Keycloak: KEYCLOAK-15296

account-console client doesn't have all scopes of account client

    Details

    • Sprint:
      Keycloak Sprint 45
    • Story Points:
      5
    • Security Sensitive Issue:
      This issue is security relevant
    • Steps to Reproduce:
      1. Create a user with just "view-profile" account client role (not "manage-account" role).
      2. Login as this user to Account Console.
      3. Navigate to "Personal Info".
        Expected: User is able to view (but not edit) personal info.
        Actual: Error message is displayed.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      The "account-console" client (which is used by the new Account Console) has a wrong scope. It includes only "manage-account" from the "account" client (which is used by the REST API), which is not enough. This is because "manage-account" is misconfigured and doesn't include all account roles as composites, e.g. "view-profile" is missing.

      This leads to significantly limited options for managing user access to the Account Console, e.g. it's not possible to limit the user to just view their profile.

      Proposed solutions

      The preferred solution would be to include all roles as composites under "manage-account". But we'd need to consider possible backward compatibility issues.

      Another solution is to update the scope of "account-console" client to list all roles from "account" client.
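      As an added example (not code from this issue or from Keycloak itself), the following Python check reads a realm export in Keycloak's JSON layout (`roles.client` and `clientScopeMappings`), reports which roles of the `account` client the `account-console` client cannot reach once composites are expanded, and applies each of the two proposed fixes to a constructed realm fragment to confirm the gap closes.

```python
import copy

def _client_roles(realm, client_id):
    # Role name -> role definition for one client, from realm["roles"]["client"].
    return {r["name"]: r for r in realm.get("roles", {}).get("client", {}).get(client_id, [])}

def effective_scope(realm, scope_client, role_client):
    """Roles of role_client reachable via scope_client's scope mapping, composites expanded."""
    roles = _client_roles(realm, role_client)
    mappings = realm.get("clientScopeMappings", {}).get(role_client, [])
    todo = [r for m in mappings if m["client"] == scope_client for r in m["roles"]]
    reached = set()
    while todo:
        name = todo.pop()
        if name in reached or name not in roles:
            continue
        reached.add(name)
        # A composite role also grants its member roles, possibly several levels deep.
        todo.extend(roles[name].get("composites", {}).get("client", {}).get(role_client, []))
    return reached

def missing_account_roles(realm):
    """Roles of the 'account' client that the 'account-console' client cannot obtain."""
    return set(_client_roles(realm, "account")) - effective_scope(realm, "account-console", "account")

# Constructed realm fragment mirroring this issue: account-console is scoped only to manage-account.
SAMPLE_REALM = {
    "roles": {"client": {"account": [
        {"name": "manage-account", "composite": True,
         "composites": {"client": {"account": ["manage-account-links"]}}},
        {"name": "manage-account-links", "composite": False},
        {"name": "view-profile", "composite": False},
    ]}},
    "clientScopeMappings": {"account": [{"client": "account-console", "roles": ["manage-account"]}]},
}

def with_composite_fix(realm):
    """Preferred fix from the issue: make manage-account a composite of every other account role."""
    fixed = copy.deepcopy(realm)
    others = [n for n in _client_roles(fixed, "account") if n != "manage-account"]
    for r in fixed["roles"]["client"]["account"]:
        if r["name"] == "manage-account":
            r["composite"], r["composites"] = True, {"client": {"account": others}}
    return fixed

def with_scope_fix(realm):
    """Alternative fix from the issue: list every account role in account-console's scope mapping."""
    fixed = copy.deepcopy(realm)
    fixed["clientScopeMappings"]["account"] = [{"client": "account-console", "roles": list(_client_roles(fixed, "account"))}]
    return fixed
```

      Run `missing_account_roles` against a real realm export to see which account roles a console user can never be granted individually; an empty set after either fix shows the proposed change closes the gap.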

                People

                • Assignee:
                  sebastian.laskawiec Sebastian Laskawiec
                • Reporter:
                  vmuzikar Václav Muzikář
                • Votes:
                  0
                • Watchers:
                  3
