keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Add AccountRestService interfaces #16939

Open jonnytest1 opened 3 years ago

jonnytest1 commented 3 years ago

Is your feature request related to a problem? Please describe. When editing user attributes via API call I want to make sure there can be absolutely no privilege escalation; that's why I want to use the user access token as authorization to set those attributes.

Describe the solution you'd like An implementation of the interfaces defined in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java; examples are in the corresponding test file https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountRestServiceTest.java

Describe alternatives you've considered Using the admin permissions with checks and hoping no one comes along in a few months who has no clue they have to check perms.

Additional context

ath88 commented 3 years ago

You're suggesting we add support for the Account API? I am not sure that's within scope as this project has a specific focus on the admin APIs.

Calling the Account API can be done directly from your frontend - there's no need to mix those capabilities, in my perspective.

jonnytest1 commented 3 years ago

The admin APIs can also be called from the frontend; that shouldn't be the reason not to provide them to your library.

edewit commented 2 years ago

@jonnytest1 why would you want to have them? How would it be useful?

jonnytest1 commented 2 years ago

To be able to manually update your user profile while only providing an account-level token.

edewit commented 2 years ago

@jonnytest1 so you have a script that logs in for each user to change their user profile? Wouldn't that mean that you have the username and password of each user? Or how would this work? Wouldn't it be more secure to do this via the admin console?

jonnytest1 commented 2 years ago


The frontend does a backend call that is authorized by a user token. The backend then wants to set a user attribute but only has the user token, so the backend uses the admin client to update the user (however, currently you need to uplevel to an admin token to update attributes the user token would already have permissions for, since it is only updating the current user).
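The flow described in that comment, written out as an added example (it is not code from this issue, from the Keycloak project or from the admin client library): the backend takes the caller's own bearer token from the incoming request, and uses that token, rather than an admin credential, to read and update the caller's profile through Keycloak's Account REST API. Assumptions: the endpoints `GET` and `POST /realms/{realm}/account/` accept a user-representation JSON body with an `attributes` map (as in the `AccountRestService` linked above), the user token carries the `manage-account` role for the account client so Keycloak itself enforces that only the token's own user is touched, and the host name, realm and attribute names are constructed placeholders. The `fetch` implementation is injectable so the exchange can be exercised offline against a fake server.

```javascript
// Added example: update the calling user's own attributes by forwarding the
// user's bearer token to the Keycloak Account REST API, with no admin token.
// Assumed endpoints: GET /realms/{realm}/account/ and POST /realms/{realm}/account/.

const KEYCLOAK_BASE = "https://keycloak.example.test"; // constructed placeholder
const REALM = "demo";                                   // constructed placeholder

// Extract and minimally validate the bearer token from an Authorization header.
function bearerFromHeader(authorization) {
  if (typeof authorization !== "string") return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/.exec(authorization.trim());
  return m ? m[1] : null;
}

// Only attributes the backend explicitly owns may be written; anything else in
// the caller's payload is dropped so the frontend cannot smuggle in other keys.
const WRITABLE_ATTRIBUTES = new Set(["newsletter_opt_in", "preferred_locale"]); // assumed names

function filterAttributes(requested) {
  const out = {};
  for (const [k, v] of Object.entries(requested || {})) {
    if (!WRITABLE_ATTRIBUTES.has(k)) continue;
    // Keycloak stores attribute values as arrays of strings.
    out[k] = Array.isArray(v) ? v.map(String) : [String(v)];
  }
  return out;
}

// Read-merge-write against the Account API using the caller's own token. The
// token scopes the operation to that user; the backend holds no admin secret.
async function updateOwnAttributes(authorization, requestedAttributes, fetchImpl = fetch) {
  const token = bearerFromHeader(authorization);
  if (!token) return { ok: false, status: 401, reason: "missing bearer token" };

  const url = `${KEYCLOAK_BASE}/realms/${encodeURIComponent(REALM)}/account/`;
  const headers = { Authorization: `Bearer ${token}`, Accept: "application/json" };

  const current = await fetchImpl(url, { method: "GET", headers });
  if (!current.ok) return { ok: false, status: current.status, reason: "profile read failed" };
  const profile = await current.json();

  const merged = {
    ...profile,
    attributes: { ...(profile.attributes || {}), ...filterAttributes(requestedAttributes) },
  };

  const res = await fetchImpl(url, {
    method: "POST",
    headers: { ...headers, "Content-Type": "application/json" },
    body: JSON.stringify(merged),
  });
  if (!res.ok) return { ok: false, status: res.status, reason: "profile update failed" };
  return { ok: true, status: res.status, attributes: merged.attributes };
}

// Fake Keycloak for offline use: records every call and serves a constructed profile.
function makeFakeKeycloak() {
  const calls = [];
  const store = { username: "alice", attributes: { preferred_locale: ["en"] } }; // constructed
  const fetchImpl = async (url, init) => {
    calls.push({ url, method: init.method, auth: init.headers.Authorization, body: init.body });
    if (init.method === "GET") {
      return { ok: true, status: 200, json: async () => ({ ...store }) };
    }
    Object.assign(store, JSON.parse(init.body));
    return { ok: true, status: 204, json: async () => ({}) };
  };
  return { fetchImpl, calls, store };
}
```

Usage from an HTTP handler is `await updateOwnAttributes(req.headers.authorization, req.body.attributes)`. Two things to note about the design: the allow-list in `filterAttributes` keeps the backend from becoming a generic "write any attribute" proxy, and because the forwarded token is the caller's, Keycloak's own token validation (signature, expiry, audience, role) is what bounds the operation, which is the property the request above is asking for.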

edewit commented 2 years ago

Okay, thanks @jonnytest1, I get it now; guess this could be a nice-to-have.