
Fine-grained admin permission client manage does not work #20431
Description

@david-hanger

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

admin/fine-grained-permissions

Describe the bug

Tested in both versions 21.1.1 and 20.0.3, the client manage permission does not work as documented, from the feature admin-fine-grained-authz. An authorized user can see the client (given the additional documented role), and the UI appears to allow editing the client's General Settings tab. But clicking the Save button yields a 403 Forbidden response with only "unknown error". The Keycloak logs do not emit any details about the incident.

Version

21.1.1

Expected behavior

Following the documentation for fine-grained client admin privileges should result in the behavior described in the documentation, in this case specifically allowing the assigned user the capability to edit settings for the target client. This apparent bug may be specific to the client manage and configure permissions, because the map-roles and map-roles-composite permissions work as documented.

Actual behavior

Following the documentation for fine-grained client admin privileges results in a user who can view the client settings and modify those settings in the UI but who cannot save those settings, receiving instead a "403 Forbidden" with the message "unknown error".

How to Reproduce?

  1. Stand up MariaDB
    • Container image docker.io/bitnami/mariadb-galera:10.10.2
    • We use a 3-node cluster
    • Can provide additional baseline settings if needed, but they shouldn't be relevant
  2. Stand up Keycloak
    • Container image quay.io/keycloak/keycloak:21.1.1
    • We use a 3-node cluster behind a TLS-terminating load balancer
    • start --features=admin-fine-grained-authz
    • Environment variables, excluding sensitive values:
      KC_CACHE_STACK=ec2
      KC_DB=mariadb
      KC_HEALTH_ENABLED=true
      KC_HOSTNAME_STRICT=false
      KC_HOSTNAME_STRICT_HTTPS=false
      KC_HTTP_ENABLED=true
      KC_PROXY=edge
      KC_SPI_TRUSTSTORE_FILE_FILE=/opt/keycloak/conf/truststore.jks
      KC_TRANSACTION_XA_ENABLED=false
      PROXY_ADDRESS_FORWARDING=true
      
  3. Create a realm
  4. Create a client
  5. Create a user
  6. Follow the documentation for managing one specific client
    • Proceed all the way through that section, ending with "This admin is now able to manage this one client."
  7. Open the client settings (using the just-assigned restricted admin user)
  8. Make changes (e.g. edit the Description field)
  9. Click Save at the bottom
  10. Observe the error

Anything else?

Our team is trying to provide developers on our platform with the capability to administer their own team's client settings, but without the ability to affect any other team's clients. We upgraded from Keycloak 18 to Keycloak 20 to specifically add this fine-grained admin capability, but it does not do what our users need it to do. Our workaround is to have our multiple dozen development teams contact us for any change they need to make to any of their clients, which quickly bogs our small team down with busywork. Having this feature work correctly would be a huge load off our proverbial backs.
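The same "Save" can be reproduced outside the admin console by driving the Admin REST API directly as the restricted user, which separates a UI problem from a server-side permission denial and exposes the 403 response body that the console collapses into "unknown error". The script below is an added example for this purpose; it is not part of the issue report or of Keycloak's own tooling. It assumes the realm's built-in public `admin-cli` client for the password grant (the same flow `kcadm.sh` uses), that the restricted admin user has a password, and that the target client is addressed by its internal UUID (the `id` field, not the `clientId`). The host, realm, credentials and UUID are supplied via environment variables and are placeholders.

```python
"""Call the Keycloak Admin REST API directly as the restricted admin user,
to separate the admin console UI from the server-side permission check.

Assumptions (not from the issue): the built-in public client ``admin-cli``
is used for the password grant (as kcadm.sh does), the restricted user has
a password, and the target client is identified by its internal UUID.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def http(method, url, headers=None, body=None):
    """Minimal transport returning (status, body_text).

    4xx/5xx responses are returned rather than raised so the caller can
    read the error body that the admin console hides behind "unknown error".
    """
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def get_token(base, realm, username, password, transport=http):
    """Resource Owner Password grant for the restricted admin user."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    status, body = transport(
        "POST",
        f"{base}/realms/{realm}/protocol/openid-connect/token",
        {"Content-Type": "application/x-www-form-urlencoded"},
        form,
    )
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}: {body}")
    return json.loads(body)["access_token"]


def try_update_client(base, realm, token, client_uuid, new_description, transport=http):
    """GET the client (exercises the view permission), then PUT it back with
    one field changed (exercises the manage permission, i.e. what Save does).

    Returns a dict saying which step failed (if any) and the raw response,
    so a 403 on the PUT is reported with its body instead of "unknown error".
    """
    url = f"{base}/admin/realms/{realm}/clients/{client_uuid}"
    auth = {"Authorization": f"Bearer {token}"}

    status, body = transport("GET", url, {**auth, "Accept": "application/json"})
    if status != 200:
        return {"step": "view", "status": status, "body": body}

    rep = json.loads(body)
    rep["description"] = new_description
    status, body = transport(
        "PUT", url,
        {**auth, "Content-Type": "application/json"},
        json.dumps(rep).encode(),
    )
    return {"step": "save", "status": status, "body": body}


if __name__ == "__main__":
    import os
    import sys
    # Placeholder host/realm; override with environment variables.
    base = os.environ.get("KC_BASE", "https://keycloak.example.com")
    realm = os.environ.get("KC_REALM", "myrealm")
    tok = get_token(base, realm, os.environ["KC_USER"], os.environ["KC_PASS"])
    result = try_update_client(base, realm, tok, os.environ["KC_CLIENT_UUID"], "edited via REST")
    print(json.dumps(result, indent=2))
    # Keycloak answers a successful client update with 204 No Content.
    sys.exit(0 if result["status"] in (200, 204) else 1)
```

Run it once as the restricted user and once as a user holding the realm's full client-management role: if the restricted user's GET succeeds and the PUT returns 403 while the privileged user's PUT returns 204, the denial is made by the admin REST endpoint's fine-grained permission evaluation rather than by the console, and the printed body (plus the `WWW-Authenticate` header, if any) is what should go into the bug report.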
