[keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

Pedro Igor Silva psilva at redhat.com
Wed Nov 14 16:40:23 EST 2018


I mentioned a possible solution in another thread which was about data
filtering. What if you push back claims from your policies, where these
claims represent conditions that should be added to your query? See
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016213.html.

Regards.
Pedro Igor

On Wed, Nov 14, 2018 at 6:56 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> Correct, in this particular case that might be true. However, in the
> future there will be a more complex scenario with different types of
> permissions and users involved. For now I am using the following workaround
> to implement my use case on the resource server:
>
>    1. Request a PAT token from Keycloak
>    2. List all resources of a certain type via
>    {keycloak}/auth/realms/${realm_name}/authz/protection/resource_set?type={type}
>    3. Send a permissions request to the token endpoint with a
>    permission={resource_id}#{my_scope} item for every resource ID from 2),
>    using the user’s access token in the header
>    4. The resulting list contains all resources a user can access with a
>    given scope
>
> From: Pedro Igor Silva <psilva at redhat.com>
> Date: Wednesday, November 14, 2018 at 12:35 PM
> To: "Lamina, Marco" <marco.lamina at sap.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Unspecified behavior of token endpoint
> when obtaining permissions
>
>
>
> I see. As I mentioned before, the specific resource (owned by a different
> user) is not processed by the policy evaluation engine.
>
>
>
> For this particular case, if the user is granted the typed resource,
> you could just assume that she/he can fetch any resource from the database
> with the same logical type, right?
>
> On Wed, Nov 14, 2018 at 4:44 PM Lamina, Marco <marco.lamina at sap.com>
> wrote:
>
> The permission to my resources is not given using the UMA flow, but by
> policies and permissions that I defined manually.
>
> For example, I have a resource-type-based permission that combines two
> policies with the “affirmative” strategy:
>
>    1. “User is resource owner” – JS-based policy
>    2. “User is admin” – role-based policy
>
>
>
> My assumption was that this will grant full access to any resources of
> that type if a user is either its owner or is assigned the ‘admin’ role.
> Using the evaluation tool, I can verify that admins have permission to
> access any resource of that type with any scope. But still, these resources
> do not show up in the permissions list I receive from the token endpoint.
>
>
>
> For context: I need this type of request to query my database for all
> objects that a given token has access to. Maybe I’m going about this the
> wrong way? Would love to hear your suggestions!
>
> From: Pedro Igor Silva <psilva at redhat.com>
> Date: Wednesday, November 14, 2018 at 4:04 AM
> To: "Lamina, Marco" <marco.lamina at sap.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Unspecified behavior of token endpoint
> when obtaining permissions
>
>
>
> When asking for *all* permissions a user has, the policy evaluation engine
> resolves the resources as follows:
>
>
>
> 1) Get all resources owned by the user
>
> 2) Get all resources owned by the resource server
>
> 3) Get all resources granted by another user to the user based on UMA and
> permission tickets.
>
>
>
> NOTE: when doing an "all" request we don't fetch all resources managed by
> the server.
>
>
>
> If you are not getting the resources owned by other users, it is probably
> because they were not granted based on permission tickets (UMA flow). I
> would suggest you get the id for one of these resources and send an
> authorization request using the resource id to see what you get.
>
>
>
> Regards.
>
> Pedro Igor
>
>
>
> On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco <marco.lamina at sap.com>
> wrote:
>
> Hi,
> I am trying to use Keycloak’s token endpoint to obtain a list of all
> resources and the respective scopes that a user has permission to access.
> However, the behavior I am observing does not match what is described in
> the documentation (Link [1]). I am using the token endpoint as shown in
> Link [2].
>
> Expected behavior:
> Token endpoint returns a list of all resources and scopes that the token’s
> user has permission to access.
>
> Observed behavior:
> Token endpoint only returns resources that are owned by either the token’s
> user or the resource server itself. Resources owned by other users are not
> listed, even though the token’s user has permission to access them.
>
> Is that a bug or expected behavior?
>
> Links:
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> [2]
> https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
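The three-step workaround Marco describes (PAT, then Protection API listing by type, then one UMA permission request with a permission=id#scope item per resource), together with the single-resource check Pedro suggests, as an added example in Python. This is not code from the thread, from Keycloak, or from either author. The endpoint paths and form parameters are the Keycloak ones named in the thread and its linked documentation (token endpoint with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, audience, response_mode=permissions and repeated permission= items; Protection API resource_set?type=); the host, realm, client, secret, user token and resource ids are placeholders, and demo_transport returns constructed responses so the script runs offline. Two points are this example's own assumptions, not something the thread states: a 403 from the token endpoint is treated as "nothing granted" and mapped to an empty list, and the requests are batched to bound request size. The claims field on each returned permission is where claims pushed from a policy, as Pedro suggests, would arrive; how a policy pushes them is not shown here.

```python
"""Added example: which resources of one type may a user token access with a scope?
Follows the thread's workaround: PAT -> resource_set?type= -> UMA permission request."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Set

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
FORM = "application/x-www-form-urlencoded"


def urllib_transport(url, fields, headers):
    """Real HTTP transport: POST when form fields are given, GET when fields is None.
    Returns (status, body) and surfaces HTTP errors the same way instead of raising."""
    data = urllib.parse.urlencode(fields).encode() if fields is not None else None
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


@dataclass
class Permission:
    """One entry of a response_mode=permissions reply from the token endpoint."""
    rsid: str
    rsname: str
    scopes: Set[str] = field(default_factory=set)
    claims: Dict[str, Set[str]] = field(default_factory=dict)  # claims pushed by policies


def parse_permissions(body: str) -> List[Permission]:
    """Parse the JSON list returned for response_mode=permissions."""
    return [Permission(p["rsid"], p.get("rsname", ""), set(p.get("scopes", [])),
                       {k: set(v) for k, v in (p.get("claims") or {}).items()})
            for p in json.loads(body)]


def token_url(base: str, realm: str) -> str:
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"


def get_pat(base, realm, client_id, client_secret, transport) -> str:
    """Step 1: protection API token (PAT) for the resource-server client."""
    status, body = transport(token_url(base, realm),
                             [("grant_type", "client_credentials"),
                              ("client_id", client_id), ("client_secret", client_secret)],
                             {"Content-Type": FORM})
    if status != 200:
        raise RuntimeError(f"PAT request failed: {status} {body}")
    return json.loads(body)["access_token"]


def list_resource_ids(base, realm, pat, resource_type, transport) -> List[str]:
    """Step 2: ids of every resource of `resource_type` known to the resource server."""
    url = (f"{base}/auth/realms/{realm}/authz/protection/resource_set?"
           + urllib.parse.urlencode({"type": resource_type}))
    status, body = transport(url, None, {"Authorization": "Bearer " + pat})
    if status != 200:
        raise RuntimeError(f"resource_set lookup failed: {status} {body}")
    return json.loads(body)


def request_permissions(base, realm, user_token, client_id, resource_ids, scope, transport):
    """Step 3: evaluate id#scope pairs for the user's token. With a single id this is
    the per-resource authorization request Pedro suggested for diagnosing a grant."""
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", client_id),
              ("response_mode", "permissions")]
    fields += [("permission", f"{rid}#{scope}") for rid in resource_ids]
    status, body = transport(token_url(base, realm), fields,
                             {"Authorization": "Bearer " + user_token, "Content-Type": FORM})
    if status == 403:  # assumption: access_denied means none of the pairs was granted
        return []
    if status != 200:
        raise RuntimeError(f"permission request failed: {status} {body}")
    return parse_permissions(body)


def accessible_resources(base, realm, client_id, client_secret, user_token, resource_type,
                         scope, transport=urllib_transport, batch_size=50) -> Dict[str, Permission]:
    """Steps 1-3 together; returns rsid -> Permission for each grant that carries `scope`.
    Batching is this example's choice to bound request size, not a Keycloak limit."""
    pat = get_pat(base, realm, client_id, client_secret, transport)
    ids = list_resource_ids(base, realm, pat, resource_type, transport)
    granted: Dict[str, Permission] = {}
    for start in range(0, len(ids), batch_size):
        for perm in request_permissions(base, realm, user_token, client_id,
                                        ids[start:start + batch_size], scope, transport):
            if scope in perm.scopes:
                granted[perm.rsid] = perm
    return granted


def demo_transport(url, fields, headers):
    """Constructed offline stand-in for the three calls (not real Keycloak output):
    four 'document' resources exist and the user may 'view' only r1 and r3."""
    if "/authz/protection/resource_set" in url:
        return 200, json.dumps(["r1", "r2", "r3", "r4"])
    if dict(fields).get("grant_type") == "client_credentials":
        return 200, json.dumps({"access_token": "pat-placeholder"})
    asked = [v.split("#", 1)[0] for k, v in fields if k == "permission"]
    grants = [{"rsid": r, "rsname": f"doc-{r}", "scopes": ["view"],
               "claims": {"owner": ["alice"]}} for r in asked if r in ("r1", "r3")]
    return (200, json.dumps(grants)) if grants else (403, json.dumps({"error": "access_denied"}))


if __name__ == "__main__":
    found = accessible_resources("https://kc.example", "demo", "my-resource-server", "secret",
                                 "user-access-token", "document", "view", transport=demo_transport)
    print(sorted(found))  # ['r1', 'r3']
```

Swap demo_transport for the default urllib_transport to run it against a real server. The scaling problem Marco raises is visible in the structure: step 2 fetches every resource of the type and step 3 sends every id back for evaluation, so the cost grows with the number of resources rather than with the number the user can actually access, which is why Pedro points to pushing query conditions as claims instead.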