[keycloak-user] UMA vs OAuth

Dmitry Pichugin pdomsk at gmail.com
Fri Aug 17 05:32:48 EDT 2018


Have created - https://issues.jboss.org/browse/KEYCLOAK-8071

On Thu, 16 Aug 2018 at 15:46, Pedro Igor Silva <psilva at redhat.com> wrote:

> This seems to be a bug. I also tried here and I could reproduce the issue
> (after removing default client scopes email and profile from client). Would
> you mind creating a JIRA, please ?
>
> Regards.
>
> On Wed, Aug 15, 2018 at 7:33 PM, Dmitry Pichugin <pdomsk at gmail.com> wrote:
>
>>> We do support. Could you elaborate more what you are trying to achieve ?
>>
>>
>> Pedro, thank you for the answer!  You are right.
>>
>> We tried to apply UMA to the simple OAuth scenario "Client Credentials flow",
>> and it was a mistake. We only need to get an access token which contains
>> scopes. Yes, it works in Keycloak.
>>
>> But we have another problem: when we tried to request an access token
>> with scopes which do not exist or are not assigned to the client,
>> we received an access token with an empty "scope" parameter.
>>
>> Request:
>>
>> curl -X "POST" -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" \
>>   http://keykcloak_server:8080/auth/realms/master/protocol/openid-connect/token
>>
>> Response:
>>
>> {
>>     "access_token": "eyJhbG[...]1LQ",
>>     "token_type": "Bearer",
>>     "expires_in": 3600,
>>     "scope": ""
>> }
>>
>> But, according to RFC 6749, The OAuth 2.0 Authorization Framework
>> <https://tools.ietf.org/html/rfc6749>, we must get the error
>> "invalid_scope":
>>
>> 4.1.4. Access Token Response <https://tools.ietf.org/html/rfc6749#section-4.1.4>
>>
>>    If the access token request is valid and authorized, the
>>    authorization server issues an access token and optional refresh
>>    token as described in Section 5.1 <https://tools.ietf.org/html/rfc6749#section-5.1>.  If the request client
>>    authentication failed or is invalid, the authorization server returns
>>    an error response as described in Section 5.2 <https://tools.ietf.org/html/rfc6749#section-5.2>.
>>
>>
>> and point
>>
>>
>> 5.2. Error Response <https://tools.ietf.org/html/rfc6749#section-5.2>
>>
>> .....
>>
>> invalid_scope
>>                The requested scope is invalid, unknown, malformed, or
>>                exceeds the scope granted by the resource owner.
>>
>>
>>
>> We tried to find something in the client settings to fix the problem, but found nothing. Could you reply: is it a Keycloak error, or can't we find some special "setting" in the interface?
>>
>>
>> Best regards. Dmitry Pichugin.
>>
>>
>> On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>>> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin <pdomsk at gmail.com>
>>> wrote:
>>>
>>>> Good day!
>>>>
>>>> We are using Keycloak in our project; we have installed version 4.2.1.
>>>>
>>>> Our task:
>>>>
>>>> - integration with an API gateway, using Keycloak to protect resources.
>>>>
>>>> We would like to use the "Client Credentials Flow" from the OAuth specs. But
>>>> in version 4, Keycloak does not support OAuth and it is recommended to apply
>>>> UMA 2.0.
>>>>
>>>
>>> I'm not sure what you mean here. Where did you find this recommendation ?
>>>
>>>
>>>>
>>>> Yes, the differences between UMA and OAuth are not huge as regards request and
>>>> response (JWT token) formats; UMA has specific logic with the RPT token etc.,
>>>> and UMA gives some advantages (we do not plan to use them).
>>>>
>>>
>>> UMA is a standard mainly targeted at privacy (although there are other
>>> benefits in using it even if not for privacy). If you don't need users
>>> managing their own resources, sharing, etc., yeah, you probably don't need
>>> it. However, keep in mind that UMA support is one of the capabilities we
>>> support in Keycloak Authorization Services; you can still use Keycloak to
>>> enforce access to your protected resources using permissions
>>> managed/granted by the server.
>>>
>>>
>>>>
>>>> We tried to make a request per the OAuth specs but got an error.
>>>>
>>>> Why does Keycloak not support OAuth and UMA 2.0 at the same time? Do you have
>>>> some specific reasons for this?
>>>>
>>>
>>> We do support. Could you elaborate more what you are trying to achieve ?
>>>
>>>
>>>>
>>>> Thank you!
>>>>
>>>> Best regards. Dmitry Pichugin.
>>>>
>>>
>>>
>
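A resource-server-side scope check, added here as an example (it is not Keycloak's code and not from the thread): because the token endpoint above hands out a token whose scope claim is "" instead of an invalid_scope error, the API gateway has to enforce required scopes from the token itself rather than rely on the request being rejected. It assumes a constructed HS256 shared secret so it runs offline; real Keycloak access tokens are RS256-signed and are verified with the realm's public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this offline example only. Real Keycloak access
# tokens are RS256-signed, so a real gateway verifies them with the realm's
# public key rather than an HMAC secret.
SECRET = b"example-shared-secret-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_with_scope(scope: str, ttl: int = 3600) -> str:
    """Mint a constructed HS256 token carrying a space-separated scope claim."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"scope": scope, "exp": int(time.time()) + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def authorize(token: str, required: set) -> bool:
    """Gateway check: every required scope must be in the token's scope claim.
    A missing or empty claim, like the "" in the thread, grants nothing."""
    try:
        claims = verify_token(token)
    except ValueError:  # bad base64 and bad JSON also raise ValueError subclasses
        return False
    granted = set(claims.get("scope", "").split())
    return required <= granted
```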

