role
> > only, you'll see a perfect picture in the GUI: just the "Identity
> > providers" section, and nothing more. However if you try to actually
> > add a provider, you'll get a 403 Forbidden upon a request to
> > /auth/admin/realms/$REALM/authentication/flows endpoint.
> >
> > To render the identity provider creation form, the GUI indeed needs
> > to retrieve a list of authentication flows for the realm.
> > Unfortunately, in the REST resource it is hardcoded that the user
> > needs to be checked for "view-realm" role (see
> > org.keycloak.services.resources.admin.AuthenticationManagementResourc
> > e::getFlows).
> >
> > I think this is a perfect candidate for RFE, since "view-realm" is
> > indeed too wide for the flows endpoint. I'd suggest that the
> > restriction be changed to "view-realm OR manage-identity-providers".
> > You can create a JIRA issue for that, and at the moment resort to one
> > of the workarounds:
> > - fix AuthenticationManagementResource::getFlows yourself and
> > recompile Keycloak (easier to do, but harder to maintain);
> > - create a custom REST endpoint for flows with relaxed permissions,
> > then create a custom GUI theme to use that endpoint instead of the
> > standard one.
> >
> > Please note that granting manage-realm + manage-identity-providers
> > and tweaking the GUI theme to exclude unwanted elements is generally
> > a bad idea, since a rogue user will still be able to directly invoke
> > REST endpoints to do some nasty stuff.
> >
> > I'm not sure if authorization / fine-grained permissions are relevant
> > here, but let's see what Pedro Igor says on that.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > + 42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > > Hi ,
> > > I want to disable client, Realm management, Authentication and
> > > Roles and want to create a user who will be able to provide only
> > > Identity provider/broker integration.
> > > I understand user needs to be in  manage-identity-providers and
> > > manage-realm for doing this activity. But with manage realm user
> > > also has access to role creation,authenciation and realm setting
> > > tabs. Any way to disable these, without going for customized themes
> > > or changing the FTL?
> > > I am looking for authorization model based solution.
> > > Regards,Madhu
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list