Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-9177

Accessing realm admin console in 4.7.0 requires view-realm role

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • 4.7.0.Final
    • None
    • Admin - Console
    • None
    • Hide
      1. Create an admin user and give it the 'manage-users', 'query-groups', 'query-users', and 'view-users' realm-management roles
      2. Try to access the admin console with this user
      3. Actual: Observe that a 403 forbidden error occurred
      4. Expected: Users see the "Manage > Groups" and "Manage > Users" tabs
      Show
      Create an admin user and give it the 'manage-users', 'query-groups', 'query-users', and 'view-users' realm-management roles Try to access the admin console with this user Actual: Observe that a 403 forbidden error occurred Expected: Users see the "Manage > Groups" and "Manage > Users" tabs
    • NEW
    • NEW

    Description

      We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer access the dedicated realm admin console (/auth/admin/{realm}/console) with the same realm-management roles that they had previously. Our admin users should only be able to manage users and groups so that only the "Manage > Groups" and "Manage > Users" tab show up in the realm admin console. Previously in 4.5.0 they had the 'manage-users', 'query-groups', 'query-users', and 'view-users' roles in order to make this happen.

      However, with the new upgrade in 4.7.0, admins are now seeing a 403 forbidden error when trying to access the admin console. We found that by adding the 'view-realm' role, users are then able to access the admin console but this enables too many permissions for the admin users that we do not wish to enable such as configuring the Realm Settings, Roles, User Federation, and Authentication.

      Looking at past issues in this Jira, perhaps this is a similar problem that is now broken again? https://issues.jboss.org/browse/KEYCLOAK-4328

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. KEYCLOAK-9489 User not able to log in to admin console when using query-* roles

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. KEYCLOAK-9676 Cannot login to Admin Console with just manage-* role

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              mandyfung Mandy Fung (Inactive)
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: