Keycloak User Role Mapping and Permissions - keycloak

How can I write and apply a policy so that a user has only a single role at a time in Keycloak, and so that a user can only assign roles to other users based on the policies? I have seen that in the latest version of Keycloak they removed support for the map-role fine-grained policies. Could you please let me know how I can achieve this?

Create role-based policies by selecting only one role. Associate that policy with a resource when creating permissions.
For more information, refer to the Keycloak documentation.

Related

how to properly configure sso via keycloak in minio?

I entered the following data, but after applying these settings the login does not go through, and several questions arise. During authorization the user is sent back to the MinIO page, and so on indefinitely.
MINIO_IDENTITY_OPENID_CONFIG_URL=https://test.local.ru/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_CLIENT_ID="292085223830"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="12344556"
MINIO_IDENTITY_OPENID_SCOPES=openid
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC==https://minio.local.ru/*
How do I even work out why it sends me back to the page? Are there any logs? I don't understand how to debug this.
Do I still need to have policies and users that are in SSO? If you start it, you need to specify the access key. It is unclear why authorization is needed then, if you still get the keys to log in.
Is it possible to enable both OpenID and standard authorization at the same time?
I finally figured out this problem.
You need to go to the Roles section of your Keycloak SSO client and create a role with a name equal to a policy name from MinIO, for example:
role name: consoleAdmin or readonly
Apart from the name, you do not need to fill in any attributes for the role; do not make it composite.
After adding the role, two steps remain.
Create a mapper with a claim name (the name can be anything), for example minio-roles:
mapper type - User Client Role
claim JSON type - String
client ID - the name of your SSO client
token claim name - minio-roles
Then it remains to assign this role to users in the Users section:
user - Role mapping - Client roles (select the SSO client) - select the right role for this user
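One thing the steps above do not spell out is that MinIO reads the policy names from whichever claim MINIO_IDENTITY_OPENID_CLAIM_NAME names (the default, and the value in the question, is `policy`), so the mapper's token claim name has to match it exactly; a token that carries `minio-roles` while MinIO is looking for `policy` grants nothing and produces exactly the redirect loop described. The following Python is an added example, not code from the question, the answer or MinIO: it lints a MinIO OpenID environment (the one from the question sets MINIO_IDENTITY_OPENID_CLIENT_ID twice and has a doubled `=` in MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC) and then mimics MinIO's claim-to-policy lookup on constructed, unsigned tokens. The sample tokens, user names and the helper names are assumptions for the example; the set of built-in policy names is MinIO's.

```python
import base64
import json

# Constructed sample: the environment from the question, reproduced as test input.
# It carries two defects: CLIENT_ID is set twice and REDIRECT_URI_DYNAMIC has a doubled '='.
SAMPLE_ENV = """\
MINIO_IDENTITY_OPENID_CONFIG_URL=https://test.local.ru/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_CLIENT_ID="292085223830"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="12344556"
MINIO_IDENTITY_OPENID_SCOPES=openid
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC==https://minio.local.ru/*
"""

# Policies MinIO ships with; a claim naming none of them gives the login no access at all.
BUILTIN_POLICIES = {"consoleAdmin", "readonly", "readwrite", "writeonly", "diagnostics"}


def parse_env(text):
    """Parse KEY=VALUE lines into a dict and report suspicious lines."""
    values, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: no '=' in {line!r}")
            continue
        if value.startswith("="):
            problems.append(f"line {lineno}: {key} has a doubled '='")
            value = value.lstrip("=")
        if key in values:
            problems.append(f"line {lineno}: {key} set twice, last value wins")
        values[key] = value.strip().strip('"')
    return values, problems


def make_unsigned_jwt(payload):
    """Constructed alg=none token for offline use only; never accept such a token in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(payload)}."


def token_claims(jwt):
    """Decode the payload WITHOUT verifying the signature (diagnostic aid only;
    MinIO itself verifies the token against the provider's JWKS before reading claims)."""
    body = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def policies_from_token(env_values, claims):
    """Mimic MinIO's lookup: read the claim named by MINIO_IDENTITY_OPENID_CLAIM_NAME
    (default 'policy'); its value may be a comma-separated string or a JSON array.
    Returns (set of matched built-in policies, diagnostic message)."""
    claim_name = env_values.get("MINIO_IDENTITY_OPENID_CLAIM_NAME", "policy")
    raw = claims.get(claim_name)
    if raw is None:
        return set(), (f"token has no {claim_name!r} claim; the Keycloak mapper's "
                       f"token claim name must equal MINIO_IDENTITY_OPENID_CLAIM_NAME")
    names = raw if isinstance(raw, list) else [p.strip() for p in str(raw).split(",")]
    matched = {n for n in names if n in BUILTIN_POLICIES}
    unknown = sorted(set(names) - matched)
    return matched, (f"unknown policy names ignored: {unknown}" if unknown else "ok")


if __name__ == "__main__":
    env, problems = parse_env(SAMPLE_ENV)
    print("config problems:", problems)
    # Claim named 'minio-roles' as in the answer, while the env expects 'policy': no access.
    tok = make_unsigned_jwt({"sub": "alice", "minio-roles": ["consoleAdmin"]})
    print(policies_from_token(env, token_claims(tok)))
    tok = make_unsigned_jwt({"sub": "bob", "policy": "readonly, nosuch"})
    print(policies_from_token(env, token_claims(tok)))
```

Run it against the environment you actually deploy and a token copied from the browser's network tab (or from `kcadm.sh`) to see which policy names MinIO will end up with; an empty set explains a silent redirect loop far faster than the MinIO logs do.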

Keycloak impersonation only for certain users

I am currently trying to set up Keycloak for a production scenario in which I have different contexts, each with users and admins. An admin should only be able to impersonate users from his own context.
Giving an admin permission to impersonate all users is not a problem, but how can I solve the task above? Can one of Keycloak's built-in concepts (groups, roles, realms, scopes, etc.) help me?
You have to enable --features=admin-fine-grained-authz and then:
Put your users into a group.
Create another user and grant this user the "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm).
Go to your group, enable permissions, open the "view" permission and add a user policy that allows the user to view the group, then repeat for the "view-members" permission.
Find more details here
and here

Realm policies are being ignored while getting token

I have two realms: a public web app and an extranet that only employees can access.
I have tried setting group policies.
When I try to connect with a non-employee user, Keycloak still returns the access token.
What did I miss?
EDIT:
I made a mistake, I only have 2 clients.
You have to limit the access granted by your access token to achieve this. There are three ways to do it (that I know of):
Audience: allows listing the resource providers that should accept an access token.
Roles: by controlling which roles a client has access to, it is possible to control which roles an application can access on behalf of the user.
Scope: in Keycloak, scopes are created through client scopes, and an application can only have access to a specific list of scopes.
You can look at this example, which explains the flow of how to achieve this using the role-based method. You can refer to this as well.
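Whichever of the three mechanisms you pick, Keycloak will still issue a token to any valid user of the realm; the restriction only bites when the extranet's resource server checks the token. As an added example that is not part of the question or the answer, the Python below applies all three gates (audience, client role, client scope) to constructed, unsigned stand-in tokens so the effect of each is visible. The client id `extranet`, the role `employee` and the scope `extranet-access` are assumed names; a real resource server must verify the RS256 signature against the realm's JWKS before trusting any of these claims, which this example deliberately leaves out.

```python
import base64
import json

# Assumed names for this example (not from the question): the employees-only
# client, the client role that marks an employee, and the client scope the
# extranet token must carry.
EXTRANET_CLIENT = "extranet"
EMPLOYEE_ROLE = "employee"
EXTRANET_SCOPE = "extranet-access"


def _b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_token(payload):
    """Constructed, unsigned (alg=none) stand-in for a Keycloak access token."""
    header = _b64url_json({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_json(payload)}."


def claims_of(token):
    """Decode the payload without verifying it: signature verification against the
    realm's JWKS is a precondition in production and is out of scope here."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def check_extranet_access(token, now):
    """Apply the three gates from the answer (audience, client role, scope) and
    return (allowed, reason). `now` is a Unix timestamp, passed in for testability."""
    c = claims_of(token)
    if c.get("exp", 0) <= now:
        return False, "token expired"
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud          # 'aud' may be a string or a list
    if EXTRANET_CLIENT not in aud:
        return False, f"audience {aud} does not include {EXTRANET_CLIENT}"
    if EXTRANET_SCOPE not in c.get("scope", "").split():  # Keycloak emits a space-separated 'scope'
        return False, f"scope lacks {EXTRANET_SCOPE}"
    roles = c.get("resource_access", {}).get(EXTRANET_CLIENT, {}).get("roles", [])
    if EMPLOYEE_ROLE not in roles:
        return False, f"no {EMPLOYEE_ROLE} client role for {EXTRANET_CLIENT}"
    return True, "ok"


NOW = 1_700_000_000  # fixed clock for the constructed tokens

EMPLOYEE_TOKEN = make_token({
    "sub": "alice", "exp": NOW + 300, "aud": ["extranet", "account"],
    "scope": "openid profile extranet-access",
    "resource_access": {"extranet": {"roles": ["employee"]}},
})
# Same realm, logged into the public web app only: a perfectly valid token that is
# useless at the extranet because audience, scope and role are all missing.
PUBLIC_TOKEN = make_token({
    "sub": "mallory", "exp": NOW + 300, "aud": "webapp",
    "scope": "openid profile",
    "resource_access": {"webapp": {"roles": ["customer"]}},
})
# Audience and scope present but the wrong role, to show the gates are independent.
CONTRACTOR_TOKEN = make_token({
    "sub": "bob", "exp": NOW + 300, "aud": ["extranet"],
    "scope": "openid extranet-access",
    "resource_access": {"extranet": {"roles": ["contractor"]}},
})

if __name__ == "__main__":
    for name, tok in [("employee", EMPLOYEE_TOKEN), ("public", PUBLIC_TOKEN), ("contractor", CONTRACTOR_TOKEN)]:
        print(name, check_extranet_access(tok, NOW))
```

In practice you configure one of the three in Keycloak (an audience mapper on the extranet client, a client-role restriction via the client's scope tab, or a dedicated client scope) and check the corresponding claim; checking all three costs nothing and means a misconfiguration of one does not silently open the door.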

Keycloak authorization

Hi, I'm pretty new to Keycloak and I don't understand some basic things about authorization. I have a REST API that exposes some resources, and I want users to have different roles depending on the resource. For example: I have users, cars and two roles (roleA, roleB). I want to assign roleA to userA for carA. Can I do this in Keycloak? How?
Thanks!
Yes, that can be done, and easily, via the Keycloak admin console:
Create a realm
Create a client in the realm for your application
Create roles (either realm roles or client roles)
Create resources
Create role-based policies by selecting the relevant role
Create permissions by associating the created resources with the created policies
The question is a bit vague, but yes, you can do this in Keycloak.
Out of the box, Keycloak supports users and roles. It provides APIs and UIs to manage these. If your app is configured to use Keycloak as its source of identity, you can access Keycloak user and role information in your app.
I'm not totally clear on how your "car" concept relates to users and roles, or where you want to manage it. But you have a couple of options:
Turn your app into an OAuth resource server and have Keycloak provide identity information via tokens. Do your car business logic in your app. You'll want to read up on how OAuth works if you're not familiar with it.
It is possible to extend Keycloak to add custom domain objects, such as Car. More on how to do that here.
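What the first answer's six steps produce is a set of resources, role policies and permissions in the client's authorization settings, and the per-resource binding the question asks for ("roleA for carA") lives in the permission, not in the role. As an added example, not code from either answer or from Keycloak, the Python below builds such a fragment in the shape of a Keycloak realm export's `authorizationSettings` (the field names and the JSON-encoded `config` values are how I know the export format; treat that shape as an assumption) and evaluates it the way Keycloak's policy enforcer would: a role policy passes when the user holds the listed roles, a permission grants when its applied policies pass under its decision strategy, and a resource is allowed when any permission grants it. The car, role and policy names are constructed for the example.

```python
import json

# Constructed fragment in the shape of a Keycloak realm export's
# "authorizationSettings" for the REST API's client (assumed shape): one resource
# per car, one role policy per role, and a resource-based permission per car.
AUTHZ_SETTINGS = {
    "resources": [
        {"name": "carA", "type": "urn:cars:car", "uris": ["/cars/carA"]},
        {"name": "carB", "type": "urn:cars:car", "uris": ["/cars/carB"]},
    ],
    "policies": [
        {"name": "Has roleA", "type": "role", "logic": "POSITIVE",
         "config": {"roles": json.dumps([{"id": "roleA", "required": False}])}},
        {"name": "Has roleB", "type": "role", "logic": "POSITIVE",
         "config": {"roles": json.dumps([{"id": "roleB", "required": False}])}},
        # Permissions are resource-type policies that apply policies to resources.
        {"name": "carA permission", "type": "resource", "decisionStrategy": "UNANIMOUS",
         "config": {"resources": json.dumps(["carA"]), "applyPolicies": json.dumps(["Has roleA"])}},
        {"name": "carB permission", "type": "resource", "decisionStrategy": "UNANIMOUS",
         "config": {"resources": json.dumps(["carB"]), "applyPolicies": json.dumps(["Has roleB"])}},
    ],
}


def role_policy_grants(policy, user_roles):
    """Role policy semantics: the user must hold every role flagged 'required'
    and at least one of the listed roles; NEGATIVE logic inverts the result."""
    wanted = json.loads(policy["config"]["roles"])
    required = {r["id"] for r in wanted if r.get("required")}
    listed = {r["id"] for r in wanted}
    ok = required <= user_roles and bool(listed & user_roles)
    return ok if policy.get("logic", "POSITIVE") == "POSITIVE" else not ok


def evaluate(settings, user_roles, resource_name):
    """Minimal policy decision point: may a user holding user_roles access
    resource_name? A permission grants when its applied policies pass under its
    decision strategy; the resource is allowed if any permission grants it
    (the resource server's default AFFIRMATIVE strategy across permissions).
    Only role policies are modelled; other policy types raise."""
    by_name = {p["name"]: p for p in settings["policies"]}
    user_roles = set(user_roles)
    for perm in settings["policies"]:
        if perm["type"] != "resource":
            continue
        if resource_name not in json.loads(perm["config"]["resources"]):
            continue
        votes = []
        for name in json.loads(perm["config"]["applyPolicies"]):
            pol = by_name[name]
            if pol["type"] != "role":
                raise NotImplementedError(f"policy type {pol['type']} not modelled here")
            votes.append(role_policy_grants(pol, user_roles))
        strategy = perm.get("decisionStrategy", "UNANIMOUS")
        if votes and ((strategy == "UNANIMOUS" and all(votes))
                      or (strategy == "AFFIRMATIVE" and any(votes))):
            return True
    return False


if __name__ == "__main__":
    for roles, car in [({"roleA"}, "carA"), ({"roleA"}, "carB"), ({"roleB"}, "carB"), (set(), "carA")]:
        print(sorted(roles), car, evaluate(AUTHZ_SETTINGS, roles, car))
```

The point to take from it: a user with roleA is allowed carA and denied carB even though the same role exists on both, because the binding between role and car is the permission. When the mapping changes per user rather than per role (userA gets carA, userB gets carB), a user or group policy, or an attribute on the resource plus a JavaScript policy, replaces the role policy in the same structure.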

How to apply role to user in Dreamfactory?

Making my first steps with DreamFactory and following the tutorial, I cannot find how to apply a role to a user when I want the user to access some service (and not an app).
Here
http://wiki.dreamfactory.com/DreamFactory/Tutorials/Accessing_SQL_tables
it is described how to create such a role, but on the User tab there is no place to apply roles for services; there is only a list of apps.
How can I achieve this?
I'll do my best to explain.
Access to services is always controlled by Roles. You can have as many or as few Roles as you like.
Apps (API keys) can have a default Role, but it is not required.
If the app has a default Role, then no JWT is needed for access. The call is made with the API key only, and the default Role is used to allow or deny access to services.
If the app does NOT have a default Role, then a user session (JWT) needs to be included in the call, in which case the User and App are correlated to a Role, and that Role is used to allow or deny access to services. A User may have a different Role for each App.
Assigning the user-to-app-to-role relationship is done via the User management tab.
So with that in mind, you need to create a Role that defines access to your desired services. Then you need to assign that Role to the user for a particular app (API key). Then when you make your API calls you will make them with the user's session and the API key included, and the Role will allow or deny access to services as you defined it.
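The decision the answer describes has a security edge worth seeing in code: an app with a default Role authorizes callers on the API key alone, so that key becomes a bearer credential for everything the default Role permits. The Python below is an added example, not DreamFactory's code or schema; it models the resolution rule exactly as the answer states it (default Role if the app has one, otherwise the user's Role for that app from the session) over constructed sample apps, users and service grants, all of whose names are assumptions.

```python
# Constructed sample data standing in for DreamFactory's apps (keyed by API key),
# user-app-role assignments and role service access; names are assumptions.
APPS = {
    "public-key-123": {"name": "public-site", "default_role": "public_read"},
    "intranet-key-456": {"name": "intranet", "default_role": None},
}
USER_APP_ROLES = {
    ("alice", "intranet"): "sales_db_rw",
    ("alice", "public-site"): "public_read",   # a user may hold a different Role per App
}
ROLE_SERVICE_ACCESS = {                        # (service, HTTP verb) pairs a Role permits
    "public_read": {("db", "GET")},
    "sales_db_rw": {("db", "GET"), ("db", "POST"), ("db", "PATCH")},
}


def resolve_role(api_key, session_user=None):
    """Return (role, reason) following the answer's rule: an app with a default
    Role is authorized on the API key alone; otherwise a session (JWT) user is
    required and the (user, app) assignment decides."""
    app = APPS.get(api_key)
    if app is None:
        return None, "unknown API key"
    if app["default_role"]:
        return app["default_role"], "app default Role; no session needed"
    if session_user is None:
        return None, "app has no default Role: a user session is required"
    role = USER_APP_ROLES.get((session_user, app["name"]))
    if role is None:
        return None, f"{session_user} has no Role assigned for app {app['name']}"
    return role, "Role from the user-app assignment"


def is_allowed(api_key, service, verb, session_user=None):
    """Allow the call iff the resolved Role grants (service, verb)."""
    role, _ = resolve_role(api_key, session_user)
    return role is not None and (service, verb) in ROLE_SERVICE_ACCESS.get(role, set())


if __name__ == "__main__":
    print(resolve_role("public-key-123"))
    print(resolve_role("intranet-key-456"))
    print(resolve_role("intranet-key-456", "alice"))
    print(is_allowed("intranet-key-456", "db", "POST", "alice"), is_allowed("public-key-123", "db", "POST"))
```

If the public app's key ever leaks, everything in `public_read` is exposed to whoever holds it; keep default Roles minimal (read-only, limited services) and put anything sensitive behind an app with no default Role so a user session is mandatory.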