Keycloak claims to handle authorization, but the part that it handles goes only up to enumerating what accesses you have.
Checking those accesses and allowing or restricting the usage is up to your system.
this post was submitted on 19 Aug 2023
21 points (95.7% liked)
Selfhosted
39159 readers
385 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
I’m no expert, but Keycloak is just doing authentication (does the user have a valid account?) for you. For authorisation (is the authenticated user allowed to access the site?) you could put Pomerium in front of your apps and authorise based on user groups for different paths.
Not sure about portainer though, that might be a bug?
I have no experience with portainer, but some apps have an option to disable new user registration, and that's what I would recommend first. (I do use Keycloak myself too)
I use specific groups within KeyCloak to define what applications I want a user to see. However, I am using Cloudflare Zero Trust and passing the group claim.