Epic
Resolution: Done
Critical
Description
There is a need for Customer Service to view OTP status of the users. This is done through the Admin Console. Currently "manage-users" permission is necessary to view the "credentials" tab. This is enforced in both Java code and in the templates. We are proposing that a read-only version of the "credentials" tab under "user management" displays for the users that have "view-users" permission.
Motivation
Customer Service cannot analyze customers' OTP setup and other authentication-setup problems without the "manage-users" permission. "manage-users" is a powerful privilege and is not normally granted to Customer Service representatives. As a result, such problems quickly escalate to CIAM developers, which slows down customer issue resolution.
Details
Is it possible to have "requireManageOrView" method in UserPermissions and not transmit secrets if the user only has view permissions?
In //keycloak/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java we have:
    @GET
    @Path("credentials")
    @NoCache
    @Produces(MediaType.APPLICATION_JSON)
    public Stream<CredentialRepresentation> credentials() {
        // Current check: the caller must hold manage permission on this user
        auth.users().requireManage(user);
        return user.credentialManager().getStoredCredentialsStream()
                .map(ModelToRepresentation::toRepresentation)
                // secretData (hashes, OTP seeds) is never returned to the caller
                .peek(credentialRepresentation -> credentialRepresentation.setSecretData(null));
    }
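As an added illustration of the "view-or-manage" check proposed above (not code from this issue or from the Keycloak repository), one way the endpoint could look. It assumes it lives in UserResource with its existing auth and user fields, and that the user permission evaluator offers canManage(UserModel) and requireView(UserModel) alongside requireManage; dropping credentialData for view-only callers is a design choice made here, not something the issue specifies.

```java
import java.util.stream.Stream;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;

// Sketch of the proposed endpoint (illustrative, not the merged change).
// Assumes this sits in UserResource, where `auth` and `user` are the
// existing fields, and that auth.users() exposes canManage(UserModel)
// and requireView(UserModel).
@GET
@Path("credentials")
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public Stream<CredentialRepresentation> credentials() {
    // Manage implies view. A caller with only view-users gets a reduced
    // listing; a caller with neither permission is rejected by requireView.
    boolean canManage = auth.users().canManage(user);
    if (!canManage) {
        auth.users().requireView(user); // throws ForbiddenException when missing
    }
    return user.credentialManager().getStoredCredentialsStream()
            .map(ModelToRepresentation::toRepresentation)
            .map(rep -> scrub(rep, canManage));
}

// Remove material the caller must not receive. secretData (password hashes,
// OTP seeds) is never sent to anyone, exactly as in the current code. For
// view-only callers credentialData (hash algorithm, iterations, OTP
// digits/period) is dropped as well, so Customer Service sees only the
// credential type, user label and creation date, which is enough to tell
// whether OTP is configured without exposing parameters of the secret.
private static CredentialRepresentation scrub(CredentialRepresentation rep,
                                              boolean canManage) {
    rep.setSecretData(null);
    if (!canManage) {
        rep.setCredentialData(null);
    }
    return rep;
}
```

The read-only UI form proposed for "view-users" callers should be built against this reduced representation, so that nothing the template renders depends on fields only manage callers receive.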
This is also enforced in the UI template /themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-user.html, where the tab is shown only when the caller has manage access:
    <li ng-class="{active: path[4] == 'user-credentials'}" data-ng-show="user.access.manage"><a href="#/realms/{{realm.realm}}/users/{{user.id}}/user-credentials">{{:: 'credentials' | translate}}</a></li>
We would also need to make sure that the form in /themes/src/main/resources/theme/base/admin/resources/partials/user-credentials.html is read only.