[keycloak-user] API Authorization: on request or response?

Matthew Helmke mhelmke at redhat.com
Tue Nov 14 08:23:59 EST 2017


Pedro, I'm happy to help with docs changes, if you would like assistance.

On Tue, Nov 14, 2017 at 6:44 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Btw. I should probably change documentation to reflect this. Thanks for the
> feedback.
>
> On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
> > Try this:
> >
> > curl -X POST \
> >     -H "Content-Type: application/x-www-form-urlencoded" \
> >     -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
> >     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
> >
> > Without BASIC but credentials as form parameters.
> >
> > On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <
> > corentin.dupont at gmail.com> wrote:
> >
> >> Thanks, actually I saw it but I didn't understand where this bit came
> >> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
> >>
> >> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com>
> >> wrote:
> >>
> >>> The problem here is that you got an access token (that you are using as
> >>> a bearer to access the Protection API) using the resource owner password
> >>> grant type (direct grant). That means the subject of the token is a user
> >>> (username) and not the resource server itself.
> >>>
> >>> Only resource servers (your client application) are allowed to access
> >>> the Protection API (and managed resources).
> >>>
> >>> The access token you got is valid for querying permissions, though, as
> >>> you want to obtain the set of permissions a user has, where the token
> >>> represents the user's identity.
> >>>
> >>> You should fix that error by obtaining an access token for your client.
> >>> Something like this (from the docs):
> >>>
> >>> curl -X POST \
> >>>     -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
> >>>     -H "Content-Type: application/x-www-form-urlencoded" \
> >>>     -d 'grant_type=client_credentials' \
> >>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
> >>>
> >>>
> >>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
> >>> corentin.dupont at gmail.com> wrote:
> >>>
> >>>> Thanks for the documentation, after reading it I found that I can use
> >>>> "entitlement" endpoints for my use case.
> >>>> So I do:
> >>>>
> >>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
> >>>>   -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
> >>>>   "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
> >>>>   | jq .access_token -r`
> >>>>
> >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
> >>>> Bearer $TOKEN" -d '{
> >>>>     "permissions" : [
> >>>>         {
> >>>>             "resource_set_name" : "Houses",
> >>>>             "scopes" : [
> >>>>                 "view"
> >>>>             ]
> >>>>         }
> >>>>     ]
> >>>> }'  "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
> >>>>
> >>>> Is this correct? It seems to be working.
> >>>> I am not sure how can I get/create resources via the API.
> >>>> I tried:
> >>>>
> >>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" \
> >>>>   -H "Authorization: Bearer $TOKEN"
> >>>> But I get:
> >>>> {"error":"invalid_clientId","error_description":"Client application
> >>>> with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm
> >>>> [myrealm]"}
> >>>>
> >>>>
> >>>>
> >>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
> >>>> corentin.dupont at gmail.com> wrote:
> >>>>
> >>>>> Hi again,
> >>>>> I looked everywhere but I couldn't find an Evaluation API for
> >>>>> javascript...
> >>>>> In my nodeJS server, should I call UMA API endpoints?
> >>>>>
> >>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> It seems you are looking for fine-grained permissions. Could you take
> >>>>>> a look at this example [1] and documentation [2] ?
> >>>>>>
> >>>>>> One of the things shown by that example is how to protect resources
> >>>>>> based on their owner.
> >>>>>>
> >>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
> >>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
> >>>>>>
> >>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
> >>>>>> corentin.dupont at gmail.com> wrote:
> >>>>>>
> >>>>>>> Hi guys,
> >>>>>>> another small question :)
> >>>>>>>
> >>>>>>> Suppose you have an API looking like this:
> >>>>>>> http://www.example.com/api/v1/cars
> >>>>>>>
> >>>>>>> Cars have an owner:
> >>>>>>> {
> >>>>>>>   name: "my car"
> >>>>>>>   owner: "smith"
> >>>>>>> }
> >>>>>>>
> >>>>>>> How to make sure that you can only get cars that are yours (you can
> >>>>>>> have several cars)?
> >>>>>>> If you make a simple GET on this endpoint, should I:
> >>>>>>> 1. just reply with an "Access denied" because the request is too
> >>>>>>> large: it could yield cars that are not yours,
> >>>>>>> 2. reply with "Access denied" if the response list contains some
> >>>>>>> cars that are not yours,
> >>>>>>> 3. filter the response car list to only yours?
> >>>>>>>
> >>>>>>> It seems that 1. is the simplest because it uses only the request to
> >>>>>>> make decisions.
> >>>>>>> 2. uses the response to make the decision, while 3. requires the
> >>>>>>> collaboration of the response handler in my API server, in order to
> >>>>>>> implement the filtering.
> >>>>>>> What is the most standard way?
> >>>>>>>
> >>>>>>> I also have some trouble understanding how to implement that with
> >>>>>>> Keycloak protect in NodeJS.
> >>>>>>> Cheers!!
> >>>>>>> Corentin
> >>>>>>> _______________________________________________
> >>>>>>> keycloak-user mailing list
> >>>>>>> keycloak-user at lists.jboss.org
> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
>



-- 

matthew helmke

technical writer, product documentation

CUSTOMER content services

mhelmke at redhat.com  T: +1-319-333-9638  irc:: mhelmke
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>

