anarsultanov / keycloak-multi-tenancy

Keycloak extension for creating multi-tenant IAM for B2B SaaS applications.
Apache License 2.0
103 stars, 11 forks

Enhancement Request: Implement Role-Based Access Control for Tenant Creation Endpoint #13

Closed. oleaasbo closed this issue 5 months ago.

oleaasbo commented 5 months ago

Currently, the POST endpoint for creating a tenant doesn't have specific restrictions. This setup could potentially allow any user with API access to create new tenants.

Suggested Enhancement: I propose implementing a role-based access control for the tenant creation endpoint. This would align with how Keycloak handles API management in general. In my current setup, I issue API tokens to my customers by creating a Keycloak client with a service account, using a predefined Keycloak client (named api-cli). This client is not allowed to interact with the Keycloak API unless I assign a service account role of realm-management - manage-clients.

Proposed Implementation: For the tenancy API, I suggest a similar approach where a service account role (e.g., realm-management - manage-tenants) is required to manage tenant creation. This role would only be assigned to my predefined api-cli client. By doing so, it ensures that API tokens held by my customers cannot create tenants unless I explicitly add this role to their service account, which I intend not to do. In my application, creating a new tenant is a paid feature, and this change would add an extra layer of control and security.

Additional Consideration: This suggestion needs some careful thought, especially in relation to the feature where users are forced to create a tenant if not a member of one. I have this feature disabled in my application, but the proposed enhancement should ideally be compatible with both scenarios.

Thank you for considering this enhancement. I believe it would be a valuable addition to the API.
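The check proposed above, written out as an added example that is not part of keycloak-multi-tenancy: the endpoint grants tenant creation only to a token carrying the hypothetical client role `manage-tenants` on the `realm-management` client (as the `api-cli` service account would), while a compatibility flag keeps the existing "user must create a tenant if not a member" flow working. The role name, client ids and tokens are constructed for the example; signature verification is assumed to have happened before this decision runs.

```python
import base64
import json

# Role name is hypothetical, taken from the proposal in this issue.
REQUIRED_CLIENT = "realm-management"
REQUIRED_ROLE = "manage-tenants"


def decode_payload(token: str) -> dict:
    """Return the JWT payload. The signature is NOT checked here: this runs
    after Keycloak (or a JWKS-backed verifier) has already validated the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_client_role(payload: dict, client_id: str, role: str) -> bool:
    """Client roles live under resource_access.<client>.roles, not realm_access."""
    return role in payload.get("resource_access", {}).get(client_id, {}).get("roles", [])


def may_create_tenant(payload: dict, force_tenant_creation: bool = False,
                      is_member_of_tenant: bool = True) -> bool:
    """Decision for the tenant creation endpoint under the proposed rule."""
    if has_client_role(payload, REQUIRED_CLIENT, REQUIRED_ROLE):
        return True  # e.g. the api-cli service account
    # keeps the existing "user must create a tenant if not a member" flow working
    return force_tenant_creation and not is_member_of_tenant


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def fake_token(payload: dict) -> str:
    """Constructed, unsigned test token: header.payload.<dummy signature>."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(payload)}.sig"


# Constructed sample tokens for the two kinds of service account in the issue.
API_CLI_TOKEN = fake_token({"azp": "api-cli",
    "resource_access": {"realm-management": {"roles": ["manage-clients", "manage-tenants"]}}})
CUSTOMER_TOKEN = fake_token({"azp": "customer-42",
    "realm_access": {"roles": ["manage-tenants"]},  # realm role: wrong place, must not count
    "resource_access": {"realm-management": {"roles": ["view-clients"]}}})

if __name__ == "__main__":
    print(may_create_tenant(decode_payload(API_CLI_TOKEN)))   # True
    print(may_create_tenant(decode_payload(CUSTOMER_TOKEN)))  # False
```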

anarsultanov commented 5 months ago

Hi @oleaasbo,

This is certainly a valid use case, but I'll need some time to consider how to implement this in a way that maintains backward compatibility.

Thank you for your suggestion!

Regards, Anar

anarsultanov commented 5 months ago

@oleaasbo could you take a look at the PR and let me know if this addresses your needs and fits into your existing setup?

oleaasbo commented 5 months ago

I am on holiday now. Will take a look on 1 Feb!

anarsultanov commented 5 months ago

No problem. I've merged the PR, but feel free to comment if this solution doesn't work for you for some reason.