Hello just to clarify the last question written by Francisco,
i'm also having problems when upgrading the RPT when the requested resource
is not authorized to the user.
This is my current setup:
Users:
Just one user: foouser
Resources:
- foo-resource
- bar-resource
Policies:
- foouser-policy: this policy grants access for only foouser.
Permissions:
- fooresource-foouser-permission: this permission associates the
resource "foo-resource" with the policy "foouser-policy"
I obtained the following valid RPT
{
"jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
"exp": 1531411894,
"nbf": 0,
"iat": 1531375932,
"iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
"aud": "demo-upgrade-rpt",
"sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
"typ": "Bearer",
"azp": "auth-demo-webapp",
"auth_time": 0,
"session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
"acr": "1",
"allowed-origins": [],
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"authorization": {
"permissions": [
{
"rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
"rsname": "foouser-resource"
}
]
},
"scope": "profile email",
"email_verified": false,
"groups": [],
"preferred_username": "foouser"
}
And I tried to upgrade it using a ticket for an unauthorized resource
(bar-resource)
{
"resources": [
{
"id": "c73c3133-b987-4d1f-8195-544735d75433",
"scopes": []
}
],
"jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
"exp": 1531411717,
"nbf": 0,
"iat": 1531375717,
"aud": "demo-upgrade-rpt",
"sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
"azp": "demo-upgrade-rpt"
}
Keycloak returns a 200 OK response including "upgraded": true in the body.
I was expecting a 403 forbidden response, it seems Keycloak just assess the
RPT's permissions, ignoring the ticket ones. Is this correct?