[keycloak-user] Evaluation of RPT in admin console does not match Rest request result...

Pedro Igor Silva psilva at redhat.com
Fri Sep 6 10:44:36 EDT 2019


Hi Axel,

Sorry for the late reply. If the user is granted both roles, both
should be available in the token.

I think you should also have Role B in the evaluation result though. I'll
see if I can reproduce and understand why the RPT from the token endpoint
is different.

On Fri, Aug 30, 2019 at 9:31 AM Axel <axelmak at gmail.com> wrote:

> Hello.
> Keycloak 6.0.1 and 7
> Can anyone help me with understanding how the RPT is evaluated?
> Scenario:
> 2 Realm Roles - RoleA and RoleB
> 1 user with both realm roles
> 2 clients:
> clientA public (or confidential) with Scope=RoleA
> clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB
>
> When I go to clientB
> Authorization-Evaluate
> set Client = clientA
> set User  = user
> choose Any resource with scope(s) Any scope.
> and see:
> {
>   "jti": "7692f97f-3907-4e1b-a784-663c52f33bc7",
>   "exp": 1567062109,
>   "nbf": 0,
>   "iat": 1567061809,
>   "aud": "clientB",
>   "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
>   "typ": "Bearer",
>   "azp": "clientA",
>   "auth_time": 0,
>   "session_state": "ff2e581c-0663-4b8c-9332-629b02c02729",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "RoleA"
>     ]
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
>         "rsname": "Default Resource"
>       }
>     ]
>   },
>   "scope": "email profile",
>   "email_verified": false,
>   "preferred_username": "user"
> }
> here I see that I have only RoleA (that is correct - I'm going through
> clientA)
>
> But when I make requests:
> curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' \
>   -d 'grant_type=password' \
>   'http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token'
> grab access-token and
> curl -X POST \
>   http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \
>   -H "Authorization: Bearer access-token-from-first-curl" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=clientB"
>
> I get different jwt:
> {
>   "jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2",
>   "exp": 1567062641,
>   "nbf": 0,
>   "iat": 1567062341,
>   "iss": "http://localhost:8280/auth/realms/TestRPT",
>   "aud": "clientB",
>   "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
>   "typ": "Bearer",
>   "azp": "clientA",
>   "auth_time": 0,
>   "session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "RoleB",
>       "RoleA"
>     ]
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
>         "rsname": "Default Resource"
>       }
>     ]
>   },
>   "scope": "email profile",
>   "email_verified": false,
>   "preferred_username": "user"
> }
>
> Why is "RoleB" in the RPT? Do I understand the documentation wrong? Is the RPT
> request wrong?
>
> Our main target is: when user goes through clientA to clientB, clientB
> should receive only those roles that the user has in clientA. We have many
> applications-clients and we want to limit some of them. How can we achieve
> this?
>
> Thanks in advance.
> Alexey Makarevich.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


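The thread above compares two RPTs by hand. The following script is an added example, written for this page and not part of the thread or of Keycloak itself: it decodes the claims of an RPT and reports realm roles that exceed the requesting client's scope, plus `azp`/`aud` mismatches. The two payloads are the ones quoted in the thread, re-encoded as unsigned compact JWTs so the script runs offline; the function names, the `CLIENT_A_SCOPE` set (RoleA only, as the poster describes clientA's scope) and the `audit_rpt` signature are this example's own assumptions. Claims are decoded without signature verification, which is enough for inspection but not for an authorization decision.

```python
import base64
import json

# Payloads copied from the two tokens quoted in the thread (trimmed to the
# claims the audit looks at): admin-console evaluation vs. token endpoint.
CONSOLE_PAYLOAD = {
    "jti": "7692f97f-3907-4e1b-a784-663c52f33bc7",
    "aud": "clientB",
    "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
    "azp": "clientA",
    "realm_access": {"roles": ["RoleA"]},
}
ENDPOINT_PAYLOAD = {
    "jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2",
    "iss": "http://localhost:8280/auth/realms/TestRPT",
    "aud": "clientB",
    "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
    "azp": "clientA",
    "realm_access": {"roles": ["RoleB", "RoleA"]},
}

# Assumption for this example: clientA's scope grants only RoleA.
CLIENT_A_SCOPE = {"RoleA"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_unsigned_jwt(payload: dict) -> str:
    # Constructed for offline use only: alg "none" and an empty signature.
    # A real RPT is signed by Keycloak.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    # Reads the payload segment; does NOT verify the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(claims: dict) -> set:
    return set(claims.get("realm_access", {}).get("roles", []))


def audit_rpt(token: str, requesting_client: str, allowed_roles, target_client: str) -> list:
    """Return a list of findings; an empty list means the RPT is within scope."""
    claims = decode_claims(token)
    findings = []
    if claims.get("azp") != requesting_client:
        findings.append(f"azp is {claims.get('azp')!r}, expected {requesting_client!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be string or list
    if target_client not in audiences:
        findings.append(f"aud {audiences!r} does not include {target_client!r}")
    extra = realm_roles(claims) - set(allowed_roles)
    if extra:
        findings.append(f"realm roles beyond {requesting_client} scope: {sorted(extra)}")
    return findings


CONSOLE_RPT = encode_unsigned_jwt(CONSOLE_PAYLOAD)
ENDPOINT_RPT = encode_unsigned_jwt(ENDPOINT_PAYLOAD)

if __name__ == "__main__":
    for name, tok in (("console evaluation", CONSOLE_RPT), ("token endpoint", ENDPOINT_RPT)):
        print(name, "->", audit_rpt(tok, "clientA", CLIENT_A_SCOPE, "clientB") or "ok")
```

Run against the thread's two tokens, the console evaluation produces no findings while the token-endpoint RPT is flagged for carrying RoleB, which is exactly the discrepancy the poster reports. The same `audit_rpt` call can be applied to tokens fetched from a real token endpoint once their signature has been verified.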