This project provides a Keycloak browser authenticator that enforces an impersonation policy restricting impersonators from accessing service providers (clients) unless holding an associated client role.
- Copy `keycloak-impersionation-policy-enforcer-«version».ear` to `${KEYCLOAK_HOME}/deployments`.
- Create an authentication flow as follows (or equivalent):

  | Auth Type                     | Requirement |
  |-------------------------------|-------------|
  | Impersonation Policy Enforcer | ALTERNATE   |
  | Identity Provider Redirector  | ALTERNATE   |
  | Forms                         | ALTERNATE   |
  | ↳ Username Password Form      | REQUIRED    |

- Apply it to a client.
- Create a client role that is composed with the `realm-management.impersonation` role.
The Impersonation Policy Enforcer authenticator replaces the Cookie authenticator provided by
Keycloak. It checks whether the user is being impersonated and, if so, whether the impersonator has
any role of the target client that is composed with the `realm-management.impersonation` role. If both
conditions are met, the impersonator is granted access to the client. Without such a client role, the
impersonator is denied access to the client. If the user is not being impersonated, access is granted
or denied exactly as the Cookie authenticator would grant or deny it.
This project follows the module/bundle approach to packaging Keycloak extensions:

- `module` builds the jar that contains the Keycloak extensions.
- `bundle` builds the ear that contains the jar from `module` and any jars that are not designated as `provided` dependencies.
This project uses:

- checkstyle to achieve compliance with the Google Java Style Guide. Please add the checkstyle plugin to your IDE.
- SonarLint to improve code quality and code security. Please add the SonarLint plugin to your IDE.
Copyright 2021 Luca Filipozzi. Some rights reserved. See LICENSE.