Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

SCIM API security #8

Closed msiegenthaler closed 3 years ago

msiegenthaler commented 3 years ago

First, thanks for this great extension! What I didn't grasp is what permissions are checked on the account that calls the SCIM endpoints. I created a client with a service account and it was immediately allowed to create, modify and delete all users/groups, although I had assigned no roles to it. Is that because it was a service account, or could any user with basic login capabilities do that? That, in combination with the default settings (SCIM on in every realm, no restriction on the client), would be a pretty open door.

I then restricted the SCIM access to the specific client, which was enforced, but I am a bit unsure about the general security, especially if someone creates a new realm. Can you enlighten me?

Captain-P-Goldfish commented 3 years ago

Hi, I can understand why this is confusing, but this is an intentional feature for the sake of simplicity. I see, though, that it is necessary to update the README to explain the details.

Applying roles to specific endpoints will activate the authorization. If no roles are applied, the authorization is assumed to be turned off and anyone may access the endpoints. As soon as you apply a role to an endpoint, the authorization is enabled again, but just for this specific endpoint.

There are several use cases:

  1. Access is granted to another machine, e.g. by the Client Credentials Grant. If you activated authorization on the specific endpoints, the client must have the necessary roles applied to its service account.
  2. Let's assume you add additional functionality to Keycloak with several newly defined SCIM endpoints that use complex authorization. The endpoints are accessed by an online service that delegates user access tokens acquired by the authorization code flow to Keycloak. The online service provides HTML pages to manage the SCIM endpoints. In this case you might choose to add the client to the list of authorized clients (if the list is empty, any client is assumed to be allowed). The client itself will then delegate the token to Keycloak, and the scim-for-keycloak API checks whether the token was issued to a client in the authorized clients list and will then check the necessary roles to access the specific endpoints.

So basically, as long as an authorization list is empty, the authorization feature is disabled for this specific use case.
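The two rules in the reply above (an endpoint with no roles applied is open to any authenticated token; an empty authorized-client list accepts any client) are easy to misread, so here is a small model of them as an added example. This is constructed code, not the extension's own implementation: the token fields, the `EndpointPolicy`/`RealmScimConfig` structures and the default role name `scim-admin` are assumptions chosen for illustration. The second check function models the default-deny behaviour proposed later in this thread, where an unconfigured endpoint requires a default role instead of being open, and `open_endpoints` is the audit a practitioner would run against a realm's configuration.

```python
"""Model of the per-endpoint SCIM authorization rules described in this thread.

Constructed example, not code from scim-for-keycloak. It reproduces the
semantics the maintainer describes (empty role set = open endpoint, empty
authorized-client list = any client accepted) and contrasts them with a
default-deny variant. Field and role names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    """The parts of an access token this check needs (names are ours)."""
    client_id: str            # client the token was issued to
    roles: frozenset[str]     # realm roles carried by the token


@dataclass
class EndpointPolicy:
    """Roles configured for one SCIM endpoint, e.g. "POST /Users"."""
    required_roles: frozenset[str] = frozenset()


@dataclass
class RealmScimConfig:
    """Per-realm SCIM settings: authorized clients plus per-endpoint roles."""
    authorized_clients: frozenset[str] = frozenset()
    endpoints: dict[str, EndpointPolicy] = field(default_factory=dict)


def _client_accepted(cfg: RealmScimConfig, token: Token) -> bool:
    # Empty list means "any client", as described in the thread.
    return not cfg.authorized_clients or token.client_id in cfg.authorized_clients


def is_allowed_as_described(cfg: RealmScimConfig, endpoint: str, token: Token) -> bool:
    """Behaviour described in the maintainer's reply: unconfigured endpoint is open."""
    if not _client_accepted(cfg, token):
        return False
    policy = cfg.endpoints.get(endpoint, EndpointPolicy())
    if not policy.required_roles:
        return True                      # authorization "turned off" for this endpoint
    return bool(policy.required_roles & token.roles)


def is_allowed_default_deny(cfg: RealmScimConfig, endpoint: str, token: Token,
                            default_role: str = "scim-admin") -> bool:
    """Default-deny variant: an endpoint with no roles configured requires a
    default role (hypothetical name) instead of being open to everyone."""
    if not _client_accepted(cfg, token):
        return False
    policy = cfg.endpoints.get(endpoint, EndpointPolicy())
    required = policy.required_roles or frozenset({default_role})
    return bool(required & token.roles)


def open_endpoints(cfg: RealmScimConfig, endpoint_names: list[str]) -> list[str]:
    """Audit helper: endpoints any authenticated token can reach under the described rules."""
    return [e for e in endpoint_names
            if not cfg.endpoints.get(e, EndpointPolicy()).required_roles]


# Constructed scenario from the thread: a freshly installed extension with
# nothing configured, probed with a token from a user that has no roles.
FRESH_INSTALL = RealmScimConfig()
ROLELESS_USER = Token(client_id="account", roles=frozenset())

if __name__ == "__main__":
    print("fresh install, roleless user, POST /Users:",
          is_allowed_as_described(FRESH_INSTALL, "POST /Users", ROLELESS_USER))
    print("same request under default-deny:",
          is_allowed_default_deny(FRESH_INSTALL, "POST /Users", ROLELESS_USER))
```

Note that the client-list check and the role check are independent: restricting the authorized clients does not close an endpoint that still has no roles, and applying roles to one endpoint leaves its siblings open. Both checks have to be configured for every endpoint of every realm to get the behaviour most people expect.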

Captain-P-Goldfish commented 3 years ago

Please close the ticket if this has answered your question. If not feel free to clarify if I misunderstood your problem.

msiegenthaler commented 3 years ago

Thanks a lot for the explanation, this makes it clearer. I'm still concerned about the defaults that are chosen. I just tested with a realm of mine where I didn't configure SCIM at all (it was enabled by default after installing the extension): any access token (I took one from a user without any roles) was now able to read and modify all user/group data in Keycloak. I think this is a huge security risk. Say somebody activates the extension and wants to configure it later on: basically all their data will be open to any attacker, not only Keycloak's but of course also the data of the applications connected to Keycloak. It's made even worse by the fact that they might think that SCIM didn't even load, because they can't see it in the Keycloak navigation (because they failed to follow the manual and activate the theme).

What I propose:

Option c) seems the least attractive to me, but is probably the easiest. Option b) would be pretty nice I think because it'd be the least surprising thing (of course only someone who can add a user in Keycloak itself will be able to do so via SCIM). Option a) is the obvious one although a bit intrusive.

Just curious: What is the use case of using SCIM without Authorization (or even Authentication)? Seems pretty risky to me

BTW: I'm glad to contribute something, as soon as we figure out the best way to do it

Captain-P-Goldfish commented 3 years ago

I agree this is something that should be fixed. This is one of the problems when someone works alone on such projects. It did not occur to me that someone would leave the endpoints unconfigured after installation...

Tip: best way to do it:

  1. create the role in class RealmRoleInitializer
  2. apply the roles in ScimResourceTypeService#createNewResourceTypeEntry(ResourceType, RealmModel)

EDIT: this will have an impact on the integration tests. Note on the integration tests: they currently run only with the local setup, since the selenium-testcontainers Docker image does not seem to work with the current version of Docker Desktop for Windows.

msiegenthaler commented 3 years ago

I created #9 and #10 to tackle the issue. Let me know what you think

Captain-P-Goldfish commented 3 years ago

I added a readme to the integration-test module: https://github.com/Captain-P-Goldfish/scim-for-keycloak/tree/master/scim-for-keycloak-frontend-integration-tests

Captain-P-Goldfish commented 3 years ago

I am going to close this one. I added some security considerations into the README.MD file