[keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

Lamina, Marco marco.lamina at sap.com
Wed Nov 14 13:44:03 EST 2018


The permission to my resources is not given using the UMA flow, but by policies and permissions that I defined manually.
For example, I have a resource-type-based permission that combines two policies with the “affirmative” strategy:

  1.  “User is resource owner” – JS-based policy
  2.  “User is admin” – role-based policy

My assumption was that this will grant full access to any resources of that type if a user is either its owner or is assigned the ‘admin’ role. Using the evaluation tool, I can verify that admins have permission to access any resource of that type with any scope. But still, these resources do not show up in the permissions list I receive from the token endpoint.

For context: I need this type of request to query my database for all objects that a given token has access to. Maybe I’m going about this the wrong way? Would love to hear your suggestions!


From: Pedro Igor Silva <psilva at redhat.com>
Date: Wednesday, November 14, 2018 at 4:04 AM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

When asking for *all* permissions a user has, the policy evaluation engine resolves the resources as follows:

1) Get all resources owned by the user
2) Get all resources owned by the resource server
3) Get all resources granted by another user to the user based on UMA and permission tickets.

NOTE: when doing an "all" request we don't fetch all resources managed by the server.

If you are not getting the resources owned by other users, it is probably because they were not granted based on permission tickets (UMA flow). I would suggest you get the id for one of these resources and send an authorization request using the resource id to see what you get.

Regards.
Pedro Igor

On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco <marco.lamina at sap.com> wrote:
Hi,
I am trying to use Keycloak’s token endpoint to obtain a list of all resources and the respective scopes that a user has permission to access. However, the behavior I am observing does not match what is described in the documentation (Link [1]). I am using the token endpoint as shown in Link [2].

Expected behavior:
Token endpoint returns a list of all resources and scopes that the token’s user has permission to access.

Observed behavior:
Token endpoint only returns resources that are owned by either the token’s user or the resource server itself. Resources owned by other users are not listed, even though the token’s user has permission to access them.

Is that a bug or expected behavior?

Links:

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
[2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545

Thanks,
Marco

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
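The two requests discussed in this thread, as an added example that is not part of the original messages or of Keycloak's own code: the "all permissions" request (no `permission` parameter, so the engine resolves resources the way Pedro lists) and the per-resource request he suggests for a resource owned by another user. The base URL, realm name, resource-server client id and resource id are placeholders, and the sample response is constructed, not real server output.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values are assumptions:
KEYCLOAK_BASE="${KEYCLOAK_BASE:-https://keycloak.example.com/auth}"   # assumed base URL
REALM="${REALM:-myrealm}"                                             # assumed realm
RESOURCE_SERVER="${RESOURCE_SERVER:-my-resource-server}"              # assumed client id of the resource server

UMA_GRANT='grant_type=urn:ietf:params:oauth:grant-type:uma-ticket'

# Form body for an "all permissions" request. With no permission parameter the
# policy engine resolves resources as Pedro describes: resources owned by the
# user, resources owned by the resource server, and resources granted to the
# user via UMA permission tickets. Resources merely managed by the server are
# not fetched, which is why admin-only grants do not appear here.
all_permissions_body() {
  printf '%s&audience=%s&response_mode=permissions' "$UMA_GRANT" "$RESOURCE_SERVER"
}

# Form body for a single-resource request: permission=<resource-id>[#<scope>].
# This is the per-resource check Pedro suggests: if the user's token is granted
# access here but the resource is missing from the "all" list, the grant did not
# come from a permission ticket.
resource_permission_body() {
  resource_id="$1"
  scope="$2"
  if [ -n "$scope" ]; then
    printf '%s&audience=%s&permission=%s#%s&response_mode=permissions' \
      "$UMA_GRANT" "$RESOURCE_SERVER" "$resource_id" "$scope"
  else
    printf '%s&audience=%s&permission=%s&response_mode=permissions' \
      "$UMA_GRANT" "$RESOURCE_SERVER" "$resource_id"
  fi
}

# Sends a prepared body to the token endpoint, authenticating with the user's
# access token. Only this function touches the network.
send_authz_request() {
  access_token="$1"
  body="$2"
  curl -s -X POST "$KEYCLOAK_BASE/realms/$REALM/protocol/openid-connect/token" \
    -H "Authorization: Bearer $access_token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data "$body"
}

# Extracts resource names from a response_mode=permissions JSON array
# (objects with rsid, rsname and scopes). Uses grep/sed only so it runs
# offline; it expects compact JSON without spaces after the colons.
list_resource_names() {
  printf '%s' "$1" | grep -o '"rsname":"[^"]*"' | sed 's/"rsname":"\(.*\)"/\1/'
}

# Constructed sample response for demonstration, not real server output.
SAMPLE_RESPONSE='[{"rsid":"11111111-aaaa","rsname":"Document A","scopes":["read","write"]},{"rsid":"22222222-bbbb","rsname":"Document B","scopes":["read"]}]'

# Usage (requires a live server and a user access token in $TOKEN):
#   send_authz_request "$TOKEN" "$(all_permissions_body)"
#   send_authz_request "$TOKEN" "$(resource_permission_body "$RESOURCE_ID" read)"
list_resource_names "$SAMPLE_RESPONSE"
```

Comparing the output of the two requests for one resource owned by another user is the quickest way to tell whether a resource is missing from the "all" list because it was never granted through a permission ticket, or because the policy itself does not grant it.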
