Open jonnytest1 opened 3 years ago
You're suggesting we add support for the Account API? I am not sure that's within scope as this project has a specific focus on the admin APIs.
Calling the Account API can be done directly from your frontend - there's no need to mix those capabilities, from my perspective.
The admin APIs can also be called from the frontend - that shouldn't be the reason not to provide them in your library.
@jonnytest1 why would you want to have them? How would it be useful?
To be able to manually update your user profile while only providing an account-level token.
@jonnytest1 so you have a script that logs in for each user to change their user profile? Wouldn't that mean that you have the username and password of each user? Or how would this work? Wouldn't it be more secure to do this via the admin console?
The frontend does a backend call that is authorized by a user token. The backend then wants to set a user attribute but only has the user token, so the backend uses the admin client to update the user (however, currently you need to uplevel to an admin token to update attributes the user token would have permissions for already, since it's only updating for the current user).
Okay, thanks @jonnytest1, I get it now. Guess this could be a nice-to-have.
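The flow described above, as an added example that is not part of this thread or of the library: the backend forwards the user's own access token to Keycloak's Account REST API (`/realms/{realm}/account`, GET then POST), so Keycloak itself restricts the update to the token's subject and no admin token is involved. It assumes Keycloak's default paths, a user token that is accepted by the account service, and an injectable `fetch` so the exchange can be exercised without a live server.

```javascript
// Added example (not from the thread or the library): updating the current
// user's own attributes through Keycloak's Account REST API with the *user's*
// access token, so the backend never has to escalate to an admin token.
// Assumptions: default Keycloak paths; the forwarded token is valid for the
// account service; attribute values are string arrays, as Keycloak expects.

const accountPath = (realm) => `/realms/${encodeURIComponent(realm)}/account`;

// Build the request the backend sends. The Bearer token is the one the
// frontend forwarded, so only that token's own subject can be modified.
function buildAccountRequest(baseUrl, realm, userToken, method, body) {
  return {
    url: `${baseUrl.replace(/\/$/, "")}${accountPath(realm)}`,
    options: {
      method,
      headers: {
        Authorization: `Bearer ${userToken}`,
        Accept: "application/json",
        ...(body ? { "Content-Type": "application/json" } : {}),
      },
      ...(body ? { body: JSON.stringify(body) } : {}),
    },
  };
}

// GET the account representation, merge the new attributes, POST the full
// representation back. fetchImpl is injectable (defaults to global fetch).
async function updateOwnAttributes(baseUrl, realm, userToken, newAttributes,
                                   fetchImpl = globalThis.fetch) {
  const get = buildAccountRequest(baseUrl, realm, userToken, "GET");
  const res = await fetchImpl(get.url, get.options);
  if (!res.ok) throw new Error(`account GET failed: ${res.status}`);
  const account = await res.json();
  const updated = {
    ...account,
    attributes: { ...(account.attributes ?? {}), ...newAttributes },
  };
  const post = buildAccountRequest(baseUrl, realm, userToken, "POST", updated);
  const res2 = await fetchImpl(post.url, post.options);
  if (!res2.ok) throw new Error(`account POST failed: ${res2.status}`);
  return updated;
}
```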
Is your feature request related to a problem? Please describe.
When editing user attributes via API call I want to make sure there can be absolutely no privilege escalation; that's why I want to use the user access token as authorization to set those attributes.
Describe the solution you'd like
An implementation of the interfaces defined in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java; examples are in the corresponding test file https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountRestServiceTest.java
Describe alternatives you've considered
Using the admin permissions with checks and hoping no one comes along in a few months who has no clue they have to check perms.
Additional context