Users always get Full Access

Hi,

I’m working on applying Authorization flows to the Clients registered on my Keycloak instance, and have been able to set up a Resource-Policy-Permission chain that means only users that are part of a certain group can access the Client. This I’ve been able to Evaluate and see certain users get denied, but for some reason the users I am testing it on always get Granted Permissions: Full Access when I impersonate them to try it out.

The Authorization definitions are as follows:

  • Settings:
    Policy Enforcement Mode: Enforcing
    Remote Resource Management: Off
  • Resources:
    Default Resource (Type: urn:nodered:resources:default, URI: /*)
  • Authorization Scopes:
    None
  • Policies:
    • Name: Check role
    • Realm Role:
      • Name: Allowed
      • Required: True
    • Logic: Positive
  • Permissions
    • Name: Access site
    • Resources: Default Resource
    • Apply Policy: Check role
    • Decision Strategy: Unanimous

What messes with me is that the Evaluation works, but that it in practice doesn’t, and the user that is evaluated to be Denied can authenticate, authorize and access the client site without a problem.

Any ideas, where am I going wrong?
If any more information is needed, I’m happy to add more (albeit maybe slightly redacted).

Thanks. Let’s discuss on https://issues.redhat.com/browse/KEYCLOAK-13387.


From pedroigor @ https://issues.redhat.com/browse/KEYCLOAK-13387:

We don’t have anything OOTB that could restrict access to applications when users are authenticating to your applications. For that, you would need to customize your authentication flow and use a JavaScript Authenticator that decides whether or not the user is allowed to proceed in the authentication process.

You may also take a look at the Client Authorization Extension. See Extensions - Keycloak. Note that this is not supported by us but an extension provided by our community.

The Authorization Services capabilities are mainly about enforcing access to protected resources in your application after the user is authenticated. That is why you need to enable the policy enforcer.

I think the Client Authorization Extension is exactly what I’m looking for, hopefully this can help someone else as well.
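To make the distinction in pedroigor’s reply concrete: the Resource/Policy/Permission chain only answers questions the application asks Keycloak after the user already holds an access token, so nothing in it can stop the login itself. The following is an added example (not code from the thread, from Keycloak or from the Client Authorization Extension) of the check a Node-RED style application would run against Keycloak’s token endpoint for the thread’s "Default Resource", using the UMA ticket grant in decision mode. The Keycloak host, realm, client id and the `/auth` path prefix are assumptions; the `fakeKeycloakFetch` stand-in is constructed so the code runs offline, and only the token named `tok-allowed` is treated as holding the "Allowed" realm role.

```javascript
// Added example, not from the thread or from Keycloak. Asks Keycloak for a
// per-resource decision after authentication (what the policy enforcer does),
// then turns that decision into an allow/deny on the application side.

// All four values are assumptions modelled on the thread's settings.
const KEYCLOAK_BASE = 'https://keycloak.example.com'; // assumed host
const REALM = 'myrealm';                               // assumed realm
const CLIENT_ID = 'nodered';                           // assumed client with the authorization settings
const RESOURCE_NAME = 'Default Resource';              // resource name from the thread

// Form body for a decision-only UMA ticket grant. response_mode=decision makes
// the token endpoint answer {"result": true} instead of minting an RPT, so the
// application learns allow/deny and nothing else.
function buildDecisionRequest(resourceName, scope) {
  const params = new URLSearchParams();
  params.set('grant_type', 'urn:ietf:params:oauth:grant-type:uma-ticket');
  params.set('audience', CLIENT_ID);
  params.set('permission', scope ? `${resourceName}#${scope}` : resourceName);
  params.set('response_mode', 'decision');
  return params;
}

// Map the endpoint's answer to a boolean. 403 is Keycloak's "access_denied /
// not_authorized"; anything else that is not a 200 is an enforcer failure and
// is surfaced as an error so callers fail closed rather than open.
function interpretDecision(status, body) {
  if (status === 403) return false;
  if (status !== 200) throw new Error(`token endpoint returned HTTP ${status}`);
  return Boolean(body && body.result === true);
}

// Ask Keycloak whether the bearer token may reach resourceName.
// fetchImpl is injectable so the check can be exercised offline.
async function isAllowed(accessToken, resourceName, fetchImpl = globalThis.fetch) {
  // Older Keycloak (the thread's era) serves under /auth; newer releases drop it.
  const url = `${KEYCLOAK_BASE}/auth/realms/${REALM}/protocol/openid-connect/token`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: buildDecisionRequest(resourceName).toString(),
  });
  const body = res.status === 200 ? await res.json() : null;
  return interpretDecision(res.status, body);
}

// Express-style guard: 401 without a bearer token, 403 on a negative decision,
// 502 if Keycloak could not be asked. The enforcer failing never grants access.
function requireResource(resourceName, fetchImpl = globalThis.fetch) {
  return async (req, res, next) => {
    const auth = req.headers.authorization || '';
    if (!auth.startsWith('Bearer ')) return res.status(401).end();
    let allowed;
    try {
      allowed = await isAllowed(auth.slice('Bearer '.length), resourceName, fetchImpl);
    } catch (err) {
      return res.status(502).end();
    }
    if (!allowed) return res.status(403).end();
    return next();
  };
}

// Constructed stand-in for the Keycloak token endpoint (not real Keycloak
// behaviour beyond the response shapes): only 'tok-allowed' is treated as a
// user holding the "Allowed" realm role required by the "Check role" policy.
function jsonResponse(status, body) {
  return { status, ok: status >= 200 && status < 300, json: async () => body };
}

async function fakeKeycloakFetch(url, init) {
  const token = (init.headers.Authorization || '').replace('Bearer ', '');
  const params = new URLSearchParams(init.body);
  if (params.get('grant_type') !== 'urn:ietf:params:oauth:grant-type:uma-ticket') {
    return jsonResponse(400, { error: 'unsupported_grant_type' });
  }
  if (token === 'tok-allowed') return jsonResponse(200, { result: true });
  return jsonResponse(403, { error: 'access_denied', error_description: 'not_authorized' });
}

// Usage with the constructed endpoint: the first call resolves true, the
// second false, mirroring what the Evaluate tab shows for the two users.
isAllowed('tok-allowed', RESOURCE_NAME, fakeKeycloakFetch).then(v => console.log('allowed user:', v));
isAllowed('tok-denied', RESOURCE_NAME, fakeKeycloakFetch).then(v => console.log('denied user:', v));
```

This is the check that the policy enforcer performs on each request; it is independent of the authentication flow, which is why a user the Evaluate tab reports as Denied can still log in when nothing in the application asks for the decision.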