[keycloak-user] UMA vs OAuth

Pedro Igor Silva psilva at redhat.com
Thu Aug 16 08:46:38 EDT 2018


This seems to be a bug. I also tried here and I could reproduce the issue
(after removing the default client scopes email and profile from the client).
Would you mind creating a JIRA, please?

Regards.

On Wed, Aug 15, 2018 at 7:33 PM, Dmitry Pichugin <pdomsk at gmail.com> wrote:

> We do support. Could you elaborate more what you are trying to achieve ?
>
>
> Pedro, thank you for the answer!  You are right.
>
> We tried to apply UMA to the simple OAuth scenario "Client Credentials flow"
> and it was a mistake. We only need to get an access token, which contains
> scopes. Yes, it works in Keycloak.
>
> But we have another problem: when we tried to request an access token with
> scopes that do not exist or are not assigned to the client, we still
> received an access token, with the "scope" parameter shown below.
>
> Request:
>
> curl -X "POST" -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" http://keycloak_server:8080/auth/realms/master/protocol/openid-connect/token
>
> Response:
>
> {
>     "access_token": "eyJhbG[...]1LQ",
>     "token_type": "Bearer",
>     "expires_in": 3600,
>     "scope": ""
> }
>
> But according to RFC 6749, The OAuth 2.0 Authorization Framework
> <https://tools.ietf.org/html/rfc6749>, we must get the error
> "invalid_scope".
>
> 4.1.4. Access Token Response
> <https://tools.ietf.org/html/rfc6749#section-4.1.4>
>
>    If the access token request is valid and authorized, the
>    authorization server issues an access token and optional refresh
>    token as described in Section 5.1.  If the request failed client
>    authentication or is invalid, the authorization server returns
>    an error response as described in Section 5.2.
>
>
> and section
>
>
> 5.2. Error Response <https://tools.ietf.org/html/rfc6749#section-5.2>
>
> .....
>
> invalid_scope
>                The requested scope is invalid, unknown, malformed, or
>                exceeds the scope granted by the resource owner.
>
>
>
> We tried to find something in the client settings to fix the problem, but
> found nothing. Could you tell us whether this is a Keycloak error, or
> whether we are missing some special "setting" in the interface?
>
>
> Best regards. Dmitry Pichugin.
>
>
> On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin <pdomsk at gmail.com>
>> wrote:
>>
>>> Good day!
>>>
>>> We are using Keycloak in our project and have installed version 4.2.1.
>>>
>>> Our task:
>>>
>>> - integration with an API gateway, using Keycloak to protect resources.
>>>
>>> We would like to use the "Client Credentials Flow" from the OAuth specs.
>>> But as of version 4, Keycloak does not support OAuth and it is
>>> recommended to apply UMA 2.0.
>>>
>>
>> I'm not sure what you mean here. Where did you find this recommendation ?
>>
>>
>>>
>>> Yes, the differences between UMA and OAuth are not huge, such as the
>>> request and response (JWT token) formats; UMA has specific logic with
>>> the RPT token etc. and UMA gives some advantages (we do not plan to
>>> use them).
>>>
>>
>> UMA is a standard mainly targeted for privacy (although there are other
>> benefits in using even if not for privacy), if you don't need users
>> managing their own resources, sharing, etc, yeah, you probably don't need
>> it. However, keep in mind that UMA support is one of the capabilities we
>> support in Keycloak Authorization Services, you can still use Keycloak to
>> enforce access to your protected resources using permissions
>> managed/granted by the server.
>>
>>
>>>
>>> We tried to make a request per the OAuth specs but got an error.
>>>
>>> Why does Keycloak not support OAuth and UMA 2.0 at the same time? Do
>>> you have some specific reasons for this?
>>>
>>
>> We do support. Could you elaborate more what you are trying to achieve ?
>>
>>
>>>
>>> Thank you!
>>>
>>> Best regards. Dmitry Pichugin.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
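The behaviour reported in this thread (HTTP 200 with an empty "scope" instead of an invalid_scope error) means a client cannot rely on the token endpoint to reject unknown or unassigned scopes. The following is an added example in Python, not code from the original posts or from Keycloak. It works entirely on constructed sample responses and an unsigned, fake JWT (real Keycloak access tokens are RS256-signed with the realm key and must be signature-verified; the decoder below only inspects claims). rfc6749_scope_decision models the scope check RFC 6749 section 5.2 calls for on the server side, and evaluate_token_response is the client-side check that fails closed when a requested scope is missing from what was actually granted, which is exactly the case Dmitry hit.

```python
import base64
import json

# --- Constructed sample data (not real Keycloak output) ---------------------

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_fake_jwt(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for this offline example only.
    A real Keycloak access token is RS256-signed; this one has a dummy signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"

# Shape of the response quoted in the thread: token issued, "scope" empty.
SAMPLE_EMPTY_SCOPE = json.dumps({
    "access_token": make_fake_jwt({"azp": "testclient", "scope": ""}),
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "",
})

# Constructed: client asked for "email", server also added the default
# "profile" scope. A superset of the request is acceptable to the client.
SAMPLE_OK = json.dumps({
    "access_token": make_fake_jwt({"azp": "testclient", "scope": "email profile"}),
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "email profile",
})

# Constructed: the RFC 6749 section 5.2 error response the thread expected.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_scope",
    "error_description": "unknown scope: unexisted_scope",
})

# --- Server side: what RFC 6749 calls for -----------------------------------

def rfc6749_scope_decision(requested: set, assigned: set) -> dict:
    """Model of a token endpoint's scope check for the client credentials
    grant: any requested scope the client is not assigned yields the
    invalid_scope error (RFC 6749 section 5.2) instead of a token."""
    unknown = requested - assigned
    if unknown:
        return {
            "error": "invalid_scope",
            "error_description": "unknown or unassigned scope: "
            + " ".join(sorted(unknown)),
        }
    return {"scope": " ".join(sorted(requested))}

# --- Client side: never assume the requested scopes were granted ------------

class ScopeError(Exception):
    pass

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload only. This does NOT verify the signature; a
    resource server must verify it against the realm's public key before
    trusting any claim. Here it is used only to cross-check 'scope'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(response_body: str, requested: set) -> set:
    body = json.loads(response_body)
    if "error" in body:
        raise ScopeError(body["error"] + ": " + body.get("error_description", ""))
    # RFC 6749 section 5.1: "scope" is REQUIRED when it differs from the
    # request and OPTIONAL otherwise, so an absent field means "as requested".
    granted = set(body["scope"].split()) if "scope" in body else set(requested)
    token_scopes = set(jwt_claims(body["access_token"]).get("scope", "").split())
    if token_scopes != granted:
        raise ScopeError(f"scope claim {sorted(token_scopes)} != response scope {sorted(granted)}")
    missing = requested - granted
    if missing:
        # The case from the thread: HTTP 200, token issued, "scope": "".
        raise ScopeError("requested scope(s) not granted: " + " ".join(sorted(missing)))
    return granted

def evaluate_token_response(response_body: str, requested: set) -> dict:
    """Fail-closed wrapper: {'ok': bool, 'granted': [...], 'reason': str}."""
    try:
        granted = granted_scopes(response_body, requested)
    except (ScopeError, ValueError, KeyError) as exc:
        return {"ok": False, "granted": [], "reason": str(exc)}
    return {"ok": True, "granted": sorted(granted), "reason": ""}

if __name__ == "__main__":
    print("empty-scope:", evaluate_token_response(SAMPLE_EMPTY_SCOPE, {"unexisted_scope"}))
    print("ok:", evaluate_token_response(SAMPLE_OK, {"email"}))
    print("error:", evaluate_token_response(SAMPLE_ERROR, {"unexisted_scope"}))
```

The design point is that both outcomes in the thread, the empty-scope token and a proper invalid_scope error, end up as a refusal on the client side, so a gateway wired this way does not start calling a protected API with a token that carries none of the scopes it asked for. Whether a server-granted superset (default scopes such as profile) is acceptable depends on your policy; the check above allows it and reports the full granted set.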

