feat(FGAPv2): introduce RESET_PASSWORD scope and evaluation

- Add RESET_PASSWORD to AdminPermissionsSchema.USERS
- Require RESET_PASSWORD in UserResource.resetPassword()
- Expose canResetPassword()/requireResetPassword()
- Implement FGAP v2 deny-overrides + secure-by-default + optional fallback
- Include access.resetPassword for Admin Console

Closes #41901

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Bagautdino <336373@edu.itmo.ru>
Bagautdino
2025-08-15 11:53:02 +03:00
committed by Pedro Igor
parent 28d3b2dd29
commit d225bce21f
16 changed files with 199 additions and 17 deletions
@@ -68,6 +68,8 @@ set of scopes:
| *manage-group-membership* | Defines if a realm administrator can assign or unassign users to/from groups. | None
| *map-roles* | Defines if a realm administrator can assign or unassign roles to/from users. | None
| *impersonate* | Defines if a realm administrator can impersonate other users. | `impersonate-members`
| *reset-password* | Defines if a realm administrator can reset user passwords. By default, this scope falls | None
back to `manage` scope behavior (configurable via `fgap.v2.resetPassword.fallbackToManageUsers`).
|===
The user resource type has a strong relationship with some of the permissions you can set to groups. Most of the time,
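Review bot: the new `| *reset-password* |` row documents the fallback but says nothing about precedence, so a reader of this table cannot tell how an explicit grant or deny on `reset-password` interacts with `manage` once `fgap.v2.resetPassword.fallbackToManageUsers` is `false`, even though the commit message describes deny-overrides and secure-by-default evaluation. Suggest stating the option's default in the cell and adding one sentence on evaluation order, e.g. `By default (fgap.v2.resetPassword.fallbackToManageUsers=true) this scope falls back to the manage scope; with the fallback disabled only an explicit reset-password grant applies, and an explicit deny takes precedence.` The cell also wraps mid-sentence at `falls` / `back`; that renders correctly inside `|===`, but keeping the cell on one line matches the surrounding rows.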
@@ -4,7 +4,22 @@
Breaking changes are identified as requiring changes from existing users to their configurations.
In minor or patch releases we will only do breaking changes to fix bugs.
=== <TODO>
=== Fine-grained admin permissions: RESET_PASSWORD scope for Users
A new `reset-password` scope has been added to the Users resource type in Fine-Grained Admin Permissions v2. This scope allows administrators to grant password reset permissions independently from the broader `manage` scope.
By default, the behavior remains compatible with previous versions through the `fallbackToManageUsers` configuration option, which is set to `true` by default. When this fallback is enabled, password reset permissions will use the existing `manage` scope behavior.
To enable the new granular password reset permissions, set the configuration option:
[source]
----
fgap.v2.resetPassword.fallbackToManageUsers=false
----
When the fallback is disabled, only explicit `reset-password` scope permissions will allow password reset operations, providing more fine-grained control over administrative access.
For more information about fine-grained admin permissions, see the link:{adminguide_finegrained_link}[{adminguide_finegrained_name}] chapter in the {adminguide_name}.
// ------------------------ Notable changes ------------------------ //
== Notable changes
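Review bot: the `=== <TODO>` heading immediately above `=== Fine-grained admin permissions: RESET_PASSWORD scope for Users` is a leftover placeholder; the new section should replace it (or it should be dropped) so the upgrade notes do not render an empty `<TODO>` heading. The note should also spell out the migration consequence that the line `When the fallback is disabled, only explicit \`reset-password\` scope permissions will allow password reset operations` implies: after setting `fgap.v2.resetPassword.fallbackToManageUsers=false`, administrators who hold only the `manage` scope lose the ability to reset passwords until they are granted `reset-password` explicitly, which is the step readers of an upgrade guide need to plan for. Minor: `[source]` could be `[source,properties]` so the option renders with the same highlighting as other configuration snippets.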