[keycloak-user] Enabling Identity provider alone

Dmitry Telegin dt at acutus.pro
Wed Jul 4 22:08:42 EDT 2018


Hi Pedro,

> Regarding enabling authz on security-admin-console. This won't work
> because we also need changes to admin console/apis to enforce
> permission. I've replied to another thread about fine-grained
> permissions in admin console and rest apis. 

Could you please point to the message? This is of big interest for me,
thx

> We are still using roles and we also lack specific permissions for
> some parts of admin console/apis. That is something we are planning to
> review and improve in the future.

Good to hear that. Seems like this should be a popular feature, since
only for the last couple of weeks the guys have asked for help with
similar problems. See the message from Waldemar [1], he is looking for
a way to selectively allow a user access to roles without granting the
"manage-realm" role. Any ideas? I've yet come up with either creating a
custom REST endpoint, or introducing "{view,manage}-roles" in Keycloak
and waiting for next release...

Cheers,
Dmitry

[1] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014307.html

> 
> > > As far as I read the documentation, the recommendation seems to
> > > be to customize rest endpoints are not deploy them at all..
> > 
> > Not sure if I got it right ("not to deploy them at all"), could you
> > point to the docs please?
> > 
> > Dmitry
> > 
> > > 
> > > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin
> > > <dt at acutus.pro> wrote:
> > > 
> > > 
> > > Madhu,
> > > 
> > > I think that initially this was supposed to work without
> > > "manage-realm" role. If you grant a user "manage-identity-providers"
> > > role only, you'll see a perfect picture in the GUI: just the
> > > "Identity providers" section, and nothing more. However if you try to
> > > actually add a provider, you'll get a 403 Forbidden upon a request to
> > > /auth/admin/realms/$REALM/authentication/flows endpoint.
> > > 
> > > To render the identity provider creation form, the GUI indeed needs
> > > to retrieve a list of authentication flows for the realm.
> > > Unfortunately, in the REST resource it is hardcoded that the user
> > > needs to be checked for "view-realm" role (see
> > > org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
> > > 
> > > I think this is a perfect candidate for RFE, since "view-realm" is
> > > indeed too wide for the flows endpoint. I'd suggest that the
> > > restriction be changed to "view-realm OR manage-identity-providers".
> > > You can create a JIRA issue for that, and at the moment resort to one
> > > of the workarounds:
> > > - fix AuthenticationManagementResource::getFlows yourself and
> > >   recompile Keycloak (easier to do, but harder to maintain);
> > > - create a custom REST endpoint for flows with relaxed permissions,
> > >   then create a custom GUI theme to use that endpoint instead of the
> > >   standard one.
> > > 
> > > Please note that granting manage-realm + manage-identity-providers
> > > and tweaking the GUI theme to exclude unwanted elements is generally
> > > a bad idea, since a rogue user will still be able to directly invoke
> > > REST endpoints to do some nasty stuff.
> > > 
> > > I'm not sure if authorization / fine-grained permissions are relevant
> > > here, but let's see what Pedro Igor says on that.
> > > 
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > > 
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > + 42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > > 
> > > On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > > > Hi,
> > > > I want to disable client, Realm management, Authentication and
> > > > Roles and want to create a user who will be able to provide only
> > > > Identity provider/broker integration.
> > > > I understand user needs to be in manage-identity-providers and
> > > > manage-realm for doing this activity. But with manage realm user
> > > > also has access to role creation, authentication and realm setting
> > > > tabs. Any way to disable these, without going for customized themes
> > > > or changing the FTL?
> > > > I am looking for authorization model based solution.
> > > > Regards, Madhu
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user


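An added example, not part of the thread or of Keycloak: a small probe that checks how a given admin user's role set actually behaves against the admin REST API, so the 403 on the flows endpoint described above (and the absence of access to roles) is verified rather than assumed. It assumes the `/auth` context path from the thread, the default public `admin-cli` client in the realm, and the environment variables KEYCLOAK_URL, REALM, ADMIN_USER and ADMIN_PASS for a user of that realm holding realm-management client roles.

```shell
#!/bin/sh
# Added example (not from the thread). Probes which admin REST endpoints a
# realm admin user can reach, so a least-privilege role set such as
# "manage-identity-providers only" is verified instead of assumed.
# Assumed environment: KEYCLOAK_URL (e.g. https://sso.example.test), REALM,
# ADMIN_USER / ADMIN_PASS, and the default public admin-cli client.
set -eu

# Map an HTTP status from the admin API to a one-line verdict.
# Pure function: checkable without a server.
classify() {
  case "$1" in
    200) echo "allowed" ;;
    401) echo "token rejected (check realm, user or password)" ;;
    403) echo "forbidden: role set lacks the permission this endpoint checks" ;;
    404) echo "not found: wrong path or realm" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Password grant on admin-cli; prints the bearer token only.
get_token() {
  curl -sS -X POST "$KEYCLOAK_URL/auth/realms/$REALM/protocol/openid-connect/token" \
    -d "client_id=admin-cli" -d "grant_type=password" \
    -d "username=$ADMIN_USER" -d "password=$ADMIN_PASS" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# GET an admin endpoint under the realm and print the status code only.
probe() {
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $1" "$KEYCLOAK_URL/auth/admin/realms/$REALM/$2"
}

run_probe() {
  token=$(get_token)
  [ -n "$token" ] || { echo "no token obtained" >&2; exit 1; }
  # Expected for a manage-identity-providers-only admin, per the thread:
  #   identity-provider/instances -> 200 (the role this user actually holds)
  #   authentication/flows        -> 403 (endpoint is checked for view-realm)
  #   roles                       -> 403 unless view-realm/manage-realm was granted
  for path in identity-provider/instances authentication/flows roles; do
    code=$(probe "$token" "$path")
    printf '%-28s %s  %s\n' "$path" "$code" "$(classify "$code")"
  done
}

# Only contact a server when configured, so the functions can be sourced.
if [ -n "${KEYCLOAK_URL:-}" ]; then run_probe; fi
```

Re-run the probe after applying either workaround from the thread: the flows line should flip from 403 to 200 while the roles line stays 403.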