[keycloak-user] UMA vs OAuth

Dmitry Pichugin pdomsk at gmail.com
Wed Aug 15 18:33:49 EDT 2018


>
> We do support. Could you elaborate more what you are trying to achieve ?


Pedro, thank you for the answer!  You are right.

We tried to apply UMA to the simple OAuth scenario "Client Credentials flow"
and it was a mistake. We only need to get an access token which contains
scopes. Yes, it works in Keycloak.

But we have another problem: when we request an access token with
scopes which do not exist or are not assigned to the client, we
receive an access token with an empty "scope" parameter.

Request:

curl -X POST \
  -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" \
  http://keycloak_server:8080/auth/realms/master/protocol/openid-connect/token

Response:

{
    "access_token": "eyJhbG[...]1LQ",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": ""
}

But, according to RFC 6749, The OAuth 2.0 Authorization Framework
<https://tools.ietf.org/html/rfc6749>, we must get the error
"invalid_scope":

4.1.4. Access Token Response
<https://tools.ietf.org/html/rfc6749#section-4.1.4>

   If the access token request is valid and authorized, the
   authorization server issues an access token and optional refresh
   token as described in Section 5.1
   <https://tools.ietf.org/html/rfc6749#section-5.1>.  If the request
   failed client authentication or is invalid, the authorization server
   returns an error response as described in Section 5.2
   <https://tools.ietf.org/html/rfc6749#section-5.2>.

and section

5.2. Error Response
<https://tools.ietf.org/html/rfc6749#section-5.2>

   .....

   invalid_scope
               The requested scope is invalid, unknown, malformed, or
               exceeds the scope granted by the resource owner.



We tried to find something in the client settings to fix the problem, but
found nothing. Could you reply: is it a Keycloak bug, or can't we find
some special "setting" in the interface?


Best regards. Dmitry Pichugin.


On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva <psilva at redhat.com> wrote:

> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin <pdomsk at gmail.com> wrote:
>
>> Good day!
>>
>> We are using Keycloak in our project, having installed version 4.2.1.
>>
>> Our task:
>>
>> - integration with an API gateway, using Keycloak to protect resources.
>>
>> We would like to use the "Client Credentials Flow" from the OAuth specs. But
>> as of version 4, Keycloak does not support OAuth and it is recommended to
>> apply UMA 2.0.
>>
>
> I'm not sure what you mean here. Where did you find this recommendation ?
>
>
>>
>> Yes, the differences between UMA and OAuth are not huge, such as the request
>> and response (JWT token) formats; UMA has specific logic with the RPT token
>> etc. and UMA gives some advantages (we do not plan to use them).
>>
>
> UMA is a standard mainly targeted for privacy (although there are other
> benefits in using even if not for privacy), if you don't need users
> managing their own resources, sharing, etc, yeah, you probably don't need
> it. However, keep in mind that UMA support is one of the capabilities we
> support in Keycloak Authorization Services, you can still use Keycloak to
> enforce access to your protected resources using permissions
> managed/granted by the server.
>
>
>>
>> We tried to make a request per the OAuth specs but got an error.
>>
>> Why does Keycloak not support OAuth and UMA 2.0 at the same time? Do you
>> have some specific reasons for this?
>>
>
> We do support. Could you elaborate more what you are trying to achieve ?
>
>
>>
>> Thank you!
>>
>> Best regards. Dmitry Pichugin.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
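The practical consequence of the behaviour Dmitry reports is that a caller which only checks for HTTP 200 will happily proceed with a token that carries none of the scopes it asked for. The script below is an added example, not code from the thread or from the Keycloak project: it compares the scopes a client_credentials request asked for against the scopes actually granted (the "scope" member of the token response, falling back to the "scope" claim in the JWT payload) and fails closed on any shortfall, whether the server answered with an RFC 6749 5.2 invalid_scope error or, as above, with a 200 and an empty scope. The token responses and the alg=none JWT are constructed inline so it runs offline; the realm, client and scope names are placeholders taken from the thread, and the error_description text is invented.

```python
"""Client-side check of granted scopes after a client_credentials request.

Added example for the keycloak-user thread above; not Keycloak code.
Runs offline against constructed token responses.
"""
import base64
import json
import urllib.parse
import urllib.request  # used only by build_token_request; nothing is sent here

# Placeholders from the thread (assumed values, not a real deployment)
TOKEN_ENDPOINT = "http://keycloak_server:8080/auth/realms/master/protocol/openid-connect/token"
CLIENT_ID = "testclient"
CLIENT_SECRET = "secret"


def build_token_request(endpoint, client_id, client_secret, scopes):
    """Build the RFC 6749 4.4.2 client_credentials request.

    Client credentials are sent in the form body as in the thread's curl
    command (RFC 6749 2.3.1 prefers HTTP Basic; Keycloak accepts both).
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    }).encode()
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def _b64url_decode(segment):
    """Decode an unpadded base64url segment (JWS compact serialization)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Return the JWT payload WITHOUT verifying the signature.

    Acceptable only for reading claims of a token the client itself just
    received from the issuer over TLS; a resource server must verify the
    signature against the realm keys before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token_response):
    """Scopes the AS actually granted (RFC 6749 5.1 lets it differ from the request)."""
    scope_str = token_response.get("scope")
    if scope_str is None:  # "scope" member absent: fall back to the JWT claim
        scope_str = jwt_payload(token_response["access_token"]).get("scope", "")
    return set(scope_str.split())


def check_scopes(requested, token_response):
    """Return (ok, missing).

    ok is False if the AS returned an OAuth error object (e.g. invalid_scope)
    or if any requested scope is absent from the grant. Either way the caller
    must not use the token for the operation it needed those scopes for.
    """
    if "error" in token_response:
        return False, set(requested)
    missing = set(requested) - granted_scopes(token_response)
    return not missing, missing


def make_unsigned_jwt(claims):
    """Build an alg=none JWT for the offline sample. Never accept alg=none in production."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples (not captured from a real Keycloak server)
KEYCLOAK_LIKE_RESPONSE = {  # shape of the 200 response shown in the thread
    "access_token": make_unsigned_jwt({"azp": CLIENT_ID, "scope": ""}),
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "",
}
RFC_ERROR_RESPONSE = {  # what RFC 6749 5.2 says the AS should return
    "error": "invalid_scope",
    "error_description": "Invalid scopes: unexisted_scope",
}

if __name__ == "__main__":
    req = build_token_request(TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET, ["unexisted_scope"])
    print("would POST to", req.full_url, "body:", req.data.decode())
    for name, resp in [("keycloak-like", KEYCLOAK_LIKE_RESPONSE), ("rfc-error", RFC_ERROR_RESPONSE)]:
        print(name, check_scopes(["unexisted_scope"], resp))
```

Both constructed responses come out as a failure for the requested scope, which is the point: the empty-scope 200 and the invalid_scope error must be treated the same way by the client, and any code that gates a privileged call on "I got a token" rather than "I got a token carrying scope X" has a hole regardless of which behaviour the server exhibits.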