
Keycloak SSO with Permissions

Status: Open. adussarps opened this issue 7 months ago · 0 comments

Please note that security bugs or issues should be reported to [email protected].

In Keycloak it's possible to set up permissions as part of the permission flows ([documentation here](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions)).

I'm trying to use this behavior in Keycloak to limit the access to pgadmin to some users with the given permissions.

To obtain this behavior, I extend the token endpoint with the permission parameters like so:

```js
const tokenUrlPermissionSearchParams = new URLSearchParams();
tokenUrlPermissionSearchParams.append(
	'grant_type',
	'urn:ietf:params:oauth:grant-type:uma-ticket'
);
tokenUrlPermissionSearchParams.append('permission_resource_format', 'uri');
tokenUrlPermissionSearchParams.append(
	'permission_resource_matching_uri',
	'true'
);
tokenUrlPermissionSearchParams.append('audience', 'resource-server');
tokenUrlPermissionSearchParams.append('response_mode', 'permissions');
tokenUrlPermissionSearchParams.append(
	'response_include_resource_name',
	'true'
);
// Add the requested permission
tokenUrlPermissionSearchParams.append(
	'permission',
	`/A/B/#POST`
);

const oauth2Config = [
	{
		// The name of the oauth provider, ex: github, google
		OAUTH2_NAME: 'keycloack',
		// The display name, ex: Google
		OAUTH2_DISPLAY_NAME: 'Webcapsule',
		// Oauth client id
		OAUTH2_CLIENT_ID: props.keycloakClient.clientId,
		// Oauth secret
		OAUTH2_CLIENT_SECRET: props.keycloakClient.secret,
		// URL to generate a token,
		// Ex: https://github.com/login/oauth/access_token
		OAUTH2_TOKEN_URL:
			`${props.keycloakBaseUrl}/realms/${props.keycloakRealm}/protocol/openid-connect/token?` +
			tokenUrlPermissionSearchParams.toString(),
		...
```

I would expect my user with no permissions not to be able to log in, but it appears that this setup has no effect.

So excuse me if I posted this as a bug, as it could be the expected behavior; but following this observation I have one question:

Is the permission flow usable with pgAdmin SSO as it is now?

To Reproduce

Steps to reproduce the behavior:

1. Set up SSO with Keycloak and permissions.
2. Try to log in with a user with no permissions.
3. You'll be able to log in.

Expected behavior

The server should respond with a login exception.

Error message

No error, as I am able to log in.

Desktop (please complete the following information):

  • Version: [8.9]
  • Mode: [Server]
  • Package type: [Container (Docker)]

adussarps avatar Jul 25 '24 16:07 adussarps
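The post above appends the UMA-ticket parameters to the query string of the token URL. What the linked Keycloak documentation actually describes is a separate token request: the user's access token (obtained by the normal authorization-code login) is sent as the Bearer credential, the UMA parameters travel in the form-encoded POST body, and the caller has to evaluate Keycloak's answer itself. The authorization-code exchange that an OAuth2 login performs is a POST whose body carries `grant_type=authorization_code`, so parameters stapled onto the token URL do not turn that exchange into a permission check. The following is an added example, not pgAdmin's code and not the poster's, showing that check done explicitly: it builds the request, evaluates both `response_mode=permissions` and `response_mode=decision` answers, and fails closed on anything else. The realm URL, client id, sample token and sample responses are all constructed for illustration.

```python
"""Added example (not pgAdmin's or the poster's code): perform the Keycloak
UMA-ticket permission check as its own token request and evaluate the result.
Realm, client id, token and sample responses are constructed for illustration."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical realm and resource-server client; replace with your own.
KEYCLOAK_BASE_URL = "https://keycloak.example.com"
KEYCLOAK_REALM = "demo"
RESOURCE_SERVER = "resource-server"   # client that owns the protected resources
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url=KEYCLOAK_BASE_URL, realm=KEYCLOAK_REALM):
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def build_permission_request(access_token, permission, audience=RESOURCE_SERVER,
                             response_mode="permissions"):
    """Return (url, headers, form_body) for the UMA permission request.

    The UMA parameters go in the POST body, not the URL query string, and the
    user's existing access token is presented as the Bearer credential.
    """
    body = {
        "grant_type": UMA_GRANT,
        "audience": audience,
        "permission_resource_format": "uri",
        "permission_resource_matching_uri": "true",
        "response_mode": response_mode,            # "permissions" or "decision"
        "response_include_resource_name": "true",
        "permission": permission,                  # e.g. "/A/B/#POST"
    }
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_endpoint(), headers, urllib.parse.urlencode(body)


def is_authorized(response_status, response_body, required_scope=None):
    """Evaluate Keycloak's answer to the permission request.

    A denied request comes back as HTTP 403 with {"error": "access_denied"}.
    With response_mode=permissions a grant is a JSON list of
    {"rsid", "rsname", "scopes"} entries; with response_mode=decision it is
    {"result": true}. Anything unexpected is treated as denied (fail closed).
    """
    if response_status != 200:
        return False
    try:
        data = json.loads(response_body)
    except ValueError:
        return False
    if isinstance(data, dict):
        if "error" in data:
            return False
        return data.get("result") is True          # decision mode
    if isinstance(data, list):                     # permissions mode
        if not data:
            return False
        if required_scope is None:
            return True
        return any(required_scope in p.get("scopes", []) for p in data)
    return False


def check_permission_live(access_token, permission, required_scope=None):
    """Run the check against a real Keycloak (network call, not exercised offline)."""
    url, headers, body = build_permission_request(access_token, permission)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return is_authorized(resp.status, resp.read().decode(), required_scope)
    except urllib.error.HTTPError as err:
        return is_authorized(err.code, err.read().decode(), required_scope)


# Constructed sample responses (not captured from a real server).
GRANTED = (200, json.dumps([{"rsid": "1d1", "rsname": "/A/B/", "scopes": ["POST"]}]))
DENIED = (403, json.dumps({"error": "access_denied", "error_description": "not_authorized"}))
DECISION_OK = (200, json.dumps({"result": True}))

if __name__ == "__main__":
    url, headers, body = build_permission_request("eyJ...", "/A/B/#POST")
    print("POST", url)
    print(body)
    print("granted:", is_authorized(*GRANTED, required_scope="POST"))
    print("denied :", is_authorized(*DENIED))
```

A login integration that wanted the behaviour the poster expects would call something like `check_permission_live` after the authorization-code exchange and reject the session when it returns `False`; nothing on this page shows pgAdmin performing that second request, which is consistent with the observation that the query-string parameters have no effect.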