Support associating a serviceAccount user with a particular group #33

Open
lmsurpre opened this issue Jan 11, 2022 · 1 comment

@lmsurpre
Collaborator

Since the IBM FHIR Server defaults to using the group claim when mapping to security-role, requests from a serviceAccount (like in the newly introduced SMART Backend Services config) must belong to a group in order to be considered authorized.

Tasks for making this easier to implement

  1. support configuration of group membership for service accounts
  2. update the smart-backend-services sample config to ensure the infernoBulk client's service account (service-account-infernoBulk) is associated with the fhirUser group

Here's what those steps look like from the UI:
(image: keycloak console)

@lmsurpre
Collaborator Author

For "normal" users, Keycloak supports the notion of a "default group" and we use that to ensure all users will get the group membership by default. What would be nice is if there were a similar concept for service account users... otherwise we're stuck either:
A. registering all clients via keycloak-config; or
B. documenting how to manually add the service accounts to the fhirUser group
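
Option B from the comment above (adding a client's service account to the fhirUser group), sketched against the Keycloak Admin REST API as an added example; it is not code from this project. The base URL, realm name and admin token are assumptions (older Keycloak releases serve the API under an `/auth` prefix), and the `fake` transport returns constructed responses.

```python
import json
import urllib.parse
import urllib.request

def http_send(method, url, token):
    """Real transport: one authenticated Admin REST call, JSON-decoded."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def add_service_account_to_group(base, realm, client_id, group, token,
                                 send=http_send):
    """Return True if membership was added, False if already present."""
    admin = f"{base}/admin/realms/{urllib.parse.quote(realm, safe='')}"
    query = urllib.parse.urlencode
    clients = send("GET", f"{admin}/clients?{query({'clientId': client_id})}", token)
    if len(clients) != 1 or not clients[0].get("serviceAccountsEnabled"):
        raise LookupError(f"no service-account client {client_id!r}")
    user = send("GET", f"{admin}/clients/{clients[0]['id']}/service-account-user", token)
    # ?search= is a substring match; accept only an exact top-level name so
    # the account never lands in a similarly named group by accident.
    found = send("GET", f"{admin}/groups?{query({'search': group})}", token)
    exact = [g for g in found if g["name"] == group]
    if len(exact) != 1:
        raise LookupError(f"expected exactly one group named {group!r}")
    members_of = send("GET", f"{admin}/users/{user['id']}/groups", token)
    if any(g["id"] == exact[0]["id"] for g in members_of):
        return False  # idempotent: nothing to change
    send("PUT", f"{admin}/users/{user['id']}/groups/{exact[0]['id']}", token)
    return True

if __name__ == "__main__":
    # Constructed responses standing in for a Keycloak server (offline demo).
    def fake(method, url, token):
        if "/clients?" in url:
            return [{"id": "c1", "serviceAccountsEnabled": True}]
        if url.endswith("/service-account-user"):
            return {"id": "u1"}
        if "/groups?" in url:
            return [{"id": "g0", "name": "fhirUserAdmins"}, {"id": "g1", "name": "fhirUser"}]
        return [] if method == "GET" else None
    print(add_service_account_to_group("https://keycloak.example", "example-realm",
                                       "infernoBulk", "fhirUser", "constructed-token", fake))
```

Running it a second time against the same realm returns False without issuing the PUT, so it can sit in a provisioning job.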
