Comments (7)
I think this extension already supports exactly what you want to achieve. I think there is a misunderstanding regarding the role name that you can configure globally. Can you check if the information in #118 helps?
If not, please let me know and I'll try to explain in more detail.
from keycloak-restrict-client-auth.
Hello @danifr,
thanks for the feature request.
Are your roles slack_user and role_gitlab realm-level roles, or do you have two clients (slack and gitlab) each defining the corresponding role as a client-level role?
Regards
Sven-Torben
@sventorben, thanks for your quick answer.
I guess it can be either of them.
Maybe client-level role will be a bit cleaner for my use-case, but I wouldn't mind adding them as realm roles.
Full disclosure: before, I was using this SPI https://github.com/thomasdarimont/keycloak-extension-playground/tree/master/auth-require-role-extension, but unfortunately I couldn't make it work with the new version of Keycloak (Quarkus distro).
Thanks a lot!
Can you elaborate a bit, why you need different names for the roles? If client-level roles work for you, then each role is already client-specific. Why would you want to encode the client name in the role name again?
Sorry for the confusion. I will try to explain my scenario better.
We have 2 different applications protected by Keycloak: GitLab and Slack. They are using 2 different keycloak clients.
Now, of all the users I have in Keycloak, I ONLY want the ones that are in the group slack_users to be able to log in to Slack, and ONLY the ones that are in gitlab_users to be able to access GitLab. The users in slack_users and gitlab_users are not the same.
My idea is to implement this restriction via "required roles", so in this case the authentication flow for the GitLab client will require the specific role (i.e. gitlab_users_role). This role will be mapped to the members of the gitlab_users group. Likewise for Slack, but in this case with the slack_users group and slack_users_role.
But my understanding is that you can only configure one global role. So if I do:
spi-restrict-client-auth-access-provider-client-role-client-role-name=gitlab_users_role
it will only be restricting for the gitlab_users_role.
I hope this makes better sense. Thank you very much.
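The point Sven-Torben makes above (a client-level role is already client-specific, so one globally configured role name is enough) is easier to see in a small simulation. The following is an added example written for this thread, not code from keycloak-restrict-client-auth; the client, group and role names, the single configured role name "restricted-access", and the deny-by-default choice for clients that define no such role are all assumptions of the simulation.

```python
"""Simulation of a per-client "required role" check (constructed example).

Not the extension's own code: it models the decision discussed in the
thread so the effect of client-level roles can be observed.
"""
from dataclasses import dataclass, field

# One role name configured globally and applied to every client.
# (The thread shows the key
#  spi-restrict-client-auth-access-provider-client-role-client-role-name;
#  the value "restricted-access" here is an assumption.)
REQUIRED_CLIENT_ROLE = "restricted-access"

# Constructed Keycloak-like state: client -> set of client-level role names.
# The same role NAME exists on both clients but each is a distinct role.
CLIENT_ROLES = {
    "gitlab": {"restricted-access"},
    "slack": {"restricted-access"},
    "wiki": set(),  # constructed client with no restricted-access role at all
}

# Constructed group -> list of (client, client-role) mappings, i.e. the
# "role mapped to the members of the group" step from the thread.
GROUP_ROLE_MAPPINGS = {
    "gitlab_users": [("gitlab", "restricted-access")],
    "slack_users": [("slack", "restricted-access")],
}


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


def effective_client_roles(user: User) -> dict:
    """Resolve a user's client-level roles through group membership.

    Returns {client_id: {role, ...}}; a mapping to a role the client does
    not define is ignored, since such a role cannot be granted.
    """
    roles: dict = {}
    for group in user.groups:
        for client, role in GROUP_ROLE_MAPPINGS.get(group, []):
            if role in CLIENT_ROLES.get(client, set()):
                roles.setdefault(client, set()).add(role)
    return roles


def is_allowed(user: User, client_id: str,
               required_role: str = REQUIRED_CLIENT_ROLE) -> bool:
    """Allow login to client_id only if the user holds required_role
    on THAT client. Deny by default: a client that defines no such role
    admits nobody in this simulation (an assumption, not the extension's
    documented behaviour)."""
    return required_role in effective_client_roles(user).get(client_id, set())


def evaluate(users, clients):
    """Decision matrix {username: {client_id: allowed}} for inspection."""
    return {u.username: {c: is_allowed(u, c) for c in clients} for u in users}


if __name__ == "__main__":
    sample = [
        User("alice", {"gitlab_users"}),
        User("bob", {"slack_users"}),
        User("carol", {"gitlab_users", "slack_users"}),
        User("dave", set()),
    ]
    for name, row in evaluate(sample, sorted(CLIENT_ROLES)).items():
        print(name, row)
```

Because the check is scoped to the client being logged into, alice (gitlab_users only) is admitted to gitlab and refused by slack, bob the reverse, and dave, who is in neither group, by none; no per-client role name such as gitlab_users_role is needed for that separation.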
Do you think this is something that can be achieved? Thanks!!
Indeed #118 (comment) looks like exactly what I need!
Thank you very much, Sven-Torben!!!