I think so :)
That behavior would be awesome.
PS: I believe I'm failing so hard with the mail list, sorry about that.
2018-07-12 15:29 GMT+02:00 Pedro Igor Silva <psilva(a)redhat.com>:
I've replied to the original thread. Does it work for you?
On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <jose.colomer.martorell(a)tecsisa.com> wrote:
> Hello, just to clarify the last question written by Francisco,
>
> I'm also having problems when upgrading the RPT when the requested
> resource is not authorized to the user.
>
>
> This is my current setup:
>
> Users:
>
> Just one user: foouser
>
> Resources:
>
> - foo-resource
> - bar-resource
>
> Policies:
>
> - foouser-policy: this policy grants access for only foouser.
>
>
> Permissions:
>
> - fooresource-foouser-permission: this permission associates the
> resource "foo-resource" with the policy "foouser-policy"
>
>
> I obtained the following valid RPT:
>
> {
>   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
>   "exp": 1531411894,
>   "nbf": 0,
>   "iat": 1531375932,
>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>   "aud": "demo-upgrade-rpt",
>   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
>   "typ": "Bearer",
>   "azp": "auth-demo-webapp",
>   "auth_time": 0,
>   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
>   "acr": "1",
>   "allowed-origins": [],
>   "realm_access": {
>     "roles": [
>       "offline_access",
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "account": {
>       "roles": [
>         "manage-account",
>         "view-profile"
>       ]
>     }
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
>         "rsname": "foouser-resource"
>       }
>     ]
>   },
>   "scope": "profile email",
>   "email_verified": false,
>   "groups": [],
>   "preferred_username": "foouser"
> }
>
> And I tried to upgrade it using a ticket for an unauthorized resource
> (bar-resource):
>
> {
>   "resources": [
>     {
>       "id": "c73c3133-b987-4d1f-8195-544735d75433",
>       "scopes": []
>     }
>   ],
>   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
>   "exp": 1531411717,
>   "nbf": 0,
>   "iat": 1531375717,
>   "aud": "demo-upgrade-rpt",
>   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
>   "azp": "demo-upgrade-rpt"
> }
>
>
> Keycloak returns a 200 OK response including "upgraded": true in the
> body. I was expecting a 403 Forbidden response; it seems Keycloak just
> assesses the RPT's permissions, ignoring the ticket ones. Is this correct?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user