Hi!
I’m logging into Squidex with Keycloak and it works fine, but now I need to give the user admin privileges. How can I do that in Keycloak? With roles, with authorization …?
Thanks.
You have to add permissions as urn:squidex:permissions client.
Here is a list of all permissions: https://github.com/Squidex/squidex/blob/master/src/Squidex.Shared/Permissions.cs
Hi Sebastian!
First of all, thanks for your answer, but can you be more specific?
Can you give me more info?
I have this configuration:
No, you have to go to your user and then to claims.
You always have to login and logout again and you have to tell keycloak to return this claim (or claim type) for your client.
We can have a skype session today 8pm (german time) or Monday.
I did login and logout, I restarted the squidex and keycloak, and I had the same result.
I am not an expert, but I think you have to create:
- permission
- urn:squidex:permissions
- claims
After doing the configuration I have this token from Keycloak:
{
  "jti": "2c919742-f918-41f5-b44e-641cef1d125a",
  "exp": 1567168851,
  "nbf": 0,
  "iat": 1567168551,
  "iss": "http://auth.ubi.local/auth/realms/dan",
  "aud": "account",
  "sub": "dd701a20-a71d-41b7-b213-7845dfc88ee1",
  "typ": "Bearer",
  "azp": "angular",
  "auth_time": 0,
  "session_state": "99e28890-a975-490b-a916-5185a4f5ff71",
  "acr": "1",
  "allowed-origins": [
    "http://data.ubi.local"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid permission profile email",
  "urn:squidex:permissions": "squidex.admin.*",
  "email_verified": true,
  "name": "NAME",
  "preferred_username": "USERNAME",
  "given_name": "NAME",
  "email": "EMAIL"
}
After logging in to Squidex I have this token:
{
  "nbf": 1567163445,
  "exp": 1567167045,
  "iss": "http://data.ubi.local/identity-server",
  "aud": [
    "http://data.ubi.local/identity-server/resources",
    "squidex-api"
  ],
  "client_id": "squidex-frontend",
  "sub": "5d668fe3109bff00012f6341",
  "auth_time": 1567163445,
  "idp": "ExternalOidc",
  "email": "EMAIL",
  "scope": [
    "openid",
    "profile",
    "email",
    "squidex-profile",
    "role",
    "permissions",
    "squidex-api"
  ],
  "amr": [
    "external"
  ]
}
Weird thing, don’t you think?
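Added example (not code from the thread or from the Squidex project): a small helper that decodes the payload of each token and reports which `urn:squidex:permissions` values the Keycloak token carries but the Squidex-issued token does not. It only inspects claims for debugging and does not verify signatures, so it must never be used to trust a token. The two sample tokens are constructed here as unsigned, trimmed-down versions of the ones posted above; treating a whitespace-separated claim value as several permissions is an assumption.

```python
import base64
import json
from typing import Dict, List

PERMISSIONS_CLAIM = "urn:squidex:permissions"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> Dict:
    """Return the JSON payload of a compact JWT.

    The signature is NOT checked. This is only for looking at which claims
    a token carries while debugging the claim mapping.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def squidex_permissions(payload: Dict) -> List[str]:
    """Extract the permission strings from the urn:squidex:permissions claim."""
    value = payload.get(PERMISSIONS_CLAIM)
    if value is None:
        return []
    if isinstance(value, list):          # claim mapped as a JSON array
        return [str(v) for v in value]
    return str(value).split()            # assumption: whitespace-separated string


def make_unsigned_token(payload: Dict) -> str:
    """Build an alg=none token for the constructed samples below (debugging only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


# Constructed samples modelled on the two tokens posted in the thread.
KEYCLOAK_TOKEN = make_unsigned_token({
    "iss": "http://auth.ubi.local/auth/realms/dan",
    "azp": "angular",
    "scope": "openid permission profile email",
    PERMISSIONS_CLAIM: "squidex.admin.*",
    "email": "EMAIL",
})

SQUIDEX_TOKEN = make_unsigned_token({
    "iss": "http://data.ubi.local/identity-server",
    "client_id": "squidex-frontend",
    "idp": "ExternalOidc",
    "scope": ["openid", "profile", "email", "squidex-profile",
              "role", "permissions", "squidex-api"],
    "email": "EMAIL",
})


def compare_permissions(keycloak_token: str, squidex_token: str) -> Dict[str, List[str]]:
    """Show which permissions from the Keycloak token did not reach the Squidex token."""
    kc = squidex_permissions(decode_payload(keycloak_token))
    sq = squidex_permissions(decode_payload(squidex_token))
    return {
        "keycloak": kc,
        "squidex": sq,
        "missing_in_squidex": [p for p in kc if p not in sq],
    }


if __name__ == "__main__":
    print(json.dumps(compare_permissions(KEYCLOAK_TOKEN, SQUIDEX_TOKEN), indent=2))
```

Running it shows the Keycloak token carrying `squidex.admin.*` while the Squidex token has the `permissions` scope but no `urn:squidex:permissions` claim at all, which is exactly the situation the two token dumps above illustrate.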
Sorry, I think I made a big mistake.
Keycloak is just like any other third-party authentication provider like Google or GitHub. So there are actually 2 identity servers: Keycloak and the integrated identity server.
The permissions themselves are usually handled in Squidex (can you check the database?). The first admin should get the admin permissions. I am not sure if you can give the permissions in Keycloak. If it is needed I can have a look, but I am not sure when I have time for that.
I gave the permission directly to the user in Squidex, and it works fine.
I did another test: I created a new user with the permission in Keycloak, and then when I did the first login the info was passed to Squidex.
But what I want is: to be able to manage permissions in Keycloak and sync them with Squidex.
As far as I can tell from our conversation, it’s actually not possible, but is it something that you think is feasible to add to the roadmap?
It is feasible and probably a 30-minute task. I will have a look.
EDIT: I am probably wrong. The problem is that the user is generated in Squidex the first time you login with keycloak. I could transfer the claims then, but the next time the user logs in there would be no claims transfer.
This is probably a silly question, but is there any reason not to update the claims on every login?
It is just not implemented like that yet. The idea was / is to keep Authentication in Squidex itself.