I am running CodiMD v2.4.1 (only just discovered HedgeDoc today, so I’ll need to upgrade my deployments to HedgeDoc eventually), but that is probably not relevant to my question.
I am using Keycloak as the identity provider for which I have a client app registered using the following configuration (Kubernetes deployment):
```yaml
- name: CMD_OAUTH2_PROVIDERNAME
  value: "Keycloak"
- name: CMD_OAUTH2_BASEURL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect"
- name: CMD_OAUTH2_USER_PROFILE_URL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/userinfo"
- name: CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR
  value: "sub"
- name: CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR
  value: "name"
- name: CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR
  value: "email"
- name: CMD_OAUTH2_TOKEN_URL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/token"
- name: CMD_OAUTH2_AUTHORIZATION_URL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/auth"
- name: CMD_OAUTH2_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: codimd-keycloak
      key: clientId
- name: CMD_OAUTH2_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: codimd-keycloak
      key: clientSecret
```
The authentication works well, in the sense that I see a “Log in with Keycloak” button and it creates a new user upon completing the authentication flow.
However, what I want is to only allow people with a certain Keycloak role to be able to log in. I found this Stack Overflow answer that claims to accomplish this, but it is failing for me.
My question to this community is this: is there any kind of authorization configuration in HedgeDoc itself that can be used to deny access to authenticated users based on some information (such as OAuth2 scopes, profile, etc.) provided by the OAuth2 identity provider (Keycloak in this example)?