
My application should know users' roles.

It has a clientId/clientSecret pair. Probably I can even enable a service account for this client.

I found the endpoint GET /{realm}/clients/{id}/roles/{role-name}/users (doc).
But to use this endpoint the service account must have the realm-management/view-clients (${role_view-clients}) role.

Also, this role allows viewing the secrets of other clients.

But I don't want to leave this application an opportunity to intrude into the work of other clients, so getting this role comes with a lot of responsibility.

So, the question:
How to get users' roles (my client's roles) in a safe way?

I've used this script to play with the REST API:

#!/usr/bin/env bash
set -euo pipefail

KEYCLOAK_HOST=http://localhost:8080
KEYCLOAK_REALM=testrealm
KEYCLOAK_CLIENT_ID=testclient
KEYCLOAK_CLIENT_SECRET=0TNKx16HJ8ITwnh4wzJluzbAWPDn826m
KEYCLOAK_ROLE=testrole1

# obtain an access token for the client's service account (client_credentials grant)
ACCESS_TOKEN=$(curl -sS -X POST "${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
  -d "client_id=${KEYCLOAK_CLIENT_ID}" \
  -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" \
  -d 'grant_type=client_credentials' \
  | jq -r '.access_token')

# list all clients
# curl -sS -X GET "${KEYCLOAK_HOST}/admin/realms/${KEYCLOAK_REALM}/clients" \
#   -H "Accept: application/json" \
#   -H "Authorization: Bearer $ACCESS_TOKEN" \
#   | jq .

# look up the internal UUID of our own client by its clientId
# KEYCLOAK_CLIENT_UID=de077e77-a1b0-4d52-96c5-0e1a591bfbe0
KEYCLOAK_CLIENT_UID=$(curl -sS -X GET "${KEYCLOAK_HOST}/admin/realms/${KEYCLOAK_REALM}/clients?clientId=${KEYCLOAK_CLIENT_ID}" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  | jq -r '.[0].id')

# list users with the specified role (needs realm-management/view-clients on the service account)
curl -sS -X GET "${KEYCLOAK_HOST}/admin/realms/${KEYCLOAK_REALM}/clients/${KEYCLOAK_CLIENT_UID}/roles/${KEYCLOAK_ROLE}/users" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .
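As an added example (not code from the question or from Keycloak), here is a least-privilege check for the token the script above obtains: Keycloak places a service account's realm-management client roles under the `resource_access."realm-management".roles` claim, so the application can verify it holds nothing beyond the one role this endpoint needs before using the admin API. The allowed set, the sample claims and the unsigned test token are constructed assumptions for offline use; the decoder inspects the payload only and does not verify the signature.

```python
import base64
import json

# Assumption: the only realm-management role the questioner's script needs
ALLOWED_REALM_MANAGEMENT_ROLES = {"view-clients"}


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS. Signature is NOT verified:
    this is for inspecting a token the client itself just received."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_management_roles(claims: dict) -> set:
    """Client roles are nested under resource_access.<clientId>.roles."""
    resource_access = claims.get("resource_access", {})
    return set(resource_access.get("realm-management", {}).get("roles", []))


def excess_roles(claims: dict, allowed=ALLOWED_REALM_MANAGEMENT_ROLES) -> set:
    """Realm-management roles the service account holds but should not."""
    return realm_management_roles(claims) - allowed


def make_test_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims, for offline testing only."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


# Constructed sample: a service account that was granted more than view-clients
SAMPLE_CLAIMS = {
    "azp": "testclient",
    "resource_access": {
        "realm-management": {"roles": ["view-clients", "manage-clients", "view-users"]},
        "testclient": {"roles": ["testrole1"]},
    },
}

if __name__ == "__main__":
    claims = decode_jwt_payload(make_test_token(SAMPLE_CLAIMS))
    print("excess realm-management roles:", sorted(excess_roles(claims)))
```

With a real token, pass the value of ACCESS_TOKEN from the script to decode_jwt_payload; a non-empty result from excess_roles means the grant is wider than the endpoint requires.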

  • `view-clients` is the minimum role for getting a specific client's user list for a role. – Bench Vue Nov 04 '22 at 14:47
  • So, there is no way for a specific client to get its users' roles without the possibility of reading secrets of other clients?.. :'( Maybe I don't understand what a client is for? – Smith John Nov 05 '22 at 04:56
  • Yes, there is no way to limit the specific client to only see its role's users. Realm vs Client is confusing; my simple understanding is that a realm is a software application (examples: stack overflow web site, yahoo finance). A client is a component of a realm (example: frontend, backend, resource server or microservice). This thread explained the realm and client: https://stackoverflow.com/questions/56561554/keycloak-realm-vs-keycloak-client . The `view-client` can't see other client secrets. The `manage-client` can change the secret; it also can't see it at all. – Bench Vue Nov 05 '22 at 09:47
  • hmm... 18.0.0 hides secrets, but 20.0.0 shows all... is it a bug? – Smith John Nov 05 '22 at 16:23
  • some scripts to reproduce (don't be afraid of the lot of code, check test-18.sh and test-20.sh): https://gist.github.com/SilentSpammer/7d633e10530679b2504eac3ee393fc38 (results attached to this gist too) – Smith John Nov 05 '22 at 18:13

0 Answers