Prevent clients listing in account console


lee.h...@gmail.com

Feb 18, 2021, 1:51:41 PM2/18/21
to Keycloak User
Dear List,

I have searched widely, and have found no way (perhaps a custom template that does not list clients?) to prevent clients from being visible in the account console.

To set the scene, our requirement is SSO for lots of API integrations (service accounts that are implemented as a single-use Keycloak client with lots of attributes statically mapped into their access tokens) and also human users using the SSO alongside federated log-in into similar apps. Sometimes a client is both used for service accounts and human log-in (an example is one of our homebrew Slack bots), but oftentimes the clients for human users and the clients for specific use-cases for our business clients are totally exclusive.

Listing the names of all our (service account) clients in the human clients' account console is close to something I would consider a data breach, as many of these "clients" carry the names and use-cases of our business partners.

Is there something I have overlooked, or some profound misconfiguration I have simply misunderstood? This seems like a super basic thing to be able to do (maybe, the answer is to put those secret things in another realm..?) 

Thanks so much, this list is a goldmine.

Stan Silvert

Feb 19, 2021, 6:08:50 PM2/19/21
to keyclo...@googlegroups.com
Do you mean that you just want to hide the applications page in the new account console?

If so, just edit content.json and make hidden = true

{
    "id": "applications",
    "icon": "pf-icon-applications",
    "path": "applications",
    "label": "applications",
    "descriptionLabel": "applicationsIntroMessage",
    "modulePath": "/content/applications-page/ApplicationsPage.js",
    "componentName": "ApplicationsPage",
    "hidden": true
},
--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/3de468b7-0de2-4cc9-a578-32bfe429de81n%40googlegroups.com.
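Stan's suggestion is a hand edit of content.json. As an added example (not from this thread and not part of the Keycloak project), here is a small Python helper that applies the same change programmatically, refuses to touch a page id that does not exist, and checks the result. The sample content.json below is constructed here in the shape Stan's snippet implies: a list of page entries, with nested "content" lists assumed for sub-pages; every key other than those in Stan's snippet is an assumption, not something the thread states.

```python
import json
from copy import deepcopy

# Constructed sample in the shape of the keycloak.v2 account theme's content.json:
# a list of page entries, some of which nest further entries under "content".
# The nesting and the extra keys are assumptions; the "applications" entry
# itself mirrors the snippet posted in the thread.
SAMPLE_CONTENT_JSON = """
[
  {"id": "personal-info", "path": "personal-info", "label": "personalInfo",
   "modulePath": "/content/account-page/AccountPage.js",
   "componentName": "AccountPage"},
  {"id": "security", "path": "security", "label": "accountSecurity",
   "content": [
     {"id": "signingin", "path": "security/signingin", "label": "signingIn",
      "modulePath": "/content/signingin-page/SigningInPage.js",
      "componentName": "SigningInPage"}
   ]},
  {"id": "applications", "icon": "pf-icon-applications", "path": "applications",
   "label": "applications", "descriptionLabel": "applicationsIntroMessage",
   "modulePath": "/content/applications-page/ApplicationsPage.js",
   "componentName": "ApplicationsPage"}
]
"""


def load_content(text):
    """Parse content.json text. json.loads rejects trailing commas, so a
    hand-edited file that no longer parses fails here rather than at
    console load time."""
    return json.loads(text)


def _walk(entries):
    """Yield every page entry, descending into nested "content" lists."""
    for entry in entries:
        yield entry
        yield from _walk(entry.get("content", []))


def hide_page(content, page_id):
    """Return a copy of content with the entry whose id == page_id marked
    "hidden": true. Raises KeyError if no such page exists, so a typo in
    the id is not silently ignored."""
    patched = deepcopy(content)
    for entry in _walk(patched):
        if entry.get("id") == page_id:
            entry["hidden"] = True
            return patched
    raise KeyError(f"no page with id {page_id!r} in content.json")


def is_hidden(content, page_id):
    """True iff the entry exists and carries "hidden": true."""
    return any(e.get("id") == page_id and e.get("hidden") is True
               for e in _walk(content))


def visible_page_ids(content):
    """Ids of the pages the console will still render."""
    return [e["id"] for e in _walk(content) if not e.get("hidden")]


def patch_content_json(text, page_id="applications"):
    """Hide one page in content.json text and return the re-serialised text."""
    patched = hide_page(load_content(text), page_id)
    return json.dumps(patched, indent=4)


if __name__ == "__main__":
    new_text = patch_content_json(SAMPLE_CONTENT_JSON)
    print(new_text)
    print("still visible:", visible_page_ids(load_content(new_text)))
```

This only changes what the account console renders; the client list itself comes from the account REST API, which, as Stan notes later in the thread, any authenticated client can still call.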


Lee Hambley

Feb 22, 2021, 1:52:53 PM2/22/21
to Stan Silvert, keyclo...@googlegroups.com
Hi Stan,

That's very helpful, thank you. Does that leave open a vector by which someone would be able to query the Keycloak APIs to fetch the list of clients, or is disabling this in the active account-console template sufficient?

Kind regards,




Stan Silvert

Feb 22, 2021, 2:16:35 PM2/22/21
to Lee Hambley, keyclo...@googlegroups.com
I don't think we have anything at the API level which would do the kind of filtering you want.

Do me a favor though.  Try the old account console and see if it has the same behavior.  To do this, just go to Realm Settings --> Themes in the admin console.  Then set Account Theme to "keycloak".

Lee Hambley

Mar 2, 2021, 4:09:23 AM3/2/21
to keyclo...@googlegroups.com
> I don't think we have anything at the API level which would do the kind of filtering you want.

Does that mean that it's always possible for someone to find some Keycloak API and speak to it with an Account Console (for example) originated token and list clients? I don't think so, right? I tried, and it doesn't seem like my token is valid, which I consider the "correct" behaviour. (https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_clients_resource)

> Do me a favor though.  Try the old account console and see if it has the same behavior.  To do this, just go to Realm Settings --> Themes in the admin console.  Then set Account Theme to "keycloak".

The only options I have are "base" and "keycloak" alongside the template I made for myself (which only includes login, not account console).

That rather suggests I don't have the keycloak v2 theme, which appears to be a React SPA? (https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak.v2) Probably the version of Keycloak I am using (which was the `:latest` tag on the official Docker image) is outdated, somehow.

Thanks so much for all your assistance so far.

Stan Silvert

Mar 9, 2021, 1:54:31 PM3/9/21
to keyclo...@googlegroups.com
On 3/2/2021 4:09 AM, Lee Hambley wrote:
> > I don't think we have anything at the API level which would do the kind of filtering you want.
>
> Does that mean that it's always possible for someone to find some Keycloak API and speak to it with an Account Console (for example) originated token and list clients? I don't think so, right? I tried, and it doesn't seem like my token is valid, which I consider the "correct" behaviour. (https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_clients_resource)

You do have to get through Keycloak security to use the API.  Any client can use the new account API if they are authenticated.  I'm just not sure we have the kind of filtering you wanted once you are authenticated to use the API.

> > Do me a favor though.  Try the old account console and see if it has the same behavior.  To do this, just go to Realm Settings --> Themes in the admin console.  Then set Account Theme to "keycloak".
>
> The only options I have are "base" and "keycloak" alongside the template I made for myself (which only includes login, not account console).

If you are using the new account console then by default your theme choices for "Account Theme" will be "base", "keycloak", and "keycloak.v2".  Sounds like maybe you were looking at the login theme?  For those, the default values are just "base" and "keycloak".

Lee Hambley

Apr 6, 2021, 8:15:48 AM4/6/21
to Stan Silvert, keyclo...@googlegroups.com
Hi Stan,

Sorry for letting the thread go cold, I was pulled away to another project temporarily.

I'm on Keycloak 11.0.3 via Docker (hash f77fdafa75b) from JBoss' Docker Hub account, and on that version there is only one theme, the old "keycloak" one, that doesn't seem to be an SPA.

Nonetheless, the advice stands, I guess: simply comment out, or check for conditional template variables to remove, this list.

Thanks so much.