[keycloak-user] Bug? Shared UMA resource not accessible

Pedro Igor Silva psilva at redhat.com
Fri Nov 2 11:53:20 EDT 2018


Hi,

For UMA protected resources you should use the resource id within the
"permission" parameter. The reason being that the server could not infer
the correct resource based on the name. Another option is using the regular
UMA flow with permission tickets.

Regards.
Pedro Igor

On Fri, Nov 2, 2018 at 12:49 PM Ulrik Sjölin <ulrik.sjolin at gmail.com> wrote:

> Hello there,
>
> I wonder if anyone is experiencing this problem and if anyone out
> there has a workaround (I am running 4.5.0).
>
> The problem I have comes up in a really simple situation:
> JDoe has 1 resource (JDoeResource) that he shares with Alice (scope:
> JDoeScope).
>
> Alice tries to access that resource with
> permission=JDoeResource#JDoeScope. This fails with a “400 bad request”
> when it should return the resource in question. I wonder if this is
> [KEYCLOAK-8448] that I am seeing.
>
> When alice tries to access the resource with
> permission=<JDoeResource-ID>#JDoeScope or by just specifying
> permission=#JDoeScope everything works fine.
>
> Below there is a small script that recreates and demonstrates the problem.
>
> Any help in this matter would be greatly appreciated.
>
> Best Regards,
>
> Ulrik Sjölin
>
>
> In order to run the script below you need to have the tools ‘jwt-cli’
> and ‘jq’ installed.
>
> #!/bin/bash
> # Needs 'jwt-cli' (to decode the RPT) and 'jq' on the PATH.
> export host=keycloak
> export port=8080
> export realm=myrealm
> export resource_server_client_id=my-service
> export resource_server_client_secret=88888888-8888-8888-8888-888888888888
> export username=alice
> export password=alice
> export resource_owner=jdoe
> export resource_name=JDoeResource
> export scope=JDoeScope
>
> token_endpoint=http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
> resource_set_endpoint=http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set
>
> # Access token for ${username}, issued through the resource server client.
> export access_token=$(curl --silent ${token_endpoint} \
>   -d client_id=${resource_server_client_id} \
>   -d client_secret=${resource_server_client_secret} \
>   -d username=${username} \
>   -d password=${password} \
>   -d grant_type=password \
>   | jq -r ".access_token")
>
> # Look the resource up by name; the Protection API answers with an array of ids.
> export result=$(curl --silent -X GET "${resource_set_endpoint}?name=${resource_name}" \
>   -H "Authorization: Bearer ${access_token}" \
>   | jq -r ".[0]")
>
> if [ "$result" = "null" ]; then
>   # First run: create the resource (owner-managed, so ${resource_owner} can share it).
>   export new_id=$(curl --silent -X POST ${resource_set_endpoint} \
>     -H "content-type: application/json" \
>     -H "Authorization: Bearer ${access_token}" \
>     --data @<(cat <<EOF
> {
>   "name":"${resource_name}",
>   "type":"Entities",
>   "owner":"${resource_owner}",
>   "ownerManagedAccess":"true",
>   "resource_scopes":["${scope}"]
> }
> EOF
>     ) | jq -r "._id")
>
>   echo "Created resource with id: ${new_id}"
>   echo "Log in with user ${resource_owner} into keycloak"
>   echo "and share ${resource_name} with ${username}"
>   echo "When that is done, run this script again"
>   exit 0   # nothing more to try until the resource has been shared
> else
>   echo "Found resource with id: ${result}"
>   resource_id=$result
> fi
>
> # Ask for an RPT with the given 'permission' value and print the token.
> request_rpt() {
>   curl --silent -X POST ${token_endpoint} \
>     -H "Authorization: Bearer ${access_token}" \
>     --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>     --data "audience=${resource_server_client_id}" \
>     --data "permission=$1" \
>     | jq -r ".access_token"
> }
>
> # Three spellings of the same permission: scope only, id#scope, name#scope.
> # The grep shows whether ${resource_name} ended up in the RPT's permissions.
> for permission in "#${scope}" "${resource_id}#${scope}" "${resource_name}#${scope}"; do
>   export result=$(request_rpt "${permission}")
>   export result=$(jwt $result | grep ${resource_name})
>   echo "permission=${permission}: ${result}"
> done
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
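The two routes named in the reply above (put the resource id, never the name, in the "permission" parameter; or go through a permission ticket), as an added example that is neither code from this thread nor Keycloak's own client library. It assumes the Keycloak 4.x URL layout (/auth/realms/<realm>/...), the Protection API responses as Keycloak documents them (a JSON array of ids for resource_set?name=, a {"ticket": ...} object from /authz/protection/permission, an RPT whose payload carries authorization.permissions with rsid/scopes), a PAT for the Protection API calls obtained separately via client credentials, and that the resource name is unique. The transport argument and the demo() stand-in for the server are assumptions so the flow can be run offline; host, realm, client and resource names are the ones from the post.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Keycloak resource ids are UUIDs; a resource *name* in 'permission' is what drew the 400.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def permission_param(resource_id, scope):
    """Build one 'permission' value: '<resource-id>#<scope>', or '#<scope>' for any resource."""
    if resource_id and not UUID_RE.match(resource_id):
        raise ValueError("use the resource id, not its name: %r" % (resource_id,))
    return "%s#%s" % (resource_id or "", scope)


def http_json(method, url, bearer, body=None, content_type=None):
    """Default transport: one bearer-authenticated HTTP call, JSON parsed; raises on non-2xx."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", "Bearer " + bearer)
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class UmaClient:
    """Token endpoint and Protection API, paths as laid out in Keycloak 4.x (/auth prefix)."""
    FORM = "application/x-www-form-urlencoded"

    def __init__(self, base, realm, transport=http_json):
        self.realm_url = "%s/auth/realms/%s" % (base.rstrip("/"), realm)
        self.transport = transport  # assumption of this example: pluggable so it runs offline

    def resolve_resource_id(self, pat, name):
        """resource_set?name= answers with an array of ids (assumes the name is unique)."""
        url = self.realm_url + "/authz/protection/resource_set?name=" + urllib.parse.quote(name)
        ids = self.transport("GET", url, pat)
        return ids[0] if ids else None

    def _token(self, access_token, fields):
        body = urllib.parse.urlencode(dict(grant_type=UMA_GRANT, **fields), doseq=True).encode()
        resp = self.transport("POST", self.realm_url + "/protocol/openid-connect/token",
                              access_token, body, self.FORM)
        return resp["access_token"]

    def request_rpt(self, access_token, audience, permissions):
        """Option 1: ask for an RPT directly; each entry is '<id>#<scope>' (repeated param)."""
        return self._token(access_token, {"audience": audience, "permission": permissions})

    def request_permission_ticket(self, pat, resource_id, scopes):
        """Option 2, step 1: the resource server obtains a permission ticket with its PAT."""
        body = json.dumps([{"resource_id": resource_id, "resource_scopes": list(scopes)}]).encode()
        resp = self.transport("POST", self.realm_url + "/authz/protection/permission",
                              pat, body, "application/json")
        return resp["ticket"]

    def exchange_ticket(self, access_token, ticket):
        """Option 2, step 2: the requesting party trades the ticket for an RPT."""
        return self._token(access_token, {"ticket": ticket})


def rpt_permissions(rpt):
    """Decode the RPT payload. No signature check: fine for inspection, never for authorizing."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {p["rsid"]: set(p.get("scopes", [])) for p in claims["authorization"]["permissions"]}


def rpt_grants(rpt, resource_id, scope):
    return scope in rpt_permissions(rpt).get(resource_id, set())


def demo():
    """Offline run against a constructed stand-in for Keycloak (no network, unsigned RPT)."""
    rid, name, scope = "3b1d0c6e-1b2f-4c8a-9d7e-5f6a7b8c9d0e", "JDoeResource", "JDoeScope"
    claims = {"authorization": {"permissions": [{"rsid": rid, "rsname": name, "scopes": [scope]}]}}
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    rpt = "%s.%s.sig" % (b64({"alg": "none"}), b64(claims))  # constructed sample token

    def fake(method, url, bearer, body=None, content_type=None):
        if url.endswith("resource_set?name=" + name):
            return [rid]
        if url.endswith("/authz/protection/permission"):
            return {"ticket": "ticket-for-" + json.loads(body)[0]["resource_id"]}
        form = urllib.parse.parse_qs(body.decode())
        assert form["grant_type"] == [UMA_GRANT] and ("permission" in form or "ticket" in form)
        return {"access_token": rpt}

    kc = UmaClient("http://keycloak:8080", "myrealm", transport=fake)
    resolved = kc.resolve_resource_id("pat", name)
    direct = kc.request_rpt("alice-token", "my-service", [permission_param(resolved, scope)])
    via_ticket = kc.exchange_ticket("alice-token", kc.request_permission_ticket("pat", resolved, [scope]))
    return resolved == rid, rpt_grants(direct, rid, scope), rpt_grants(via_ticket, rid, scope)
```

permission_param refuses a value that is not a UUID so the name/id mix-up from the post is caught client-side instead of surfacing as a 400 from the token endpoint; rpt_permissions only decodes, so anything that makes an access decision from the RPT must still verify its signature against the realm keys.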