Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-2448

Ability for users to view credentials without manage user permissions

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • RH-SSO-7.6.3
    • None
    • Server
    • None

      Description
      There is a need for Customer Service to view OTP status of the users. This is done through the Admin Console. Currently "manage-users" permission is necessary to view the "credentials" tab. This is enforced in both Java code and in the templates. We are proposing that a read-only version of the "credentials" tab under "user management" displays for the users that have "view-users" permission.

      Motivation
      Customer Service cannot analyze the customers' OTP setup and other authentication setup related problems without "manage-users" permission. Manage-users privilege is a powerful one and it is not normally given to Customer Service representatives. This results in such problems quickly escalating to CIAM developers and it is slowing down customer issue resolution.

      Details
      Is it possible to have "requireManageOrView" method in UserPermissions and not transmit secrets if the user only has view permissions?

      In //keycloak/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java we have:

      @GET
          @Path("credentials")
          @NoCache
          @Produces(MediaType.APPLICATION_JSON)
         public Stream<CredentialRepresentation> credentials(){
              auth.users().requireManage(user);
              return user.credentialManager().getStoredCredentialsStream()
                      .map(ModelToRepresentation::toRepresentation)
                      .peek(credentialRepresentation -> credentialRepresentation.setSecretData(null));
          }
      
      

      This is also enforced at the UI templates:/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-user.html

      <li ng-class="

      {active: path[4] == 'user-credentials'}

      " data-ng-show="user.access.manage"><a href="#/realms/realm.realm/users/user.id/user-credentials">:: 'credentials' | translate</a></li>
      We would also need to make sure that the form in /themes/src/main/resources/theme/base/admin/resources/partials/user-credentials.html is read only.

              pskopek@redhat.com Peter Skopek
              pskopek@redhat.com Peter Skopek
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: