4

I defined a client in the Keycloak admin console to authorize it with the client_credentials flow to call a server-to-server API in my application. Everything is fine; I want to apply an IP restriction for that client.

Where can I define this restriction in the admin console? I didn't find such a configuration in the Keycloak documentation.

Rasool Ghafari

1 Answer

6

There is no such setting out of the box, but you could try to implement a custom client authenticator. So for example the allowed IP address could be stored in client attributes, and your authenticator implementation will check the incoming request against the specified IP address. See the "Server Development" section in the Keycloak documentation. Also you can refer to the Keycloak GitHub repo for implementation examples and guides. Start from

https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/ClientIdAndSecretAuthenticator.java

solveMe
  • 3
    Nice suggestion, though I strongly believe that IP Filtering should happen in the (reverse) proxy, WAF or security gateway. – bsaverino Jul 19 '20 at 16:24
  • @solveMe Thanks for your solution. Now I have another question: where and how should I set attributes for clients? I didn't find it in the admin console or its documentation. – Rasool Ghafari Jul 20 '20 at 06:37
  • 1
    @RasoolGhafari In the admin console there is no UI for setting client attributes, but if you dump a client you can see that the dump contains an 'attributes' field, so you could try to use the admin API for setting the attribute value (I know, I know that it is not very convenient). Honestly I don't know whether this field is for internal usage or not. If so you could also consider extending the Keycloak DB schema with a custom IP settings entity (see the how-to in the documentation). – solveMe Jul 20 '20 at 07:55
  • Because of @bsaverino's suggestion, I checked Zuul, but have this problem, could you help me? https://stackoverflow.com/questions/62991711/spring-cloud-zuul-does-not-load-static-resources-from-spring-boot-applications – Rasool Ghafari Jul 20 '20 at 08:49
  • Zuul also could be a solution, but I'm also a newbie in the spring-netflix environment – solveMe Jul 20 '20 at 10:24
  • Same .. can't help with Zuul. Note that if you are prototyping you may have better chances with more popular tools like `nginx`. I don't say that Zuul isn't a good choice but as you are experimenting already with one (or more) technology it may be worth to keep most of the rest under control :) Eventually `Keycloak Gatekeeper` (or `Louketo Proxy`) may be more convenient to start with as it has a strong relationship with Keycloak. – bsaverino Jul 20 '20 at 18:06
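The check that the answer and its comments describe (an allow-list of addresses stored in the client's `attributes` field, evaluated against the address of the incoming token request) is shown below as an added Python example; it is not code from the answer, and it is not Keycloak's own Java `ClientAuthenticator` SPI, only the decision logic such an authenticator would implement. The attribute key `allowed-ips`, the client representation and all addresses are constructed for the example. It also covers the point raised in the comments about sitting behind a proxy: the `X-Forwarded-For` header is honoured only when the direct peer is a trusted proxy, otherwise a caller could spoof the header and pass the check.

```python
import ipaddress
from typing import List, Optional, Sequence

# Hypothetical client attribute key: Keycloak has no built-in attribute for this,
# so the custom authenticator and whoever sets the attribute must agree on a name.
ALLOWED_IPS_ATTRIBUTE = "allowed-ips"


def parse_allowed_networks(attr_value: Optional[str]) -> list:
    """Parse a comma/space separated list of IPs or CIDRs stored in the client attribute.

    A bare address becomes a /32 (or /128) network. An unparsable entry raises
    ValueError rather than being skipped, so a typo cannot silently widen the list.
    """
    if not attr_value:
        return []
    return [ipaddress.ip_network(tok, strict=False)
            for tok in attr_value.replace(",", " ").split()]


def _is_trusted_proxy(ip, trusted: list) -> bool:
    return any(ip in net for net in trusted)


def effective_client_ip(remote_addr: str,
                        forwarded_for: Optional[str] = None,
                        trusted_proxies: Sequence[str] = ()):
    """Decide which address represents the caller.

    The TCP peer address is authoritative unless it belongs to a trusted proxy;
    only then is X-Forwarded-For consulted, walking from the right (nearest hop)
    to the left and returning the first hop that is not itself a trusted proxy.
    A malformed header falls back to the peer address (fail closed).
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not forwarded_for or not _is_trusted_proxy(peer, trusted):
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not _is_trusted_proxy(ip, trusted):
            return ip
    return peer


def is_client_ip_allowed(client_rep: dict,
                         remote_addr: str,
                         forwarded_for: Optional[str] = None,
                         trusted_proxies: Sequence[str] = (),
                         require_attribute: bool = True) -> bool:
    """Return True when the caller's address is inside the client's allow-list.

    client_rep mirrors the shape of a client dump from the admin API, i.e. a dict
    with an 'attributes' sub-dict. With require_attribute=True a client that has
    no allow-list is rejected; set it to False if the authenticator is placed in a
    shared flow and unrestricted clients should keep working.
    """
    attrs = client_rep.get("attributes") or {}
    raw = attrs.get(ALLOWED_IPS_ATTRIBUTE)
    if raw is None:
        return not require_attribute
    networks = parse_allowed_networks(raw)
    caller = effective_client_ip(remote_addr, forwarded_for, trusted_proxies)
    return any(caller in net for net in networks)


# Constructed client representation, shaped like an admin API client dump.
SAMPLE_CLIENT = {
    "clientId": "server-to-server",
    "attributes": {ALLOWED_IPS_ATTRIBUTE: "10.0.0.0/8, 192.168.1.10"},
}

if __name__ == "__main__":
    # Direct call from inside the allowed range.
    print(is_client_ip_allowed(SAMPLE_CLIENT, "10.1.2.3"))
    # Same source address, but presented via a trusted reverse proxy.
    print(is_client_ip_allowed(SAMPLE_CLIENT, "172.16.0.5",
                               forwarded_for="10.1.2.3",
                               trusted_proxies=["172.16.0.0/12"]))
    # Untrusted peer trying to spoof X-Forwarded-For: header is ignored, denied.
    print(is_client_ip_allowed(SAMPLE_CLIENT, "203.0.113.7",
                               forwarded_for="10.1.2.3",
                               trusted_proxies=["172.16.0.0/12"]))
```

Whatever component performs this check (a custom authenticator, or the reverse proxy suggested in the comments), the list of trusted proxies has to be configured on the Keycloak side; if the proxy is the only path to the server, the peer-address check alone is enough and the forwarded header can be ignored entirely.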