<div dir="ltr">I'd like to rewrite it to be all REST to be nice and modern and cool :)</div><div class="gmail_extra"><br><div class="gmail_quote">On 4 May 2016 at 17:15, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>+1 to use the token. If relying on the
token is bad for security, then "external" applications would be
broken too, wouldn't they?<br>
<br>
But another issue is that account management doesn't have a token,
as there is no full OIDC there. It relies just on cookie
authentication. We can sort it easily by having a helper method
"isMemberOf", which will take all direct and indirect role
memberships into account. <br>
<br>
Or are we going to rewrite account management to be angular+REST?
It seems it would help with many more things (REST endpoints for
users, no CSRF issues, possibly better UI).<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
<br>
<br>
On 04/05/16 17:09, Stian Thorgersen wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<p dir="ltr">We really need to remove this stuff and just rely on
the token.</p>
<div class="gmail_quote">On 4 May 2016 17:06, "Marek Posolda" <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Yeah, the information is available. The problem is that it's
ignored <span><span> :-) </span></span><br>
<br>
Both the admin console and account management are just using
"user.hasRole" when asking if a user is a member of a particular
role. This returns false for the role mappings which are
available indirectly through groups.<br>
<br>
Marek<br>
<br>
On 04/05/16 16:50, Bill Burke wrote:<br>
</div>
<blockquote type="cite">
<p>This was by design. Since the information is available
to these built-in applications, it seemed that much
safer to ignore the token permissions.<br>
</p>
<br>
<div>On 5/4/2016 10:43 AM, Marek Posolda wrote:<br>
</div>
<blockquote type="cite">
<div>Just tested the scenario and I confirm there is an
issue. It would work for all your external
applications, as roles which are indirectly assigned
to the user through group mappings are correctly
available inside the accessToken. However, Keycloak built-in
applications (admin console and account management)
don't read roles from the token, hence it doesn't
work there. I've created JIRAs for:<br>
admin console: <a href="https://issues.jboss.org/browse/KEYCLOAK-2969" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2969</a><br>
account management: <a href="https://issues.jboss.org/browse/KEYCLOAK-2970" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2970</a><br>
<br>
Marek<br>
<br>
On 02/05/16 22:33, Jason Axley wrote:<br>
</div>
<blockquote type="cite">
<div>I have an LDAP user who is definitely listed as
being in a given LDAP group in Keycloak admin
console.</div>
<div><br>
</div>
<div>If I grant the User the admin Realm Role in the
master realm, they can login and access the admin
console for the master realm. </div>
<div><br>
</div>
<div>However, if I remove the direct role grant from
the user and add it to the LDAP group, Keycloak
doesn't think the user has the role and gives the
user the error “<span>You
don't have access to the requested resource.</span>”
with the below exception:</div>
<div><br>
</div>
<div>
<pre>2016-05-02 20:25:37,677 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/serverinfo: org.keycloak.services.ForbiddenException
    at org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:231)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)</pre>
</div>
<div><br>
</div>
<div>Is there something magical that needs to be
configured for this to work? Or does this look like
a bug?</div>
<div><br>
</div>
<div>I also did a quick test where I created a new
local group and did the same role assignment to the
group, and assigned the group to the same LDAP user
and it did not grant access.</div>
<div><br>
</div>
<div>
<div>
<div style="font-size:14px">
<div>-Jason</div>
</div>
<div style="font-size:14px"><br>
</div>
<div>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt;background-color:white"> <b><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(23,54,93)">Jason
Axley</span></b></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;background-color:white"><span style="font-family:Arial,sans-serif;color:rgb(227,108,10)"><font size="2">Sr. Security Engineer, Expedia
Worldwide Engineering Team</font></span></p>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt"><span style="font-size:8pt;color:rgb(31,73,125)"><a href="tel:425-679-4157" value="+14256794157" target="_blank">425-679-4157</a>
(o) | <a href="tel:206-484-2778" value="+12064842778" target="_blank">206-484-2778</a>
(m) | 206-55-AXLEY (gv)</span></p>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt"><span style="font-size:8pt;color:rgb(31,73,125)">333
108th Ave NE, 9S-282, Bellevue, WA 98004</span></p>
<p class="MsoNormal" style="font-size:11pt;margin:0in 0in 0.0001pt"><span style="font-size:8pt;color:rgb(31,73,125)"><a href="https://confluence/display/POS/EWE+Security" target="_blank">EWE Security Wiki</a></span></p>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
</blockquote>
<br>
<pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
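A stand-alone model of the gap the thread describes: a check on a user's direct role mappings (what the thread says <code>user.hasRole</code> does) versus the effective roles a token carries, which include roles mapped to the user's groups. This is an added example, not Keycloak code from the project or the thread; the data model, the helper names <code>has_direct_role</code> and <code>has_effective_role</code>, and the sample users, groups and roles are constructed assumptions. It also walks parent groups and expands composite roles, which goes beyond what the thread discusses.

```python
"""Constructed model of direct role mappings versus effective (token) roles.
Assumed names and data only: this is not Keycloak's own API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Role:
    name: str
    composites: Set[str] = field(default_factory=set)  # roles this role contains

@dataclass
class Group:
    name: str
    roles: Set[str] = field(default_factory=set)       # roles mapped to the group
    parent: Optional["Group"] = None                    # children inherit the parent's mappings

@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)       # direct role mappings only
    groups: List[Group] = field(default_factory=list)


def has_direct_role(user: User, role: str) -> bool:
    """The behaviour the thread reports: roles mapped via groups are ignored."""
    return role in user.roles


def effective_roles(user: User, roles: Dict[str, Role]) -> Set[str]:
    """Direct mappings plus every role mapped to a group the user is in (or to
    any ancestor of that group), then composite roles expanded transitively."""
    found: Set[str] = set(user.roles)
    for group in user.groups:
        g: Optional[Group] = group
        while g is not None:            # climb to the root group
            found |= g.roles
            g = g.parent
    pending = list(found)
    while pending:                      # expand composites until nothing new appears
        for child in roles.get(pending.pop(), Role("")).composites:
            if child not in found:
                found.add(child)
                pending.append(child)
    return found


def has_effective_role(user: User, role: str, roles: Dict[str, Role]) -> bool:
    """The isMemberOf-style helper the thread proposes: direct or indirect membership."""
    return role in effective_roles(user, roles)


# Constructed data mirroring the reported scenario: the 'admin' realm role is
# mapped to an LDAP-synced group instead of being granted to the user directly.
ROLES = {"admin": Role("admin", composites={"create-realm"}), "create-realm": Role("create-realm")}
LDAP_ADMINS = Group("ldap-admins", roles={"admin"})
EU_ADMINS = Group("ldap-admins-eu", parent=LDAP_ADMINS)   # inherits 'admin' from its parent
JASON = User("jason", groups=[LDAP_ADMINS])
NESTED = User("nested", groups=[EU_ADMINS])
DIRECT = User("direct", roles={"admin"})

if __name__ == "__main__":
    for u in (JASON, NESTED, DIRECT):
        print(u.username, has_direct_role(u, "admin"), has_effective_role(u, "admin", ROLES))
```

Only the directly granted user passes <code>has_direct_role</code>; all three pass <code>has_effective_role</code>, which is the set the access token would carry.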