Closed msiegenthaler closed 3 years ago
Hi, I can understand why this is confusing but this is an intentional feature due to simplicity. But I see that it is necessary to update the README to explain the details.
Applying roles to specific endpoints will activate the authorization. If no roles are applied the authorization is assumed to be turned off and anyone may access the endpoints. As soon as you apply a role to an endpoint the authorization is enabled again but just for this specific endpoint.
There are several use cases:
So basically for as long as an authorization list is empty, the authorization feature is disabled for this specific use case.
Please close the ticket if this has answered your question. If not feel free to clarify if I misunderstood your problem.
Thanks a lot for the explanation, this makes it clearer. I'm still concerned about the defaults that are chosen. I just tested with a realm of mine where I didn't configure SCIM at all (it was enabled by default after installing the extension): any access token (I took one from a user without any roles) was now able to read and modify all user/group data in Keycloak. I think this is a huge security risk - say somebody activates the extension and wants to configure it later on: basically all their data will be open to any attacker - not only Keycloak's but of course also the data of the application connected to Keycloak. It's made even worse by the fact that they might think SCIM didn't even load, because they can't see it in the Keycloak navigation (because they failed to follow the manual and activate the theme).
What I propose:
Option c) seems the least attractive to me, but is probably the easiest. Option b) would be pretty nice I think because it'd be the least surprising thing (of course only someone who can add a user in Keycloak itself will be able to do so via SCIM). Option a) is the obvious one although a bit intrusive.
Just curious: What is the use case of using SCIM without Authorization (or even Authentication)? Seems pretty risky to me
BTW: I'm glad to contribute something, as soon as we figure out the best way to do it
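The two authorization semantics discussed above, as an added illustrative model that is not code from scim-for-keycloak: an endpoint whose role list is empty is open to any authenticated caller (the behaviour the maintainer describes), versus a fail-closed variant where an unconfigured endpoint rejects everyone until roles are assigned. The class and function names, the endpoint keys such as `Users:write`, and the role name `scim-admin` are assumptions made for this example and do not correspond to the extension's real classes or roles.

```python
"""Model of "open when unconfigured" vs "fail closed" endpoint authorization.

Added example for this thread; not code from scim-for-keycloak. Every name
below (Token, AuthzPolicy, endpoint keys, role names) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for a Keycloak access token: subject plus realm roles."""
    subject: str
    roles: FrozenSet[str] = frozenset()


@dataclass
class AuthzPolicy:
    """Maps an endpoint key (e.g. 'Users:write') to the roles allowed to call it."""
    required_roles: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # True  = fail closed: unconfigured endpoints deny every caller.
    # False = the behaviour described in the thread: empty list means open.
    fail_closed: bool = True

    def is_allowed(self, endpoint: str, token: Token) -> bool:
        allowed = self.required_roles.get(endpoint, frozenset())
        if not allowed:
            # No roles configured for this endpoint: the outcome depends
            # entirely on the chosen default, which is the point of the thread.
            return not self.fail_closed
        # At least one configured role must be present on the token.
        return bool(allowed & token.roles)


def audit_open_endpoints(policy: AuthzPolicy, endpoints: List[str]) -> List[str]:
    """Return the endpoints that an arbitrary authenticated token could reach.

    This is the check an operator would want after installing the extension:
    under open-when-unconfigured semantics, every endpoint without roles
    is reachable by any token, including one from a user with no roles.
    """
    probe = Token("nobody")  # constructed token carrying no roles at all
    return [ep for ep in endpoints if policy.is_allowed(ep, probe)]


def fresh_realm_scenario() -> Dict[str, bool]:
    """Reproduce the situation reported above: freshly installed, nothing configured.

    Returns whether a role-less user token may write users under each default.
    """
    roleless_user = Token("alice")  # constructed: user with no realm roles
    open_default = AuthzPolicy(fail_closed=False)
    closed_default = AuthzPolicy(fail_closed=True)
    return {
        "open_when_unconfigured": open_default.is_allowed("Users:write", roleless_user),
        "fail_closed": closed_default.is_allowed("Users:write", roleless_user),
    }


if __name__ == "__main__":
    print(fresh_realm_scenario())
    # Partially configured realm: Users:write restricted, Groups:read untouched.
    policy = AuthzPolicy({"Users:write": frozenset({"scim-admin"})}, fail_closed=False)
    print(audit_open_endpoints(policy, ["Users:write", "Groups:read"]))
```

The `audit_open_endpoints` helper is the practical takeaway: with open-when-unconfigured semantics, restricting one endpoint says nothing about the others, so an audit has to enumerate every endpoint rather than trusting that authorization is "on".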
I agree this is something that should be fixed. This is one of the problems if someone works alone on such projects. It did not occur to me that someone would leave the endpoints unconfigured after installation...
Tip: best way to do it:
RealmRoleInitializer
ScimResourceTypeService#createNewResourceTypeEntry(ResourceType, RealmModel)
EDIT: this will have an impact on the integration tests. Note on the integration tests: the integration tests are currently only running with the local setup, since the selenium-testcontainers docker image does not seem to work with the current version of docker-desktop for windows.
I created #9 and #10 to tackle the issue. Let me know what you think
I added a readme to the integration-test module: https://github.com/Captain-P-Goldfish/scim-for-keycloak/tree/master/scim-for-keycloak-frontend-integration-tests
I am going to close this one. I added some security considerations into the README.MD file
First, thanks for this great extension! What I didn't grasp is what permissions are checked on the account that calls the SCIM endpoints. I created a client with a service account and it was immediately allowed to create, modify and delete all users/groups - I had no roles assigned to it. Is that because it was a service account, or could any user with basic login capabilities do that? That in combination with the default settings (SCIM on in every realm, no restriction on the client) would be a pretty open door.
I then restricted the SCIM access to the specific client, which was enforced, but I am a bit unsure about the general security, especially if someone creates a new realm. Can you enlighten me?