Selfhosted

60114 readers

1118 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

Keycloak - restrict access to certain applications (feddit.de)

submitted 2 years ago by hypertext@feddit.de to c/selfhosted@lemmy.world

4 comments fedilink hide all child comments

Hi, I have successfully set up Keycloak and use it for a few of the applications that I'm running (unfortunately not every app supports oauth2/oidc yet).

However there's one issue I haven't been able to resolve yet: I want to restrict access to certain applications (like portainer) to specific users (me).

I've already tried going to the portainer client > Authorization, added a role based policy and added the policy to the default permission, but other users that don't have this role can still log in. If I go to "Evaluate" it gives me the expected correct result for the different users

top 4 comments

sorted by: hot top controversial new old

[–] marcos@lemmy.world 2 points 2 years ago

Keycloak claims to handle authorization, but the part that it handles goes only up to enumerating what accesses you have.

Checking those accesses and allowing or restricting the usage is up to your system.

[–] trial_and_err@lemmy.world 1 points 2 years ago* (last edited 2 years ago)

I’m no expert, but Keycloak is just doing authentication (does the user have a valid account?) for you. For authorisation (is the authenticated user allowed to access the site?) you could put Pomerium in front of your apps and authorise based on user groups for different paths.

Not sure about portainer though, that might be a bug?

[–] GameGod@lemmy.ca 1 points 2 years ago

I have no experience with portainer, but some apps have an option to disable new user registration, and that's what I would recommend first. (I do use Keycloak myself too)

[–] woulduno@lemmy.world 1 points 2 years ago

I use specific groups within KeyCloak to define what applications I want a user to see. However, I am using Cloudflare Zero Trust and passing the group claim.