LucaFilipozzi / keycloak-impersonation-policy-enforcer

a Keycloak browser authenticator that enforces an impersonation policy restricting impersonators from accessing service providers (clients) unless holding an associated client role


keycloak-impersonation-policy-enforcer

This project provides a Keycloak browser authenticator that enforces an impersonation policy restricting impersonators from accessing service providers (clients) unless holding an associated client role.

usage

deployment

Copy keycloak-impersonation-policy-enforcer-«version».ear to ${KEYCLOAK_HOME}/deployments.

configuration

client configuration

  1. Create an authentication flow as follows (or equivalent):

    Auth Type                        Requirement
    Impersonation Policy Enforcer    ALTERNATE
    Identity Provider Redirector     ALTERNATE
    Forms                            ALTERNATE
        Username Password Form       REQUIRED
  2. Apply it to a client.

  3. Create a client role on that client that is a composite containing the impersonation role of the realm-management client.

policy enforcement

The Impersonation Policy Enforcer authenticator replaces the Cookie authenticator provided by Keycloak. It checks whether the user is being impersonated and, if so, whether the impersonator holds any role of the accessed client that is a composite containing the impersonation role of the realm-management client. If both conditions are met, the impersonator is granted access to the client.

Without such a client role, the impersonator is denied access to the client.

If the user is not being impersonated, access is granted or denied exactly as the Cookie authenticator would grant or deny it.
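The following authenticator sketch shows the decision described above in code. It is an added example written for this page, not the project's own source: the package name is hypothetical, it assumes the stream-based model API of Keycloak 13 or later, and it assumes that Keycloak's admin impersonation endpoint records the impersonating admin in the user-session note named IMPERSONATOR_ID (check this against the Keycloak version you run). Note that holding the realm-management impersonation role directly is deliberately not sufficient: the grant has to arrive through a role of the client being accessed, and the check fails closed when the built-in role cannot be resolved.

```java
package com.example.keycloak.impersonation; // hypothetical package, not the project's

import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.services.managers.AuthenticationManager;

/**
 * Replacement for Keycloak's Cookie authenticator that additionally enforces the
 * impersonation policy. With no SSO cookie it reports "attempted" and with a
 * non-impersonated session it reports "success", exactly as Cookie does.
 */
public class ImpersonationPolicyAuthenticator implements Authenticator {

  /** User-session note written by Keycloak's impersonation endpoint (assumed name). */
  static final String IMPERSONATOR_ID_NOTE = "IMPERSONATOR_ID";
  /** Built-in client and role through which Keycloak grants impersonation. */
  static final String REALM_MANAGEMENT_CLIENT_ID = "realm-management";
  static final String IMPERSONATION_ROLE = "impersonation";

  @Override
  public void authenticate(AuthenticationFlowContext context) {
    AuthenticationManager.AuthResult auth = AuthenticationManager.authenticateIdentityCookie(
        context.getSession(), context.getRealm(), true);
    if (auth == null) {
      context.attempted(); // no valid SSO cookie: let the next ALTERNATE execution run
      return;
    }
    UserSessionModel userSession = auth.getSession();
    String impersonatorId = userSession.getNote(IMPERSONATOR_ID_NOTE);
    if (impersonatorId != null) {
      // Session was started by an admin impersonating auth.getUser(): the policy is
      // evaluated for the impersonator against the client that initiated this login.
      UserModel impersonator =
          context.getSession().users().getUserById(context.getRealm(), impersonatorId);
      ClientModel client = context.getAuthenticationSession().getClient();
      if (impersonator == null
          || !holdsImpersonationRoleFor(context.getRealm(), impersonator, client)) {
        context.failure(AuthenticationFlowError.ACCESS_DENIED);
        return;
      }
    }
    context.setUser(auth.getUser());
    context.attachUserSession(userSession);
    context.success();
  }

  /**
   * The policy: the impersonator must hold a role of the accessed client whose composite
   * closure contains realm-management/impersonation. Denies when the built-in role is missing.
   */
  static boolean holdsImpersonationRoleFor(RealmModel realm, UserModel impersonator,
      ClientModel client) {
    ClientModel realmManagement = realm.getClientByClientId(REALM_MANAGEMENT_CLIENT_ID);
    RoleModel impersonation =
        realmManagement == null ? null : realmManagement.getRole(IMPERSONATION_ROLE);
    if (impersonation == null) {
      return false; // fail closed rather than guess
    }
    return impersonator.getClientRoleMappingsStream(client)
        .anyMatch(role -> expandCompositeIds(role).contains(impersonation.getId()));
  }

  /** Ids of a role and all roles reachable through its composites; handles cycles. */
  static Set<String> expandCompositeIds(RoleModel root) {
    Set<String> seen = new HashSet<>();
    Deque<RoleModel> todo = new ArrayDeque<>();
    todo.push(root);
    while (!todo.isEmpty()) {
      RoleModel role = todo.pop();
      if (seen.add(role.getId()) && role.isComposite()) {
        role.getCompositesStream().forEach(todo::push);
      }
    }
    return seen;
  }

  @Override public void action(AuthenticationFlowContext context) { /* no user interaction */ }
  @Override public boolean requiresUser() { return false; }
  @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
  @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
  @Override public void close() { }
}
```

To deploy something like this you would still need an AuthenticatorFactory registered under META-INF/services/org.keycloak.authentication.AuthenticatorFactory (not shown); the factory's id is what appears as "Impersonation Policy Enforcer" in the flow table above, where it takes the ALTERNATE slot that Cookie would normally occupy.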

development

project structure

This project follows the module/bundle approach to packaging Keycloak extensions:

  • module builds the jar that contains the Keycloak extensions

  • bundle builds the ear that contains the jar from module together with any jars that are not designated as provided dependencies

coding conventions

This project uses:

  • checkstyle to achieve compliance with the Google Java Style Guide. Please add the checkstyle plugin to your IDE.

  • SonarLint to improve code quality and code security. Please add the SonarLint plugin to your IDE.


Copyright 2021 Luca Filipozzi. Some rights reserved. See LICENSE.


License:Apache License 2.0
