iFargle / headscale-webui

A simple Headscale web UI for small-scale deployments.

Division by permissions for UI? #76

Open realkarmakun opened 1 year ago

realkarmakun commented 1 year ago

Right now anyone that uses same OIDC is capable of viewing Admin Console. Is it possible to limit this besides usage of Basic Auth?

MarekPikula commented 1 year ago

It should be possible by using the groups in the OIDC provider. It could be done either on the provider side or the client. For example, the Nextcloud OIDC provider plugin has the option to constrain given OIDC clients to a specific group:
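
The client-side variant described above, as an added example that is not code from the headscale-webui project: after the OIDC library has verified the ID token (signature, issuer, audience, expiry), the web UI reads a group claim from the token and compares it with an allow-list from the environment. The variable name OIDC_ALLOWED_GROUPS, the claim name "groups", and the sample token claims are assumptions chosen for this example. Doing the check in the client means the UI no longer depends on the provider enforcing a per-client restriction; note that Keycloak's authorization-services policies and permissions are evaluated only when a resource server asks Keycloak for a decision, they do not by themselves stop a user from completing the login flow for a client.

```python
"""
Client-side OIDC group restriction for a small web UI.

Added example, not code from headscale-webui. Assumptions:
  * the OIDC library has already validated the ID token, so `claims`
    is trusted data from the provider;
  * the provider puts group membership in a "groups" claim (Keycloak
    group-membership mapper, Authentik, Authelia all can do this);
  * OIDC_ALLOWED_GROUPS is a hypothetical comma-separated env var.
Unset/empty OIDC_ALLOWED_GROUPS keeps the current open behaviour
(anyone who can log in gets the UI); set it to fail closed.
"""
import os
from typing import Any, FrozenSet, Mapping, Optional, Dict


def parse_allowed_groups(raw: Optional[str]) -> FrozenSet[str]:
    """Turn 'admins, headscale-ui' into a set; leading '/' (Keycloak
    group paths) is dropped so '/admins' and 'admins' compare equal."""
    if raw is None:
        return frozenset()
    return frozenset(
        g.strip().lstrip("/") for g in raw.split(",") if g.strip()
    )


def claim_groups(claims: Mapping[str, Any], claim_name: str = "groups") -> FrozenSet[str]:
    """Extract group names from verified token claims.

    Accepts a list of strings or a single string; any other shape
    (missing claim, dict, None) is treated as 'no groups'.
    """
    value = claims.get(claim_name)
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return frozenset()
    return frozenset(
        g.strip().lstrip("/") for g in value if isinstance(g, str) and g.strip()
    )


def is_allowed(claims: Mapping[str, Any], allowed: FrozenSet[str],
               claim_name: str = "groups") -> bool:
    """True if the token carries at least one allowed group.

    An empty allow-list means 'no restriction configured'.
    """
    if not allowed:
        return True
    return not allowed.isdisjoint(claim_groups(claims, claim_name))


def authorize_from_env(claims: Mapping[str, Any]) -> bool:
    """Decision point to call right after the OIDC callback succeeds."""
    return is_allowed(claims, parse_allowed_groups(os.environ.get("OIDC_ALLOWED_GROUPS")))


# Constructed sample ID-token claims (not real tokens) for a quick check.
SAMPLE_CLAIMS = {
    "alice": {"sub": "u1", "preferred_username": "alice", "groups": ["/admins", "/users"]},
    "bob":   {"sub": "u2", "preferred_username": "bob",   "groups": ["/users"]},
    "carol": {"sub": "u3", "preferred_username": "carol"},  # no groups claim at all
}


def evaluate_samples(allowed_env: str = "admins") -> Dict[str, bool]:
    """Apply the allow-list to every constructed sample user."""
    allowed = parse_allowed_groups(allowed_env)
    return {name: is_allowed(c, allowed) for name, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples("admins").items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The check belongs immediately after the OIDC callback, before a session cookie is issued; a denied user should get a 403 and no session, otherwise the rest of the UI still has to re-check on every request.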

MarekPikula commented 1 year ago

Right now, I'm working on a significant refactor of the code base (mentioned in #73), so it could be addressed from the client (headscale-webui) side as well later next month.

maltegrosse commented 1 year ago

@MarekPikula great work! Would love to have the OIDC group limitation on the client side (perhaps just as an env variable?). Keycloak is sometimes a bit complicated for this limitation :)

MarekPikula commented 1 year ago

Yup, that's the plan. First, I must finish the refactor, which takes much longer than expected. I hope to finish it by the end of the week. Once it's merged, I can work on group limitations from OIDC.

lzc256 commented 1 year ago

> @MarekPikula great work! Would love to have the OIDC group limitation on the client side (perhaps just as an env variable?). Keycloak is sometimes a bit complicated for this limitation :)

Apologies for the disturbance. I would like to know whether you have found out how to configure Keycloak to limit permissions by group. If so, could you please explain it briefly? Thanks a lot!

P.S. I have set the following policy and applied it by setting a permission with it, but it just didn't work: any user is able to log in and access headscale-webui even though the user is not in the group.

[screenshots: the Keycloak policy and the permission using it]

lzc256 commented 1 year ago

btw, found something strange:

[screenshot: Keycloak policy evaluation result for the user]

Evaluating the user shows that the user should be denied; however, the user can actually still log in and has access to headscale-webui.