Keycloak to secure multiple web applications

I am using Keycloak as an authentication service for my web application.
I have 2 applications installed as follows:
https://example.com => app1
https://example.com/new => app2
I want to restrict users to the applications, like user1 should only be allowed for app1 and user2 should only be allowed for app2.
I have created 2 resources (Authorization -> Resources) and created a user-based policy for each resource, but still all users can log in to all applications.
I even tried 2 user policies for one resource:
1. One will explicitly deny a user to the resource
2. One will explicitly allow a user to the same resource
But still, nothing has worked. Can someone please help me?
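Whether a user can authenticate is decided by the realm login, while a resource permission is only enforced when the application (or its policy enforcer) actually asks the authorization server for a decision. A quick way to see what the policies evaluate to for each user and resource is the token endpoint in UMA "decision" mode, as described in the Keycloak authorization services documentation. The script below is an added example, not code from the question; the server URL, realm name and client id are assumed placeholders, and the HTTP call is only made by `check_access`, so the request-building and response-interpreting helpers can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# All three values are assumptions for this example; adjust to your deployment.
KEYCLOAK_BASE = "http://localhost:8080/auth"
REALM = "myrealm"
RESOURCE_CLIENT_ID = "app-client"   # the client that owns the app1/app2 resources
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_decision_request(resource: str, scope: str = None) -> dict:
    """Form parameters for a permission check in decision mode.

    'permission' is the resource name, optionally followed by '#scope'.
    'response_mode=decision' asks Keycloak for a yes/no instead of an RPT.
    """
    perm = resource if scope is None else f"{resource}#{scope}"
    return {
        "grant_type": UMA_GRANT,
        "audience": RESOURCE_CLIENT_ID,
        "permission": perm,
        "response_mode": "decision",
    }


def interpret_decision(status: int, body: str) -> bool:
    """Map the token endpoint reply to a boolean.

    200 with {"result": true} means the policies granted the permission;
    403 with error=access_denied means they did not. Anything else is an
    error condition (bad token, unknown resource, ...) and is raised rather
    than silently treated as a denial so misconfiguration is visible.
    """
    data = json.loads(body) if body else {}
    if status == 200 and data.get("result") is True:
        return True
    if status == 403 and data.get("error") == "access_denied":
        return False
    raise RuntimeError(f"unexpected response {status}: {body}")


def check_access(user_access_token: str, resource: str, scope: str = None) -> bool:
    """Ask Keycloak whether the user behind this access token may use 'resource'."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    data = urllib.parse.urlencode(build_decision_request(resource, scope)).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Authorization": f"Bearer {user_access_token}"}
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_decision(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # A denial comes back as HTTP 403, which urllib raises as an exception.
        return interpret_decision(e.code, e.read().decode())


def access_matrix(token_by_user: dict, resources) -> dict:
    """Evaluate every user token against every resource, e.g.
    {"user1": {"app1": True, "app2": False}, "user2": {...}}."""
    return {
        user: {res: check_access(tok, res) for res in resources}
        for user, tok in token_by_user.items()
    }
```

Run `access_matrix({"user1": token1, "user2": token2}, ["app1", "app2"])` with access tokens obtained for each user; if the matrix shows True everywhere, the policies are not being evaluated the way you expect, and if it shows the intended pattern, the remaining gap is that app1 and app2 never enforce the decision. Note that a user whose token is rejected outright surfaces as a RuntimeError rather than a False.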

Related

Keycloak users security

I am using Keycloak 18.0 for an Angular 13 + Spring Boot app. The solution uses the microservices architecture pattern, so basically Keycloak already guards access to the other solution resources. I am using only the Keycloak REST API.
The problem is Keycloak security itself:
I want to restrict the Keycloak client token to user creation only.
Any user has to be able to:
1. Fully access and manage ONLY his own profile.
2. Have restricted access to the profiles of other users.
3. Any other operation, such as viewing other users or adjusting roles, should be enabled only if the authenticated user has some kind of permission to do it.
For example:
Anybody can create a user (signup).
After the user is verified, some role is assigned to that user.
The user logs in and acquires a token that has permissions to fully manage only his own resources, including the user itself, and has restricted access to other users and user resources.
I am not sure I want to integrate Keycloak as the resource security manager (I am considering that option, but for now only the Spring Boot Adapter was implemented to control the corresponding resources' security), but at least I would like to prevent e.g. reading the full list of users using the Keycloak client token.
I have a basic understanding of the Keycloak Resource/Policy/Permission feature, but I am not sure I understand how I can apply it to Keycloak users themselves.
Thanks a lot in advance for your help.

Number of users in one resource Keycloak

I recently used Keycloak as an authorisation server for my application, which manipulates some kind of workspaces, so I created a resource in Keycloak for each workspace and assigned users to it using the Keycloak administration console.
I wonder if there is some kind of endpoint in the Keycloak API, or another way, to get the number of users assigned to a resource.

Keycloak Resource Server authorization flow

I'm new to Keycloak and trying to find out if authorization services (Resource Server) can fit my requirements.
I have the following scenario: a client app is trying to access my API endpoints, which are behind the API gateway. I want to authenticate the app (using id and secret), and if it's App A allow it access to the endpoint /credits; if it's App B, allow it access to the endpoint /debits.
I assume that the API gateway should verify whether a call should be rejected or not.
Could you please tell me what my workflow should look like and what Keycloak functionality I should use?
I'd add the roles CREDITS_CLIENT and DEBITS_CLIENT to the API_SERVICE realm in Keycloak.
Then, I'd create app-a-service-account and app-b-service-account in that realm, the former with the CREDITS_CLIENT role and the latter with the DEBITS_CLIENT role.
In the gateway or API controller, endpoint /credits requires role CREDITS_CLIENT and endpoint /debits requires role DEBITS_CLIENT.
On each call, check if the details in the JWT include the role that authorizes the account/user to access the endpoint.

Keycloak Client settings, what URLs do I need?

I have problems setting up Keycloak for a project I'm doing.
Keycloak is running on http://localhost:8180.
A Thorntail server is running on http://localhost:8080/users, which serves data for an Angular frontend on http://localhost:4200/*. What I want is that a user can only see http://localhost:4200/sign-in without logging in. Once logged in, they can access, for example, http://localhost:4200/list-user.
I was using this guide to set up Keycloak, but I'm not sure what my Client settings should be. This is what I thought:
Root URL: http://localhost:4200/sign-in
Valid Redirect URIs: http://localhost:4200/list-user
Base URL: http://localhost:4200/sign-in
Admin URL: http://localhost:8080
Could somebody please explain the purpose of these settings, as I struggle to understand them.
Root URL is just a value that will be used for resolving relative paths.
Root: http://localhost:4200/sign-in
Valid Redirects: /* (after login the user could be redirected to any URI that matches the pattern http://localhost:4200/sign-in/*)
Base URL: / (not mandatory; used when Keycloak needs to calculate the application URL from the client_id only)
Admin URL: / (used when Keycloak needs to notify applications about revocation or when a user logs out. For example, when a user logs out of application A and also has a session in application B, Keycloak will send a backchannel request to the Admin URL of application B, so application B will also flush the user's session.)
Check out the docs and the info badges in the Admin Console.
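To make the resolution rule in the answer above concrete, here is an added example (not the answer's own code, and a simplified model of Keycloak's behaviour rather than its implementation) of how a relative Valid Redirect URI entry is resolved against the Root URL and then matched as a prefix pattern. It shows why `/*` under a Root URL of `http://localhost:4200/sign-in` does not admit `http://localhost:4200/list-user`, and why a wildcard should follow a `/` and never stand alone. The query string and fragment of the requested URI are ignored for matching, which is an assumption of this model.

```python
from urllib.parse import urlsplit, urlunsplit


def resolve_redirect(entry: str, root_url: str) -> str:
    """A relative entry (starting with '/') is resolved against the client's Root URL;
    an absolute entry is used as-is."""
    if entry.startswith("/"):
        return root_url.rstrip("/") + entry
    return entry


def _strip_query_and_fragment(uri: str) -> str:
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def redirect_allowed(requested: str, valid_entries, root_url: str) -> bool:
    """True if the requested redirect_uri matches any configured entry.

    An entry ending in '*' is a prefix pattern; any other entry must match exactly.
    """
    target = _strip_query_and_fragment(requested)
    for entry in valid_entries:
        pattern = resolve_redirect(entry, root_url)
        if pattern.endswith("*"):
            if target.startswith(pattern[:-1]):
                return True
        elif target == pattern:
            return True
    return False


def explain(requested: str, valid_entries, root_url: str) -> str:
    """Human-readable trace of the resolved patterns, handy when a login keeps
    failing with an 'invalid redirect_uri' error."""
    resolved = [resolve_redirect(e, root_url) for e in valid_entries]
    verdict = "allowed" if redirect_allowed(requested, valid_entries, root_url) else "rejected"
    return f"{requested} -> {verdict} (patterns: {', '.join(resolved)})"
```

With the questioner's Root URL of `http://localhost:4200/sign-in`, `/*` becomes `http://localhost:4200/sign-in/*`, so a post-login redirect to `/list-user` is rejected; setting the Root URL to `http://localhost:4200` (the application origin) with `/*` admits every path of the frontend and nothing else. The last two assertions in the test show the pitfall a prefix pattern has when the `*` is not preceded by a path separator: `http://localhost:4200*` would also accept a host that merely begins with `localhost:4200`, which is why the pattern should end in `/*` and a bare `*` should not be used.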

SSO with keycloak

We are considering using Keycloak as our SSO framework.
According to the Keycloak documentation for multi-tenancy support, the application server should hold all the keycloak.json authentication files, and the way to acquire those files is from the Keycloak admin. Is there a way to get them dynamically via API, or at least to get the realm public key? We would like to avoid manually adding this file for each realm to the application server (to avoid downtime, etc.).
Another multi-tenancy related question: according to the documentation, the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times? Is there an alternative?
One of our flows is a backend microservice that should be authenticated against an application (defined as a Keycloak client). We would like to avoid keeping a user/password on the server for security reasons. Is there a way that an admin can acquire a token and place it manually on the server file system for that microservice? Is there an option to generate this token in the Keycloak UI?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go: 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend microservice should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.