Keycloak: Role based client log-in access restriction for users

I am trying to achieve a fairly simple use case of role-based client application (VueJS multi-page applications) control using Keycloak.

Client role mapping

As shown in the image, I have three different roles and three different clients in a single realm.
The arrows in the image represent which role can access which client.

So my main objectives are,

  • A user with the Viewer role should only be able to log in to the Viewer Application. If the same user tries to access the Operator Application or Admin Application, Keycloak should simply deny this user from doing so.
  • The same rules should apply to users with the Admin and Operator roles. Users with the Admin role should be able to log in to any of these applications via Keycloak.

To achieve this use case I tried the following ways:

  • First by appropriate role mapping to users and role creation in the clients. In this case, I created realm-level roles and then client-level roles, then assigned the appropriate roles to the users created in the Users section.
  • Enabling Authorization. In the policies, I removed the default policy that grants all users access to the client, and created a User policy and a Client policy to restrict access to the client application.
  • Also tried with a Group-based authorization policy. In this case, I created a group with a client role, then assigned users to these groups and enabled them from the Authorization Group policy.

But unfortunately none of this works, meaning my user with the Viewer role can log in to my admin application, which is just strange.

Suraj Avatar asked Jul 31 '19 09:07





2 Answers

You can do this without extensions.

  • Copy the desired flow (e.g. the browser flow)
  • Create a new sub flow (e.g. for the browser forms) and call it Access By Role and select generic as type.
  • For the new sub flow ensure that CONDITIONAL is selected in the flow overview.
  • For the new sub flow add execution Condition - User Role, make it REQUIRED and configure it:
    • alias: admin-role-missing
    • role: admin (or whatever your role is)
    • negate: true
  • Add another execution: Deny Access and make it REQUIRED as well.

The final result should look similar to this: (screenshot)

This will deny access if the condition "admin-role-missing" is true.

You can also learn more from the docs: explicitly-deny-allow-access-in-conditional-flows

Also, don't forget to go to your client and select the flow in the authentication overrides.

Stuck Avatar answered Sep 20 '22 20:09

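The same steps driven through the Keycloak admin REST API instead of the console, as an added example that is not part of the answer above. It assumes the standard admin endpoints under `/admin/realms/{realm}/authentication`, the provider ids `conditional-user-role` (Condition - User Role) and `deny-access-authenticator` (Deny Access), and that authenticator's config keys `condition_user_role` and `negate`; verify these against your Keycloak version.

```python
import json
import urllib.parse
import urllib.request


def admin_caller(base_url, token):
    """Return call(method, path, body) for the Keycloak admin REST API (assumed standard
    endpoints). base_url is the server root (/auth suffix on legacy builds), path is relative to /admin."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + "/admin" + urllib.parse.quote(path),
                                     data=data, method=method,
                                     headers={"Authorization": "Bearer " + token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


def build_role_gate(call, realm, role, new_flow="browser-role-gate", source="browser"):
    """Copy `source`, add a CONDITIONAL 'Access By Role' sub-flow to its forms sub-flow
    holding 'Condition - User Role' (negated) and 'Deny Access'; return the new flow id."""
    base = "/realms/" + realm + "/authentication"
    forms = new_flow + " forms"        # the copy prefixes sub-flow aliases with the new name
    gate, alias = "Access By Role", role + "-role-missing"
    call("POST", base + "/flows/" + source + "/copy", {"newName": new_flow})
    call("POST", base + "/flows/" + forms + "/executions/flow",
         {"alias": gate, "type": "basic-flow", "description": "deny users without role " + role})
    sub = next(e for e in call("GET", base + "/flows/" + forms + "/executions")
               if e.get("displayName") == gate)
    call("PUT", base + "/flows/" + forms + "/executions", {"id": sub["id"], "requirement": "CONDITIONAL"})
    steps = (("conditional-user-role",
              {"alias": alias, "config": {"condition_user_role": role, "negate": "true"}}),
             ("deny-access-authenticator", None))
    for provider, config in steps:
        call("POST", base + "/flows/" + gate + "/executions/execution", {"provider": provider})
        ex = [e for e in call("GET", base + "/flows/" + gate + "/executions")
              if e.get("providerId") == provider][-1]        # the execution just appended
        call("PUT", base + "/flows/" + gate + "/executions", {"id": ex["id"], "requirement": "REQUIRED"})
        if config:   # negate=true: the condition holds when the role is MISSING, so Deny Access runs
            call("POST", base + "/executions/" + ex["id"] + "/config", config)
    return next(f["id"] for f in call("GET", base + "/flows") if f["alias"] == new_flow)


def bind_browser_flow(call, realm, client_uuid, flow_id):
    path = "/realms/" + realm + "/clients/" + client_uuid   # the client's authentication overrides
    rep = call("GET", path)
    rep["authenticationFlowBindingOverrides"] = {"browser": flow_id}
    call("PUT", path, rep)
    return rep["authenticationFlowBindingOverrides"]
```

Run `build_role_gate` once per protected client role and bind each resulting flow to the matching client, so a Viewer-only user never gets past the admin application's browser flow.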


I managed almost the same problem using a Keycloak extension SPI. After the deployment you will have an additional configurable "execution" available in authentication flows, named "Validate User Role".

The auth flow then looks like: (image: example auth flow)

This execution must be placed after the "Username Password Form" (or other form which authenticates user) or the authentication will fail.

The source code is here : https://github.com/ValentinChirikov/kc_user_role_validate_extension

valc Avatar answered Sep 19 '22 20:09
