[keycloak-user] API Authorization: on request or response?

Pedro Igor Silva psilva at redhat.com
Tue Nov 14 07:20:02 EST 2017


The problem here is that you got an access token (that you are using as a
bearer to access the Protection API) using the resource owner password grant type
(direct grant). That means the subject of the token is a user (username)
and not the resource server itself.

Only resource servers (your client application) are allowed to access the
Protection API (and managed resources).

The access token you got is valid for querying permissions, though, as you
want to obtain the set of permissions a user has, where the token represents
the user's identity.

You should fix that error by obtaining an access token for your client.
Something like this (from the docs):

curl -X POST \
    -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'grant_type=client_credentials' \
    "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"


On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Thanks for the documentation, after reading it I found that I can use
> "entitlement" endpoints for my use case.
> So I do:
>
> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
>   "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
>   | jq .access_token -r`
>
> curl -X POST -H "Content-Type: application/json" \
>   -H "Authorization: Bearer $TOKEN" -d '{
>     "permissions" : [
>         {
>             "resource_set_name" : "Houses",
>             "scopes" : [
>                 "view"
>             ]
>         }
>     ]
> }'  "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>
> Is this correct? It seems to be working.
> I am not sure how can I get/create resources via the API.
> I tried:
>
> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" \
>   -H "Authorization: Bearer $TOKEN"
> But I get:
> {"error":"invalid_clientId","error_description":"Client application with
> id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm
> [myrealm]"}
>
>
>
> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Hi again,
>> I looked everywhere but I couldn't find an Evaluation API for
>> javascript...
>> In my nodeJS server, should I call UMA API endpoints?
>>
>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> It seems you are looking for fine-grained permissions. Could you take a
>>> look at this example [1] and documentation [2]?
>>>
>>> One of the things shown by that example is how to protect resources
>>> based on their owner.
>>>
>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>>
>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> another small question :)
>>>>
>>>> Suppose you have an API looking like this:
>>>> http://www.example.com/api/v1/cars
>>>>
>>>> Cars have an owner:
>>>> {
>>>>   name: "my car",
>>>>   owner: "smith"
>>>> }
>>>>
>>>> How do I make sure that you can only get cars that are yours (you can
>>>> have several cars)?
>>>> If you make a simple GET on this endpoint, should I:
>>>> 1. just reply with "Access denied" because the request is too large: it
>>>> could yield cars that are not yours,
>>>> 2. reply with "Access denied" if the response list contains some cars
>>>> that are not yours,
>>>> 3. filter the response car list to only yours?
>>>>
>>>> It seems that 1. is the simplest because it uses only the request to
>>>> make decisions.
>>>> 2. uses the response to make decisions, while 3. requires the
>>>> collaboration of the response handler in my API server, in order to
>>>> implement the filtering.
>>>> What is the most standard way?
>>>>
>>>> I also have some trouble understanding how to implement that with
>>>> Keycloak protect in NodeJS.
>>>> Cheers!!
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
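To make the distinction in the reply above concrete (a user token from the password grant versus a client token from client_credentials, which the Protection API requires), here is an added Python example that is not part of the thread: it builds both token requests the way the two curl commands do and peeks at a token's payload to tell which kind of subject it carries. The realm, client id, secret and sample claims are constructed assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed values; the realm, client id and secret below are assumptions.
KEYCLOAK = "http://localhost:8080/auth"
TOKEN_URL = KEYCLOAK + "/realms/{realm}/protocol/openid-connect/token"
FORM = "application/x-www-form-urlencoded"


def client_credentials_request(realm, client_id, client_secret):
    """Token request a resource server makes before calling the Protection API.
    Mirrors the curl in the reply above: HTTP Basic with client_id:client_secret and
    grant_type=client_credentials, so the subject is the client's service account."""
    # The docs' Basic header quoted in the reply encodes hello-world-authz-service:password.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"url": TOKEN_URL.format(realm=realm),
            "headers": {"Authorization": f"Basic {basic}", "Content-Type": FORM},
            "body": urlencode({"grant_type": "client_credentials"})}


def password_grant_request(realm, client_id, client_secret, username, password):
    """The quoted direct-grant request: the token represents the user, which is
    fine for entitlement queries but is rejected by the Protection API."""
    return {"url": TOKEN_URL.format(realm=realm),
            "headers": {"Content-Type": FORM},
            "body": urlencode({"grant_type": "password", "client_id": client_id,
                               "client_secret": client_secret,
                               "username": username, "password": password})}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) so the inspection below runs offline."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_subject_kind(jwt: str) -> str:
    """Diagnostic peek at the unverified payload, to choose the right grant before
    hitting the Protection API (not token validation, which needs the signature).
    Keycloak names a client's service account 'service-account-<clientId>'."""
    segment = jwt.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    username = payload.get("preferred_username", "")
    return "client" if username.startswith("service-account-") else "user"
```

Feeding the request dicts to any HTTP client reproduces the two curl calls; the "user" result for a direct-grant token is the same mismatch that produced the invalid_clientId error quoted above.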

