Closed dowhiletrue closed 2 years ago
Hi @dowhiletrue,
by default, the input definition of the CLI is the same as an export format of a realm. I have no idea if the UUID is random or if the UUID is related to the client itself.
I never worked with admin_fine_grained_authz. Is it possible to describe the flow in the UI, how I can configure the policies inside Keycloak step by step? Then I can look into it.
Hi @jkroepke
Sure, here it is:
1) add JAVA_OPTS: '-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled' in environment in docker-compose.yml and start the keycloak container
2) create a new realm: fine-grained
3) add a new group with name client-admin-group
4) add a new client using defaults and name it fine-grained-permission-client
5) navigate to the brand-new tab Permissions and set Permissions Enabled to ON
6) click Configure
7) select Create Policy and select Group
8) Enter clientadmin-policy as name and select client-admin-group, hit Save
This should enable users in the group client-admin-group to configure fine-grained-permission-client
In realm-management -> Authorization -> Policies the clientadmin-policy appears and Dependent Permissions underneath contains the client with UUID, something like configure.permission.client.[UUID].
A full export now contains the newly created entry in authorizationSettings.resources and authorizationSettings.policies
Similar use-cases can be found here
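The steps above and the original issue body both end with the same observation: the realm export grows entries under authorizationSettings.resources and authorizationSettings.policies whose names carry a UUID, e.g. configure.permission.client.[UUID]. In Keycloak that UUID is the internal id of the client the permission governs (the `id` field of that client in the same export), which is what makes such entries awkward to carry between environments. As an added example that is my own script and not code from keycloak-config-cli or from either participant, here is a small audit that walks an export, resolves each client permission's UUID back to a clientId, and lists which groups are granted through the applied group policies; it also flags permissions whose UUID matches no client at all. The sample export is constructed; the `client.resource.<uuid>` resource name and the JSON-encoded strings inside policy `config` follow the export layout as I know it from Keycloak and should be treated as assumptions to verify against your own export.

```python
import json
import re

# Constructed sample: a trimmed Keycloak realm export with one ordinary client
# and the realm-management client that carries the fine-grained admin
# permissions in its authorizationSettings. UUIDs are made up. The
# "client.resource.<uuid>" resource name and the JSON-encoded strings inside
# policy "config" follow the export layout as I know it from Keycloak; treat
# both as assumptions to check against your own export.
CLIENT_UUID = "3c9b1f4e-8a2d-4f0a-9b6e-2d5c7e1a0f11"
STALE_UUID = "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d"  # no client has this id

SAMPLE_EXPORT = {
    "realm": "fine-grained",
    "clients": [
        {"id": CLIENT_UUID, "clientId": "fine-grained-permission-client"},
        {
            "id": "7e1d2a90-0b3c-4d6e-8f10-1a2b3c4d5e6f",
            "clientId": "realm-management",
            "authorizationSettings": {
                "resources": [
                    {"name": f"client.resource.{CLIENT_UUID}", "type": "Client",
                     "scopes": [{"name": "configure"}, {"name": "manage"}]},
                ],
                "policies": [
                    {"name": "clientadmin-policy", "type": "group",
                     "config": {"groups": json.dumps(
                         [{"path": "/client-admin-group", "extendChildren": False}])}},
                    {"name": f"configure.permission.client.{CLIENT_UUID}", "type": "scope",
                     "config": {"resources": json.dumps([f"client.resource.{CLIENT_UUID}"]),
                                "scopes": json.dumps(["configure"]),
                                "applyPolicies": json.dumps(["clientadmin-policy"])}},
                    # left behind after its client was deleted: points nowhere
                    {"name": f"manage.permission.client.{STALE_UUID}", "type": "scope",
                     "config": {"resources": json.dumps([f"client.resource.{STALE_UUID}"]),
                                "scopes": json.dumps(["manage"]),
                                "applyPolicies": json.dumps(["clientadmin-policy"])}},
                ],
            },
        },
    ],
}

# <scope>.permission.client.<client uuid>, e.g. configure.permission.client.<uuid>
PERMISSION_RE = re.compile(
    r"^(?P<scope>[a-z][a-z-]*)\.permission\.client\.(?P<uuid>[0-9a-f-]{36})$")


def _json_list(config, key):
    """Policy config values are stored as JSON-encoded strings; decode one."""
    raw = config.get(key)
    return json.loads(raw) if raw else []


def resolve_client_permissions(export):
    """List every fine-grained client permission in the realm-management
    client: its scope, the clientId its UUID resolves to (None if no such
    client exists) and the group paths granted via applied group policies."""
    clients = export.get("clients", [])
    uuid_to_client_id = {c["id"]: c["clientId"] for c in clients}
    realm_mgmt = next((c for c in clients if c.get("clientId") == "realm-management"), None)
    if realm_mgmt is None:
        return []
    policies = realm_mgmt.get("authorizationSettings", {}).get("policies", [])
    by_name = {p["name"]: p for p in policies}
    results = []
    for policy in policies:
        match = PERMISSION_RE.match(policy["name"])
        if not match or policy.get("type") != "scope":
            continue
        groups = []
        for applied_name in _json_list(policy.get("config", {}), "applyPolicies"):
            applied = by_name.get(applied_name)
            if applied is not None and applied.get("type") == "group":
                groups.extend(g["path"] for g in _json_list(applied.get("config", {}), "groups"))
        results.append({
            "permission": policy["name"],
            "scope": match.group("scope"),
            "client_uuid": match.group("uuid"),
            "client_id": uuid_to_client_id.get(match.group("uuid")),
            "granted_groups": groups,
        })
    return results


def dangling_permissions(export):
    """Permission names whose UUID matches no client in the export."""
    return [r["permission"] for r in resolve_client_permissions(export)
            if r["client_id"] is None]


if __name__ == "__main__":
    for entry in resolve_client_permissions(SAMPLE_EXPORT):
        target = entry["client_id"] or f"<no client with id {entry['client_uuid']}>"
        print(f"{entry['scope']:>10} on {target}: groups {entry['granted_groups']}")
    print("dangling:", dangling_permissions(SAMPLE_EXPORT))
```

Run it against a real export (`json.load` the file and pass the dict) to see, per client, which group can configure or manage it; the dangling list is worth checking before a config-as-code import, since a permission whose client id no longer exists is exactly the kind of entry that only round-trips cleanly when the name is expressed through the clientId rather than the UUID.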
Hi,
thanks for providing a step-by-step manual.
I looked into it, and keycloak-config-cli currently does not support fine-grained authz. I implemented some additional code locally, but Keycloak throws 500 server errors without any additional information.
I or someone else will have to look deeper into it. I can't guarantee any solution soon since it's really complex from the REST API side. The documentation only provides a way through the WebUI. API calls need to be reverse engineered.
Had some success, could you try if #650 fits for you?
Take note: instead of the UUID suffix, you can use the $clientId suffix, too. See some examples in the PR.
Hi @jkroepke
At first glance, https://github.com/adorsys/keycloak-config-cli/pull/650 seems to work well using the $clientId notation.
Thank you very much!
Hi @dowhiletrue,
glad to hear that it covers your case. I currently have serious issues around removing such policies from Keycloak through keycloak-config-cli. Additionally, the new Quarkus distribution has a different behavior compared to the legacy (Wildfly) distribution. It will take some more time to merge the linked PR.
The minimal json in https://github.com/adorsys/keycloak-config-cli/issues/231#issue-727402130 creates a policy esb-token-exchange in the client realm-management.
![configure-permission](https://user-images.githubusercontent.com/6775041/155524705-b5a569b7-2c41-4505-8a09-92b64c068f8d.png)
If fine-grained authorization (keycloak.profile.feature.admin_fine_grained_authz=enabled) is enabled, the policy esb-token-exchange can be applied in client esb-token-exchange afterwards:
An export of the realm now contains additional entries in authorizationSettings.resources and authorizationSettings.policies having a UUID set in their name e.g.:
I wonder how these policies can be applied using the cli?
Env: