[keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

Lamina, Marco marco.lamina at sap.com
Wed Nov 14 15:55:48 EST 2018


Correct, in this particular case that might be true. However, in the future there will be a more complex scenario with different types of permissions and users involved. For now I am using the following workaround to implement my use case on the resource server:

  1.  Request a PAT token from Keycloak
  2.  List all resources of a certain type via {keycloak}/auth/realms/${realm_name}/authz/protection/resource_set?type={type}
  3.  Send a permissions request to the token endpoint with a permission={resource_id}#{my_scope} item for every resource ID from 2), using the user’s access token in the header
  4.  The resulting list contains all resources a user can access with a given scope

This gives me the correct result, but doesn’t scale well if I end up having a lot of resources.
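The four-step workaround above, as an added example that is not part of the original mail: it drives the endpoints named in steps 2 and 3 from Python, with the HTTP transport injected so that the constructed `fake_keycloak` stub can stand in for the server offline. The base URL, realm, client id, token strings and resource ids are placeholders, and step 1 (the PAT from a client_credentials grant) is assumed to have been done already.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def http_transport(method, url, headers, form=None):
    """Real transport -> (status, parsed JSON); a 403 access_denied arrives as HTTPError."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def accessible_resources(tx, base, realm, client_id, pat, user_token, rtype, scope):
    """Steps 2-4: list resources of one type with the PAT, then ask the token endpoint about each with the user's token."""
    token_url = f"{base}/auth/realms/{realm}/protocol/openid-connect/token"
    list_url = f"{base}/auth/realms/{realm}/authz/protection/resource_set?type={urllib.parse.quote(rtype)}"
    status, ids = tx("GET", list_url, {"Authorization": f"Bearer {pat}"}, None)
    if status != 200:
        raise RuntimeError(f"resource_set lookup failed: {status}")
    granted = []
    for rid in ids:
        form = {"grant_type": UMA_GRANT, "audience": client_id,
                "permission": f"{rid}#{scope}", "response_mode": "permissions"}
        status, body = tx("POST", token_url, {"Authorization": f"Bearer {user_token}"}, form)
        if status == 403:  # access_denied: the user simply lacks this permission, skip it
            continue
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status} for {rid}")
        # response_mode=permissions -> [{"rsid": ..., "rsname": ..., "scopes": [...]}]
        granted.extend(p["rsid"] for p in body if scope in p.get("scopes", []))
    return granted

# Constructed stand-in for Keycloak so the flow runs offline: the user may "view" doc-1 and doc-3 only.
GRANTS = {"doc-1": ["view", "edit"], "doc-3": ["view"]}

def fake_keycloak(method, url, headers, form=None):
    if method == "GET":
        return 200, ["doc-1", "doc-2", "doc-3"]
    rid, scope = form["permission"].split("#", 1)
    if scope in GRANTS.get(rid, []):
        return 200, [{"rsid": rid, "rsname": rid, "scopes": GRANTS[rid]}]
    return 403, {"error": "access_denied", "error_description": "not_authorized"}

def demo():
    return accessible_resources(fake_keycloak, "https://kc.example", "demo", "my-rs", "PAT", "USER", "document", "view")
```

Pass `http_transport` instead of `fake_keycloak` (with a real PAT and user access token) to run the same loop against a Keycloak server; the per-resource round trip is exactly the scaling cost the mail describes.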


From: Pedro Igor Silva <psilva at redhat.com>
Date: Wednesday, November 14, 2018 at 12:35 PM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

I see. As I mentioned before, the specific resource (owned by a different user) is not processed by the policy evaluation engine.

For this particular case, if the user is granted the typed resource you could just assume that she/he can fetch any resource from the database with the same logical type, right?

On Wed, Nov 14, 2018 at 4:44 PM Lamina, Marco <marco.lamina at sap.com> wrote:
The permission to my resources is not given using the UMA flow, but by policies and permissions that I defined manually.
For example, I have a resource-type-based permission that combines two policies with the “affirmative” strategy:

  1.  “User is resource owner” – JS-based policy
  2.  “User is admin” – role-based policy

My assumption was that this will grant full access to any resources of that type if a user is either its owner or is assigned the ‘admin’ role. Using the evaluation tool, I can verify that admins have permission to access any resource of that type with any scope. But still, these resources do not show up in the permissions list I receive from the token endpoint.

For context: I need this type of request to query my database for all objects that a given token has access to. Maybe I’m going about this the wrong way? Would love to hear your suggestions!


From: Pedro Igor Silva <psilva at redhat.com>
Date: Wednesday, November 14, 2018 at 4:04 AM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

When asking for *all* permissions a user has, the policy evaluation engine resolves the resources as follows:

1) Get all resources owned by the user
2) Get all resources owned by the resource server
3) Get all resources granted by another user to the user based on UMA and permission tickets.

NOTE: when doing an "all" request we don't fetch all resources managed by the server.

If you are not getting the resources owned by other users, it is probably because they were not granted based on permission tickets (UMA flow). I would suggest you get the id for one of these resources and send an authorization request using the resource id to see what you get.

Regards.
Pedro Igor

On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco <marco.lamina at sap.com> wrote:
Hi,
I am trying to use Keycloak’s token endpoint to obtain a list of all resources and the respective scopes that a user has permission to access. However, the behavior I am observing does not match what is described in the documentation (Link [1]). I am using the token endpoint as shown in Link [2].

Expected behavior:
Token endpoint returns a list of all resources and scopes that the token’s user has permission to access.

Observed behavior:
Token endpoint only returns resources that are owned by either the token’s user or the resource server itself. Resources owned by other users are not listed, even though the token’s user has permission to access them.

Is that a bug or expected behavior?

Links:

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
[2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545

Thanks,
Marco

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user