Currently, the POST endpoint for creating a tenant doesn't have specific restrictions. This setup could potentially allow any user with API access to create new tenants.
Suggested Enhancement:
I propose implementing role-based access control for the tenant creation endpoint. This would align with how Keycloak handles API management in general. In my current setup, I issue API tokens to my customers by creating a Keycloak client with a service account, using a predefined Keycloak client (named api-cli). This client is not allowed to interact with the Keycloak API unless I assign it the service account role realm-management - manage-clients.
Proposed Implementation:
For the tenancy API, I suggest a similar approach where a service account role (e.g., realm-management - manage-tenants) is required to manage tenant creation. This role would only be assigned to my predefined api-cli client. By doing so, it ensures that API tokens held by my customers cannot create tenants unless I explicitly add this role to their service account, which I intend not to do. In my application, creating a new tenant is a paid feature, and this change would add an extra layer of control and security.
Additional Consideration:
This suggestion needs some careful thought, especially in relation to the feature where users are forced to create a tenant if not a member of one. I have this feature disabled in my application, but the proposed enhancement should ideally be compatible with both scenarios.
Thank you for considering this enhancement. I believe it would be a valuable addition to the API.
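As an added illustration of the check proposed above (example code, not part of this issue or of the project), the following shows how a tenant-creation handler could require the suggested client role. It assumes the token's signature has already been verified by the API's existing JWT validation, so only the claims are inspected here; the claim layout (resource_access.<client-id>.roles) is the shape Keycloak uses for client roles, while the role name manage-tenants is the name this issue proposes and the token payloads are constructed samples. The force_tenant_creation flag models the "users are forced to create a tenant if not a member of one" feature mentioned under Additional Consideration, so both configurations are handled.

```python
from typing import Any, Dict, Tuple

# Constructed sample access-token claims (not real tokens). Keycloak puts
# client roles under resource_access.<client-id>.roles; realm-management is
# the built-in client that carries admin-style roles such as manage-clients.
API_CLI_CLAIMS: Dict[str, Any] = {
    "sub": "service-account-api-cli",
    "azp": "api-cli",
    "resource_access": {
        "realm-management": {"roles": ["manage-clients", "manage-tenants"]}
    },
}

# A customer's service-account token: no realm-management roles at all.
CUSTOMER_CLAIMS: Dict[str, Any] = {
    "sub": "service-account-customer-42",
    "azp": "customer-42",
    "resource_access": {"account": {"roles": ["view-profile"]}},
}

# Hypothetical role name taken from the proposal in this issue.
REQUIRED_CLIENT = "realm-management"
REQUIRED_ROLE = "manage-tenants"


def has_client_role(claims: Dict[str, Any], client_id: str, role: str) -> bool:
    """True if the (already signature-verified) claims carry `role` for `client_id`."""
    resource_access = claims.get("resource_access") or {}
    client_entry = resource_access.get(client_id) or {}
    return role in (client_entry.get("roles") or [])


def authorize_tenant_creation(
    claims: Dict[str, Any],
    *,
    caller_tenant_count: int,
    force_tenant_creation: bool = False,
) -> Tuple[bool, str]:
    """Decide whether the caller may POST a new tenant.

    Returns (allowed, reason). The reason is meant for an audit log entry on
    the deny path, so operators can see which tokens tried to create tenants.
    """
    if has_client_role(claims, REQUIRED_CLIENT, REQUIRED_ROLE):
        return True, f"{REQUIRED_CLIENT}/{REQUIRED_ROLE} present"

    # Compatibility with the "must create a tenant if not a member of one"
    # feature: only a caller that belongs to no tenant yet may self-provision,
    # and only when that feature is switched on.
    if force_tenant_creation and caller_tenant_count == 0:
        return True, "self-service creation for a user with no tenant"

    return False, f"missing client role {REQUIRED_CLIENT}/{REQUIRED_ROLE}"


def handle_create_tenant(
    claims: Dict[str, Any], caller_tenant_count: int, force_tenant_creation: bool
) -> int:
    """Return the HTTP status the endpoint would answer with (201 or 403)."""
    allowed, reason = authorize_tenant_creation(
        claims,
        caller_tenant_count=caller_tenant_count,
        force_tenant_creation=force_tenant_creation,
    )
    if not allowed:
        print(f"deny tenant creation for {claims.get('azp')}: {reason}")
        return 403
    return 201


if __name__ == "__main__":
    print("api-cli:", handle_create_tenant(API_CLI_CLAIMS, 5, False))
    print("customer (feature off):", handle_create_tenant(CUSTOMER_CLAIMS, 0, False))
    print("customer (feature on, no tenant):", handle_create_tenant(CUSTOMER_CLAIMS, 0, True))
```

The deny path returns 403 rather than 401 because the token is valid and authenticated; it simply lacks the role, which is the same distinction Keycloak's own admin API makes for a service account without manage-clients.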