Alvearie / keycloak-extensions-for-fhir

Keycloak extensions for FHIR
Apache License 2.0

Support associating a serviceAccount user with a particular group #33

Open lmsurpre opened 2 years ago

lmsurpre commented 2 years ago

Since the IBM FHIR Server defaults to using the group claim when mapping to security-role, requests from a serviceAccount (like in the newly introduced SMART Backend Services config) must belong to a group in order to be considered authorized.

Tasks for making this easier to implement

  1. support configuration of group membership for service accounts
  2. update the smart-backend-services sample config to ensure the infernoBulk client's service account (service-account-infernoBulk) is associated with the fhirUser group

Here's what those steps look like from the UI: [image: keycloak console]
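As an added example (not code from the issue, nor from the keycloak-extensions-for-fhir project), the script below carries out step 2 of the task list programmatically against the Keycloak Admin REST API: resolve the client by its `clientId`, fetch its service-account user, resolve the target group by exact name, and add the membership only if it is missing. The realm name `fhir`, the `KEYCLOAK_URL`/`KEYCLOAK_TOKEN` environment variables and the made-up UUIDs are assumptions; `FakeKeycloak` is a constructed in-memory stand-in for the five routes used, so the flow can be run offline.

```python
"""Join a Keycloak client's service-account user to a group (Admin REST API).
Added example, not project code. Assumes realm "fhir", an admin bearer token
obtained elsewhere (KEYCLOAK_TOKEN), and the standard /admin/realms/{realm}
routes. FakeKeycloak is a constructed stand-in with made-up UUIDs."""
import json
import os
import urllib.parse
import urllib.request
from typing import Any, Callable, Optional

# Transport shape: (method, path, json_body) -> decoded JSON body or None.
Http = Callable[[str, str, Optional[dict]], Any]


def keycloak_http(base_url: str, token: str) -> Http:
    """Real transport against a Keycloak Admin API using a bearer token."""
    def call(method: str, path: str, body: Optional[dict] = None) -> Any:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:  # HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


def client_uuid(http: Http, realm: str, client_id: str) -> str:
    # ?clientId= filters on the human-readable id; every other client route
    # is keyed by the UUID, so resolve that first and insist on one exact hit.
    q = urllib.parse.quote(client_id, safe="")
    hits = [c for c in http("GET", f"/admin/realms/{realm}/clients?clientId={q}", None)
            if c.get("clientId") == client_id]
    if len(hits) != 1:
        raise LookupError(f"client {client_id!r}: {len(hits)} matches")
    return hits[0]["id"]


def group_id(http: Http, realm: str, name: str) -> str:
    # ?search= is a substring match ("fhirUser" also returns "fhirUserAdmin"),
    # so filter to the exact name instead of taking the first result.
    q = urllib.parse.quote(name, safe="")
    hits = [g for g in http("GET", f"/admin/realms/{realm}/groups?search={q}", None)
            if g.get("name") == name]
    if len(hits) != 1:
        raise LookupError(f"group {name!r}: {len(hits)} matches")
    return hits[0]["id"]


def ensure_service_account_in_group(http: Http, realm: str, client_id: str, group: str) -> bool:
    """Return True if a membership was added, False if it already existed."""
    cid = client_uuid(http, realm, client_id)
    # The service-account-<clientId> user only exists when the client has
    # service accounts enabled; otherwise this route returns 404.
    user = http("GET", f"/admin/realms/{realm}/clients/{cid}/service-account-user", None)
    gid = group_id(http, realm, group)
    current = http("GET", f"/admin/realms/{realm}/users/{user['id']}/groups", None)
    if any(g["id"] == gid for g in current):
        return False  # idempotent: safe to run on every (re)deploy
    http("PUT", f"/admin/realms/{realm}/users/{user['id']}/groups/{gid}", None)
    return True


class FakeKeycloak:
    """Constructed in-memory stand-in for the five routes used above (not a
    Keycloak emulator). Client/group names come from the issue; UUIDs are made up."""
    def __init__(self) -> None:
        self.clients = {"c-1": {"id": "c-1", "clientId": "infernoBulk"}}
        self.sa_users = {"c-1": {"id": "u-1", "username": "service-account-infernobulk"}}
        self.groups = [{"id": "g-1", "name": "fhirUser"}, {"id": "g-2", "name": "fhirUserAdmin"}]
        self.memberships = {"u-1": set()}
        self.calls = []

    def __call__(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        self.calls.append((method, path))
        url = urllib.parse.urlsplit(path)
        qs = urllib.parse.parse_qs(url.query)
        p = url.path.split("/")[4:]  # drop '', 'admin', 'realms', <realm>
        if p == ["clients"]:
            want = qs.get("clientId", [None])[0]
            return [c for c in self.clients.values() if want in (None, c["clientId"])]
        if len(p) == 3 and p[0] == "clients" and p[2] == "service-account-user":
            return self.sa_users[p[1]]
        if p == ["groups"]:
            want = qs.get("search", [""])[0]
            return [g for g in self.groups if want in g["name"]]
        if len(p) == 3 and p[0] == "users" and p[2] == "groups" and method == "GET":
            return [g for g in self.groups if g["id"] in self.memberships[p[1]]]
        if len(p) == 4 and p[0] == "users" and p[2] == "groups" and method == "PUT":
            self.memberships[p[1]].add(p[3])
            return None
        raise KeyError(f"unhandled {method} {path}")


def demo():
    """Run the flow twice against the fake: first call adds, second is a no-op."""
    kc = FakeKeycloak()
    first = ensure_service_account_in_group(kc, "fhir", "infernoBulk", "fhirUser")
    second = ensure_service_account_in_group(kc, "fhir", "infernoBulk", "fhirUser")
    return first, second, sorted(kc.memberships["u-1"])


if __name__ == "__main__":
    if os.environ.get("KEYCLOAK_URL") and os.environ.get("KEYCLOAK_TOKEN"):
        http = keycloak_http(os.environ["KEYCLOAK_URL"], os.environ["KEYCLOAK_TOKEN"])
        print(ensure_service_account_in_group(http, "fhir", "infernoBulk", "fhirUser"))
    else:
        print(demo())  # (True, False, ['g-1'])
```

The exact-name filter in `group_id` matters because the Admin API's `search` parameter is a substring match; taking the first hit could grant membership in the wrong group. Because the membership check makes the call idempotent, the script can be wired into the same deployment step that registers the client, which is the gap the issue describes for service-account users that default groups do not cover.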

lmsurpre commented 2 years ago

For "normal" users, Keycloak supports the notion of a "default group" and we use that to ensure all users will get the group membership by default. What would be nice is if there were a similar concept for service account users... otherwise we're stuck either: A. registering all clients via keycloak-config; or B. documenting how to manually add the service accounts to the fhirUser group.