
Add AccountRestService interfaces

Open jonnytest1 opened this issue 3 years ago • 7 comments

Is your feature request related to a problem? Please describe. When editing user attributes via API call I want to make sure there can be absolutely no privilege escalation, that's why I want to use the user access token as authorization to set those attributes.

Describe the solution you'd like An implementation of the interfaces defined in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java; examples are in the corresponding test file https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountRestServiceTest.java

Describe alternatives you've considered Using the admin permissions with checks and hoping no one comes along in a few months who has no clue they have to check perms.

Additional context

jonnytest1 avatar Mar 09 '21 23:03 jonnytest1

You're suggesting we add support for the Account API? I am not sure that's within scope as this project has a specific focus on the admin APIs.

Calling the Account API can be done directly from your frontend - there's no need to mix those capabilities, in my perspective.

ath88 avatar Mar 17 '21 08:03 ath88

The admin APIs can also be called from the frontend; that shouldn't be the reason not to provide them in your library.

jonnytest1 avatar Mar 17 '21 08:03 jonnytest1

@jonnytest1 why would you want to have them? How would it be useful?

edewit avatar Nov 02 '21 13:11 edewit

To be able to manually update your user profile while only providing an account-level token.

jonnytest1 avatar Nov 02 '21 16:11 jonnytest1

@jonnytest1 so you have a script that logs in for each user to change their user profile? Wouldn't that mean that you have the username and password of each user? Or how would this work? Wouldn't it be more secure to do this via the admin console?

edewit avatar Nov 05 '21 11:11 edewit


The frontend does a backend call that is authorized by a user token. The backend then wants to set a user attribute but only has the user token, so the backend uses the admin client to update the user (however, currently you need to uplevel to an admin token to update attributes that the user token would already have permissions for, since it's only updating for the current user).

jonnytest1 avatar Nov 05 '21 13:11 jonnytest1
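The flow described in the comment above, as an added example that is not part of this issue or of the keycloak-nodejs-admin-client project: the backend forwards the caller's own access token to Keycloak's Account REST API (GET then POST on `/realms/{realm}/account/`) so that Keycloak, not the backend, decides whether that token may modify the account, and no admin token is ever needed. The base URL, realm name, the `USER_EDITABLE_ATTRIBUTES` allow-list and the requirement that the token carries the account client's `manage-account` role are assumptions for this example.

```javascript
// Added example, not project code. Assumes Node 18+ (global fetch) and a
// Keycloak whose Account REST API is served under BASE_URL/realms/<realm>/account/.
const BASE_URL = process.env.KEYCLOAK_URL ?? 'https://keycloak.example.com'; // assumption
const REALM = process.env.KEYCLOAK_REALM ?? 'myrealm';                        // assumption
const ACCOUNT_URL = `${BASE_URL}/realms/${encodeURIComponent(REALM)}/account/`;

// Constructed allow-list: attributes this backend lets a user change on their own record.
// Keycloak enforces "only your own account"; this list narrows *which* fields may change.
const USER_EDITABLE_ATTRIBUTES = new Set(['locale', 'theme']);

// Build the POST that updates the caller's own profile. The user's token is passed
// through unchanged, so the backend never holds, or needs, admin-level credentials.
function buildSelfUpdateRequest(userAccessToken, currentProfile, attributeChanges) {
  const rejected = Object.keys(attributeChanges).filter((k) => !USER_EDITABLE_ATTRIBUTES.has(k));
  if (rejected.length > 0) {
    throw new Error(`attributes not user-editable: ${rejected.join(', ')}`);
  }
  const attributes = { ...(currentProfile.attributes ?? {}) };
  for (const [key, value] of Object.entries(attributeChanges)) {
    // Keycloak stores every attribute as an array of strings.
    attributes[key] = Array.isArray(value) ? value.map(String) : [String(value)];
  }
  return {
    url: ACCOUNT_URL,
    method: 'POST',
    headers: {
      Authorization: `Bearer ${userAccessToken}`,
      'Content-Type': 'application/json',
      Accept: 'application/json', // ask for the REST representation, not the account HTML page
    },
    body: JSON.stringify({ ...currentProfile, attributes }),
  };
}

// Read the current profile with the user's token, merge the change, write it back.
// A 401/403 from Keycloak means the token may not touch this account; surface it, never retry as admin.
async function updateOwnAttributes(userAccessToken, attributeChanges) {
  const headers = { Authorization: `Bearer ${userAccessToken}`, Accept: 'application/json' };
  const getRes = await fetch(ACCOUNT_URL, { headers });
  if (!getRes.ok) throw new Error(`account lookup failed: HTTP ${getRes.status}`);
  const profile = await getRes.json();
  const req = buildSelfUpdateRequest(userAccessToken, profile, attributeChanges);
  const postRes = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!postRes.ok) throw new Error(`account update rejected: HTTP ${postRes.status}`);
  return postRes.status; // 204 on success
}
```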

Okay, thanks @jonnytest1, I get it now. Guess this could be a nice-to-have.

edewit avatar Nov 08 '21 09:11 edewit