OIDC: reject users without any roles

Hello,

I’m using Graylog as part of a project with a single sign-on server (Keycloak). OIDC authentication works fine, but I can’t find a way to restrict users authenticated with Keycloak from accessing Graylog.

The OIDC authentication service configuration requires the default roles field to have at least one role; if you set no roles there, the field gives a “Field is required” error on save. So, any user authenticated in Keycloak for a different app can access Graylog in some role.

Is there a way to restrict OIDC authenticated users from accessing Graylog?
For example, the way it works in Grafana is that you can configure it to reject users without a specified role. An authenticated user without a set role would get a login error: “IdP did not return a role attribute, please contact your administrator”.

Thanks in advance

Hey @Dmitrii,

Although I’m not 100% sure, I don’t think this is possible within Graylog currently. Is there no way to restrict user access to an application from the Keycloak side, or would that involve having a realm dedicated to a single app?

Hey, @Wine_Merchant. Thanks for the input.

I’m looking for a way to make Keycloak reject authentication under two conditions: the client is Graylog, and the user has no Graylog roles. It should be doable.
I’m new to Keycloak, so it takes time. I’ll make another reply when I get somewhere.


It looks like out-of-the-box Keycloak doesn’t have a clean solution for this scenario. Fortunately, there is a great keycloak-restrict-client-auth plugin that provides an elegant way to solve this use case.

The plugin allows Keycloak to deny authentication for a user if a restricted-access client role exists and the user doesn’t have that restricted-access client role. So, in order to restrict a user from accessing Graylog via Keycloak authentication, you need to install the plugin, configure the authentication flow, and add the restricted-access client role to the Graylog client. Follow the plugin’s documentation to make it work.

Even though you can make Keycloak deny users without a specific Graylog role, this isn’t an ideal solution. It’s preferable to have the client app check whether the user has the necessary role; hopefully Graylog will be able to deny users with no roles in the near future.
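The role gate described in this thread, implemented on the relying-party side as an added example (this is not Graylog's, Keycloak's, or the plugin's code). It assumes Keycloak's standard token layout, where client roles appear under the `resource_access.<client-id>.roles` claim; the client ID `graylog`, the role name `restricted-access`, and the sample tokens are constructed for the demonstration. The check runs on claims that have already been signature-verified; the decoder below deliberately does no verification and exists only to feed the example.

```python
"""Relying-party check: reject OIDC users that carry no roles for this client.

Hypothetical example. Assumes Keycloak's claim layout:
    {"resource_access": {"<client-id>": {"roles": [...]}}}
"""
import base64
import json

# Assumed client ID under which the application is registered in Keycloak.
CLIENT_ID = "graylog"
# Assumed name of the gate role; any user without it is denied.
GATE_ROLE = "restricted-access"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely to exercise the parser below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT.

    No signature verification happens here; in a real relying party the token
    must be validated against the IdP's keys before these claims are trusted.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str = CLIENT_ID) -> list:
    """Roles the IdP mapped for this client; empty if the claim is absent."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def authorize(claims: dict, client_id: str = CLIENT_ID, gate_role: str = GATE_ROLE) -> tuple:
    """Decide whether an authenticated user may use the application.

    Returns (allowed, reason). Mirrors the behaviour the thread asks for:
    a user with no client roles, or without the gate role, is refused even
    though the IdP authenticated them successfully.
    """
    roles = client_roles(claims, client_id)
    if not roles:
        return (False, "IdP did not return a role attribute, please contact your administrator")
    if gate_role not in roles:
        return (False, f"missing required client role {gate_role!r}")
    return (True, f"granted with roles {sorted(roles)}")


if __name__ == "__main__":
    # Constructed sample users: one mapped for this client, one only for another app.
    for sub, access in [
        ("alice", {"graylog": {"roles": ["restricted-access", "Reader"]}}),
        ("bob", {"other-app": {"roles": ["user"]}}),
    ]:
        token = make_unsigned_jwt({"sub": sub, "resource_access": access})
        print(sub, authorize(decode_claims(token)))
```

The first condition (no roles at all) is the case the original question describes: a Keycloak user who exists for a different application still authenticates successfully, so the application itself has to treat an empty role list as a denial rather than mapping it to a default role.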

Thanks for following up on this; no doubt someone will find it useful.