docs: Add security considerations
Relates to #160, #117, #114, #121
sventorben committed Apr 18, 2023
1 parent 920da86 commit afe970f
Showing 1 changed file with 18 additions and 3 deletions.
21 changes: 18 additions & 3 deletions README.md
@@ -13,7 +13,7 @@ This is a simple Keycloak authenticator to restrict user authorization on client

## What is it good for?

Every now and then I get asked whether it is possible to restrict user authorization on certain clients.
Sometimes I get asked whether it is possible to restrict user authorization on certain clients.

Generally the question goes like this

@@ -81,10 +81,9 @@ Packages are being released to GitHub Packages. You find the coordinates [here](

It may happen that I remove older packages without prior notice, because the storage is limited on the free tier.


## How to configure?

* Create a new flow
* Create a new flow per binding (e.g. browser flow, direct grant flow etc.)
* Add a sub-flow e.g. named `Login` and mark it as `Required`
* Add an authenticator execution `Restrict user authentication on clients` and mark the execution as `Required`.
* Within the `Login` sub-flow add authenticators/executions/conditionals and further sub-flows as needed (see [Keycload documentation for details](https://www.keycloak.org/docs/21.0.1/server_admin/#_authentication-flows)
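Review bot: the unchanged context line `(see [Keycload documentation for details](https://www.keycloak.org/docs/21.0.1/server_admin/#_authentication-flows)` has a typo (`Keycload`) and is missing the closing parenthesis after the link, so the bullet renders with a dangling `(see ...`; since this list is being edited anyway, fix both: `(see [Keycloak documentation for details](https://www.keycloak.org/docs/21.0.1/server_admin/#_authentication-flows))`. The new bullet `Create a new flow per binding (e.g. browser flow, direct grant flow etc.)` is the right first step, but a reader following these steps does not necessarily reach the security considerations further down, so it would help to name here the bindings that are easy to miss: the identity provider post login flow and client-level authentication flow overrides, which the new warning itself calls out as often overlooked.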
@@ -99,6 +98,22 @@ It may happen that I remove older packages without prior notice, because the sto
>
> The authenticator needs a user identity to check whether the user has the desired role or not. Hence, ensure that you have steps/executions in your flow prior to this authenticator that can ensure user's identity.
<div style="background-color: rgba(255, 0, 0, 0.25);">

> 🛑️ **Security considerations**:
>
> Please be aware of the following when using this authenticator:
>
> * **Protect all possible flows:**
>
> Ensure that you protect access to your clients in all flows, not just the browser flow. Failure to do so may allow malicious users to obtain access or identity tokens via other flows.
> Especially post login flows of identity providers and flows used in authentication flow overrides are often overlooked.
> * **Disable the `Audience Resolve` mapper if necessary:**
>
> The [`Audience Resolve` protocol mapper](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) is enabled by default by client scope `roles`, but it may be necessary to remove it in some cases.
> Failing to set up audience claims correctly may result in a token containing the restricted client as an audience claim, even if the user does not have access to that client.
</div>
### Client Role based mode

1) Configure the authenticator by clicking on `Actions -> Config` and select `client-role` as the `Access Provider`.
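Review bot: `</div>` on the last added line is immediately followed by `### Client Role based mode` with no blank line in between; in GitHub-flavored Markdown a raw HTML block continues until the next blank line, so the heading is pulled into the HTML block and shows up as literal `### Client Role based mode` text instead of a heading. Add an empty line after `</div>`. Separately, GitHub's HTML sanitizer strips `style` attributes, so the red `background-color` will not render; the 🛑 blockquote already carries the warning on its own, and dropping the `<div>` wrapper altogether avoids both problems. On the content of the second bullet, `it may be necessary to remove it in some cases` does not tell the reader which cases: `Audience Resolve` adds to `aud` the clients for which the user holds at least one client role, so spell out that a user with a client role on the restricted client still gets that client in `aud` even when this authenticator denies the login, and point the reader at the token to check (e.g. decode an access token obtained through another flow and inspect `aud`).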
