[keycloak-user] Possible Bug in ProtectionService.java while retrieving ClientModel in resource_set endpoint

Spike J dev.spike.j at gmail.com
Fri Apr 27 01:35:55 EDT 2018


Hi there,

I noticed an unfortunate HTTP 500 Server Error when requesting the
"/protection/resource_set" endpoint of Keycloak. After some debugging it
showed that the retrieval of the ClientModel returned null, because
identity.getId() returns a user ID and not the related client ID.
The following lines show the current code vs. my refactored version of
org.keycloak.authorization.protection.ProtectionService.resource() (line
60, master branch).

This endpoint is requested with an end user's access token.

Current code (master branch), fails:
ClientModel client = realm.getClientById(identity.getId());
--> client = null
--> identity.getId() = user ID of the user requesting the endpoint

Refactored code (works):
ClientModel client = realm.getClientByClientId(identity.getAccessToken().getIssuedFor());
--> client != null
--> identity.getAccessToken().getIssuedFor() = clientId (name of the client)
--> calling getClientByClientId() instead of getClientById()

Documentation of this endpoint:
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api

What is the actual purpose of the method "getId()" of the KeycloakIdentity class?
In my opinion this class should return the ID of a client and not the ID of
a user.

I am looking forward to your insights regarding this bug.

Best regards
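A small model of the lookup mismatch described in the post, as an added example (not code from the original message or from Keycloak): a constructed realm with one client stored under its internal UUID, a constructed unsigned access token whose "sub" is the user ID and whose "azp" claim is what getIssuedFor() returns, and the two lookups side by side. The realm contents, token claims and function names are assumptions made for illustration.

```python
import base64
import json

# Constructed realm: Keycloak stores each client under an internal UUID ("id")
# and a human-readable "clientId" (the name that appears in the token's azp claim).
REALM_CLIENTS = {
    "5f2c1e3a-1111-4222-8333-444444444444": {"clientId": "my-resource-server"},
}

def get_client_by_id(internal_id):
    """Mirrors RealmModel.getClientById: lookup by the internal UUID."""
    return REALM_CLIENTS.get(internal_id)

def get_client_by_client_id(client_id):
    """Mirrors RealmModel.getClientByClientId: lookup by the clientId name."""
    for internal_id, client in REALM_CLIENTS.items():
        if client["clientId"] == client_id:
            return {"id": internal_id, **client}
    return None

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) used only as sample input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_claims(token: str) -> dict:
    """Decode (without verifying) the claims segment of a JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

# Constructed end-user token: "sub" is the user's ID, "azp" (issuedFor) is the clientId.
SAMPLE_TOKEN = build_unsigned_token({
    "sub": "9d4e7c20-aaaa-4bbb-8ccc-dddddddddddd",
    "azp": "my-resource-server",
})

def resolve_client_buggy(token: str):
    # identity.getId() yields the token subject, i.e. the requesting user's ID,
    # which is never a client's internal UUID -> lookup returns None.
    return get_client_by_id(decode_jwt_claims(token)["sub"])

def resolve_client_fixed(token: str):
    # AccessToken.getIssuedFor() is the azp claim, the clientId name -> found.
    return get_client_by_client_id(decode_jwt_claims(token)["azp"])
```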
