[keycloak-user] API Authorization: on request or response?

Pedro Igor Silva psilva at redhat.com
Tue Nov 14 15:43:58 EST 2017


In the first case you should get an error instead. Will check the second
case as in theory it should just ignore the scope.

On Tue, Nov 14, 2017 at 2:32 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> I spotted something strange:
> If I try with a non existing resource:
>
> $ curl -X POST -H "Content-Type: application/json" -H "Authorization:
> Bearer $TOKEN" -d '{
>     "permissions" : [
>         {
>             "resource_set_name" : "xxx",
>             "scopes" : [
>                 "view"
>             ]
>         }
>     ]
> }'  "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
> It replies with 200:
> {"rpt":"eyJhbG...}
> Is this correct?
>
> If I try also with a non existent scope (yes I'm nitpicking):
>
> $ curl -X POST -H "Content-Type: application/json" -H "Authorization:
> Bearer $TOKEN" -d '{
>     "permissions" : [
>         {
>             "resource_set_name" : "xxx",
>             "scopes" : [
>                 "xxx"
>             ]
>         }
>     ]
> }'  "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
>
> It replies with 500: Internal Server Error
>
> On Tue, Nov 14, 2017 at 2:13 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> This works great, thanks.
>>
>> TOKEN=`curl -X POST \
>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>     -d 'grant_type=client_credentials&client_id=myclient&client_sec
>> ret=myclientsecret'
>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/op
>> enid-connect/token" | jq .access_token -r`
>>
>> Then I do:
>> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/
>> resource_set" -H "Authorization: Bearer $TOKEN"
>> ["037f5d3e-8f25-4af1-93a0-4e17455d0614"]
>> $ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/
>> resource_set/037f5d3e-8f25-4af1-93a0-4e17455d0614" -H "Authorization:
>> Bearer $TOKEN"
>> {
>> "name": "Sensors",
>> "uri": "/sensors/*",
>> "type": "http://localhost:3000/sensors",
>> "scopes": [
>> {
>> "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
>> "name": "view"
>> },
>> {
>> "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
>> "name": "manage"
>> }
>> ],
>> "owner": "0892e431-5daf-413e-b4cf-eaee121ee447",
>> "_id": "037f5d3e-8f25-4af1-93a0-4e17455d0614",
>> "id": "037f5d3e-8f25-4af1-93a0-4e17455d0614"
>> }
>>
>> Next I tried to POST a new resource:
>> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/
>> resource_set" -H "Content-Type: application/json" -H "Authorization:
>> Bearer $TOKEN" -d '{
>> "name": "My house",
>> "uri": "/houses/123",
>> "scopes": [
>> {
>> "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
>> "name": "view"
>> },
>> {
>> "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
>> "name": "manage"
>> }
>> ],
>> "owner": "0892e431-5daf-413e-b4cf-eaee121ee447"
>> }'
>>
>> Everything seems OK.
>>
>>
>> On Tue, Nov 14, 2017 at 1:44 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Try this:
>>>
>>> curl -X POST \
>>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>     -d 'grant_type=client_credentials&client_id=myclient&client_sec
>>> ret=myclientsecret'
>>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/op
>>> enid-connect/token"
>>>
>>> Without BASIC but credentials as form parameters.
>>>
>>> On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Thanks, actually I saw it but I didn't understand where this bit came
>>>> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
>>>>
>>>> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> The problem here is that you got an access token (that you are using
>>>>> as a bearer to access Protection API) using resource owner password grant
>>>>> type (direct grant). That means the subject of the token is an user
>>>>> (username) and not the resource server itself.
>>>>>
>>>>> Only resource servers (your client application) are allowed to access
>>>>> the Protection API (and managed resources).
>>>>>
>>>>> The access token you got is valid to query for permissions though. As
>>>>> you want to obtain a set of permission an user has. Where the token
>>>>> represents user identity.
>>>>>
>>>>> You should fix that error by obtaining a access token for your client.
>>>>> Something like that (from docs):
>>>>>
>>>>> curl -X POST \
>>>>>     -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>>>>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>     -d 'grant_type=client_credentials' \
>>>>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>>>
>>>>>
>>>>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Thanks for the documentation, after reading it I found that I can use
>>>>>> "entitlement" endpoints for my use case.
>>>>>> So I do:
>>>>>>
>>>>>> TOKEN=`curl -X POST  -H "Content-Type: application/x-www-form-urlencoded"
>>>>>> -d 'username=username&password=password&grant_type=password&cli
>>>>>> ent_id=myclient&client_secret=myclientsecret' "
>>>>>> http://localhost:8080/auth/realms/myrealm/protocol/openid-c
>>>>>> onnect/token" | jq .access_token -r`
>>>>>>
>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>>>>>> Bearer $TOKEN" -d '{
>>>>>>     "permissions" : [
>>>>>>         {
>>>>>>             "resource_set_name" : "Houses",
>>>>>>             "scopes" : [
>>>>>>                 "view"
>>>>>>             ]
>>>>>>         }
>>>>>>     ]
>>>>>> }'  "http://localhost:8080/auth/realms/myrealm/authz/entitlement
>>>>>> /myclient"
>>>>>>
>>>>>> Is this correct? It seems to be working.
>>>>>> I am not sure how can I get/create resources via the API.
>>>>>> I tried:
>>>>>>
>>>>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/
>>>>>> resource_set" -H "Authorization: Bearer $TOKEN"
>>>>>> But I get:
>>>>>> {"error":"invalid_clientId","error_description":"Client application
>>>>>> with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in
>>>>>> realm [myrealm]"}
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Hi again,
>>>>>>> I looked everywhere but I couldn't find an Evaluation API for
>>>>>>> javascript...
>>>>>>> In my nodeJS server, should I call UMA API endpoints?
>>>>>>>
>>>>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <
>>>>>>> psilva at redhat.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> It seems you are looking for fine-grained permissions. Could you
>>>>>>>> take a look at this example [1] and documentation [2] ?
>>>>>>>>
>>>>>>>> One of the things shown by that example is how to protect resources
>>>>>>>> based on its owner.
>>>>>>>>
>>>>>>>> [1] https://github.com/keycloak/keycloak/tree/master/example
>>>>>>>> s/authz/photoz
>>>>>>>> [2] http://www.keycloak.org/docs/latest/authorization_servic
>>>>>>>> es/index.html
>>>>>>>>
>>>>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>>>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi guys,
>>>>>>>>> another small question :)
>>>>>>>>>
>>>>>>>>> Suppose you have an API looking like this:
>>>>>>>>> http://www.example.com/api/v1/cars
>>>>>>>>>
>>>>>>>>> Cars have an owner:
>>>>>>>>> {
>>>>>>>>>   name: "my car"
>>>>>>>>>   owner: "smith"
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> How to make sure that you can only get cars that are yours (you
>>>>>>>>> can have
>>>>>>>>> several cars)?
>>>>>>>>> If you make a simple GET on this endpoint, should I:
>>>>>>>>> 1. just reply with a "Access denied" because the request is too
>>>>>>>>> large: it
>>>>>>>>> could yield cars that are not yours,
>>>>>>>>> 2. reply with "Access denied" if the response list contains some
>>>>>>>>> cars that
>>>>>>>>> are not yours,
>>>>>>>>> 3. filter the response car list with only yours?
>>>>>>>>>
>>>>>>>>> It seems that 1. is the simplest because it uses only the request
>>>>>>>>> to make
>>>>>>>>> decisions.
>>>>>>>>> 2. uses the response to make decision, while 3. requires the
>>>>>>>>> collaboration
>>>>>>>>> of the response handler in my API server, in order to implement the
>>>>>>>>> filtering.
>>>>>>>>> What is the most standard way?
>>>>>>>>>
>>>>>>>>> I have also some trouble understanding how to implement that with
>>>>>>>>> Keycloak
>>>>>>>>> protect in NodeJS.
>>>>>>>>> Cheers!!
>>>>>>>>> Corentin
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>


More information about the keycloak-user mailing list