Verify requirements/assumptions #23

Open
opened 2026-07-11 09:46:36 +02:00 by stb · 2 comments
Owner

I'm really confused about how this works, so to help clear up any confusion, here is what I think we need:

  • Members can fill in attributes based on group membership:
    • If member of intern, two SSH keys for Dooris
    • If member of intern, one email address to use to subscribe to intern@lists.hamburg.ccc.de
    • If member of chaos, one email address to use to subscribe to chaos@lists.hamburg.ccc.de
    • Attributes should be visible only if the user is authorised
  • A Keycloak API client can authenticate using a service account, and can retrieve the contents of these attributes:
    • A list of all SSH keys
    • A list of all email addresses for each attribute
    • The values of attributes are only included if the user is authorized for this attribute
  • Practically, the API client should be able to request the contents of specific attributes, or the values of all attributes in an attribute group

None of that appears to be working right now.

I'm really confused about how this works, so to help clear up any confusion, here is what I think we need: * Members can fill in attributes based on group membership: * If member of intern, two SSH keys for Dooris * If member of intern, one email address to use to subscribe to intern@lists.hamburg.ccc.de * If member of chaos, one email address to use to subscribe to chaos@lists.hamburg.ccc.de * Attributes should be visible only if the user is authorised * A Keycloak API client can authenticate using a service account, and can retrieve the contents of these attributes: * A list of all SSH keys * A list of all email addresses for each attribute * The values of attributes are only included if the user is authorized for this attribute * Practically, the API client should be able to request the contents of specific attributes, or the values of all attributes in an attribute group None of that appears to be working right now.
Author
Owner

Of course, we want to split off the permission into more fine grained roles so we can give a user access to Dooris without them having to be a member of intern.

Of course, we want to split off the permission into more fine grained roles so we can give a user access to Dooris without them having to be a member of intern.
Member

Most of the things you expect is possible with this endpoint provider, just not exactly as you described.

We use the existing feature to add custom attribute fields (which can be grouped into attribute groups) to users. As far as I know, it's not possible to display a field depending on a user's role or group in the Keycloak UI.

With this provider, however, you can configure an authenticated endpoint to be used by an API client that fetches all attribute values in an attribute group from all users with a specific role.

You can configure each endpoint to use a specific role for matching the list of users and the role needed to use the endpoint.

Currently, you can only add an entire attribute group. However, we can implement an option to group the values for every field.

I will update the README.md, as some of the explanations are out of date since we restructured our code.

Most of the things you expect is possible with this endpoint provider, just not exactly as you described. We use the existing feature to add custom attribute fields (which can be grouped into `attribute groups`) to users. As far as I know, it's not possible to display a field depending on a user's role or group in the Keycloak UI. With this provider, however, you can configure an authenticated endpoint to be used by an API client that fetches all attribute `values` in an `attribute group` from all users with a specific `role`. You can configure each endpoint to use a specific role for matching the list of users and the role needed to use the endpoint. Currently, you can only add an entire attribute group. However, we can implement an option to group the values for every field. I will update the README.md, as some of the explanations are out of date since we restructured our code.
Sign in to join this conversation.
No labels
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
CCCHH/keycloak-attribute-endpoints-provider#23
No description provided.