Limit user access using OpenID (Keycloak)

Dec 14, 2023
Hi,

I'm moving to a setup with Proxmox and Keycloak.
I'm facing the problem of how to limit access to the Proxmox UI to only a certain subset of users.
I have found several solutions for how to do that, including modification of the browser flow or scopes, but none of them worked.

Does anyone have a working solution?
My current version of PVE is the latest 8.0.X version.

regards
Peter
 
Can't say that I tested it myself, but AFAIK keycloak supports OpenID Connect, which can be set up under Datacenter > Realms. After that, you should be able to log in with your provider. Alternatively, you could add an LDAP realm, which is a bit less complex. On login you have to select the realm that will be used to authenticate you.
 
I'm also interested in this, I have no solution, yet a remark: Every keycloak user has no rights in PVE unless you granted them any. You can also disable autocreation of users, so that every non-existent user should get an error.
 
@Folke Gleumes I have already connected PVE with Keycloak using OpenID. At this moment every user is able to authenticate. As @LnxBil wrote, the initial user does not have any privileges.

Turning off the autocreation is one of the options, but not the best one.

I'm looking for a solution where
a)
PVE will reject the authorization based on some value. The OpenID setup form has 3 fields which are not documented at all: Scopes, Prompt, ACR Values. Could these values be used to tweak the functionality I need? I found in another thread that this functionality is missing in version 7.4.

b)
deny the authorization on the Keycloak level, but this is maybe out of scope for this forum. My thought was to use the Scope or ACR values for that, but I don't understand the OpenID protocol at that level :(

regards
Peter
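
The allowlist approach mentioned in the thread (autocreation disabled, rights only for users you create), as an added example that is not part of any post here. The realm name `keycloak`, the role `PVEVMUser` on path `/`, the user names and the `restrict_realm` helper are assumptions; each user name must equal the value of the realm's username claim.

```shell
#!/bin/sh
# Added example: allowlist-style access for an OpenID realm in Proxmox VE.
# Assumed (not from the thread): realm "keycloak", role "PVEVMUser", path "/".
# DRY_RUN=1 (the default) only prints the pveum commands; set DRY_RUN=0 on a
# PVE node to execute them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# restrict_realm REALM ROLE USER...
# Turns off autocreation for REALM, then creates USER@REALM for each listed
# user and grants ROLE on "/". Anyone else can still authenticate at the
# identity provider, but the login to PVE fails because no PVE user exists.
restrict_realm() {
    realm="$1"; role="$2"; shift 2
    [ "$#" -gt 0 ] || { echo "no users given" >&2; return 1; }
    # Validate every name first so nothing is changed on bad input.
    # Conservative assumption: plain names only (no '@', no whitespace).
    for u in "$@"; do
        case "$u" in
            ''|*[!A-Za-z0-9._-]*)
                echo "invalid user name: '$u'" >&2
                return 1 ;;
        esac
    done
    run pveum realm modify "$realm" --autocreate 0
    for u in "$@"; do
        run pveum user add "$u@$realm"
        run pveum acl modify / --users "$u@$realm" --roles "$role"
    done
}

# Example call (sample users, constructed for illustration):
#   restrict_realm keycloak PVEVMUser alice bob
```

Narrow the ACL path and role to what each user actually needs; `/` is used here only to keep the example short.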
 
