[keycloak-user] NPE when requesting authorization

Corentin Dupont corentin.dupont at gmail.com
Wed Jul 4 08:31:42 EDT 2018


I have another weird behavior (with GitHub HEAD).
When requesting a permission on a non-existing resource, I still get a token.
This token contains all the permissions.
Is it correct? Shouldn't it be 404 or something?


$ USERTOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'username=xx&password=xx&grant_type=password&client_id=api-server&client_secret=xxx' \
    "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" \
    | jq .access_token -r)

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not_exist#sensors:view"

{"upgraded":false,"access_token":"eyJhbGciOiJSUzI......
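One check worth running on the returned access_token before trusting it: decode the RPT and list what its authorization.permissions claim actually grants, compared with the single resource#scope that was requested. This is an added example, not code from the thread or from Keycloak; it assumes Keycloak's RPT claim layout (authorization.permissions entries with rsname and scopes) and uses a constructed, unsigned token in place of a real RS256-signed one.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample RPT: header + payload are real base64url JSON, the
# signature segment is a dummy (a real Keycloak RPT is RS256-signed).
_HEADER = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
_PAYLOAD = _b64url(json.dumps({
    "aud": "api-server",
    "authorization": {"permissions": [
        {"rsid": "constructed-id-1", "rsname": "Sensortest",
         "scopes": ["sensors:view", "sensors:edit"]},
        {"rsid": "constructed-id-2", "rsname": "Default Resource",
         "scopes": ["sensors:view"]},
    ]},
}).encode())
SAMPLE_RPT = f"{_HEADER}.{_PAYLOAD}.dummysig"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; no signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def rpt_permissions(token: str) -> dict:
    """Map resource name -> set of scopes from authorization.permissions.
    A permission entry without 'scopes' is taken as resource-wide ('*')."""
    perms = decode_payload(token).get("authorization", {}).get("permissions", [])
    granted = {}
    for p in perms:
        granted.setdefault(p.get("rsname"), set()).update(p.get("scopes", ["*"]))
    return granted


def excess_permissions(token: str, resource: str, scope: str) -> dict:
    """Everything the RPT grants beyond the one resource#scope that was asked for."""
    excess = {}
    for name, scopes in rpt_permissions(token).items():
        extra = scopes - {scope} if name == resource else set(scopes)
        if extra:
            excess[name] = sorted(extra)
    return excess
```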





On Tue, Jul 3, 2018 at 5:00 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> It should be fixed now in master and available in next release.
> https://github.com/keycloak/keycloak/pull/5346.
>
> Thanks !
>
> On Tue, Jul 3, 2018 at 10:39 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Yes, I see that this error happens when the resource does not exist.
>> However, with my user "guest", it happens all the time, even when the
>> resource does exist...
>>
>> On Tue, Jul 3, 2018 at 2:15 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> OK. Found the issue. Will fix it. Problem is that Sensortest does not
>>> exist and the program enters a state in which a resource-less permission causes
>>> that error.
>>>
>>> On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> I got this error when requesting authorization on a resource:
>>>>
>>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>>     -H "Authorization: Bearer $USERTOKEN" \
>>>>     -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=Sensortest#sensors:view"
>>>>
>>>> {"error":"server_error","error_description":"Unexpected error while
>>>> evaluating permissions"}
>>>>
>>>> On the server side I get:
>>>>
>>>> 12:42:11,821 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-16) Unexpected error while evaluating permissions: java.lang.NullPointerException
>>>>   at org.keycloak.authorization.util.Permissions.permits(Permissions.java:194)
>>>>   at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:173)
>>>>   at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124)
>>>>   at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
>>>>   at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
>>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>>
>>>>
>>>> I got my token this way:
>>>> USERTOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>>>     -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=xxx' \
>>>>     "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" \
>>>>     | jq .access_token -r)
>>>>
>>>> This seems to happen for scope-based policies.
>>>>
>>>> Cheers
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>