I see. Just to make sure we are aligned. The changes I'm proposing are more
aligned with spec and provide:
* Only mark RPT as upgraded if ALL permissions granted by a previous RPT
were granted
* DENY authorization requests in case you are sending a previous issued RPT
and ANY additional permissions in a ticket are DENIED.
* Still keep current behavior where the server may grant additional
permissions even though you requested only a sub set of them. E.g.: You ask
for source "foo" + scope "a" and the server may grant resource
"foo" +
scope "a" and "b".
On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera <
francisco.bermejo.herrera(a)tecsisa.com> wrote:
If Keycloak behavior is changed according to your proposal described
in
your previous message, then there shouldn't be any problem with authz
requests in our model.
It is true that the scopes described in our example are a bit misleading.
Think about something like READ and READ-PREMIUM instead, used at a GET
endpoint, and the Resource Server just checks whether one of these scopes
is contained in the RPT, returning a ticket with READ and READ-PREMIUM when
none of them has been provided. When the Client requests the new RPT by
using the ticket, Keycloak would return a RPT including either READ or
READ-PREMIUM, or 403 Forbidden.
As I said before, this is perfectly aligned with the new Keycloak behavior.
On jue, jul 12, 2018 at 7:35 , Pedro Igor Silva <psilva(a)redhat.com> wrote:
On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <
francisco.bermejo.herrera(a)tecsisa.com> wrote:
> Hello, we are testing Keycloak 4.1.0.Final for authentication and
> authorization (UMA 2.0 flow).
>
> Some assumptions:
>
> - The Resource Server owns the resource Foo, and protects it by using
> two scope-based permissions, one requiring READ scope, and the other
> one
> requiring WRITE scope.
> - User Alice has been granted READ scope for resource Foo.
> - We are not using Policy Enforcers. Enforcement will be implemented at
> the Resource Server.
>
> We are modeling the following flow:
>
> 1. The Requesting Party (Alice) requests access to resource Foo in the
> Resource Server. This request DOES NOT provide an RPT.
> 2. The Resource Server detects the absence of RPT, so it requests a
> Permission Ticket to Keycloak, for the Foo resource and both READ and
> WRITE
> scopes (providing a valid PAT).
> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
> 4. The Resource Server returns the Permission Ticket (including
> Keycloak
> token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid
> -connect/token)
> at WWW-Authorization header) with status code 401 to the Requesting
> Party.
> 5. The Requesting Party sends the Permission Ticket (for the Foo
> resource and both READ and WRITE scopes) to Keycloak, in order to get a
> valid RPT.
>
> Here is where things start to get confusing. We expected that Keycloak
> would reject the authorization request due to failed permission evaluation
> (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope).
> Nevertheless, Keycloak returns a valid RPT, granting permission for
> resource Foo (just for READ scope).
>
> We are aware that this behavior is UMA 2.0 compliant
> <
https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-21.
> html#rfc.section.3.6.4>
> :
>
> > If the value is non-null and CandidateGrantedScopes < RequestedScopes,
> the
> > authorization server MUST subsequently issue either an RPT containing
> > CandidateGrantedScopes (upgrading as appropriate; see below), or one of
> the
> > error codes. The reason for the two options is that granting only
> partial
> > scopes may not be useful for the client's and requesting party's
> purposes
> > in seeking authorization for access.
>
>
> But as the RFC explicitly points out, this behavior may not be useful for
> the client. We think that the RFC is right, because this renders the
> client
> unable to tell whether the authorization has been partially or completely
> fulfilled. And consequently the Resource Server will request again a
> Permission Ticket for the Foo resource and both READ and WRITE scopes, so
> the whole flow will be repeated over and over again. If this is Keycloak
> expected behavior, how can we avoid the infinite loops?
>
For this particular case, each scope is associated with a specific HTTP
method ? Can't you obtain tickets accordingly including only the scopes you
need ?
As you noticed, by default, Keycloak issues a RPT for any resource/scope
you sent along with an authorization request. Resource servers (or clients
sending authz requests directly without ticket) should be able to ask only
for specific resources/scopes.
>
> Another question is, when providing a valid RPT along with a Permission
> Ticket, why Keycloak deems an RPT as upgraded = true even when the
> requested resource has not been authorized? It returns the same RPT with
> just jti, exp and iat updated. Since we think that the Authorization
> Server
> must be the one stopping the UMA flow, should not Keycloak return a 403
> Forbidden instead? Is this behavior configurable in any way?
>
> Thank you in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>