Hi,
me again on the same topic.
I’ve created a test realm called “test-realm” with a test client called “MyClient” and
turned that one into a resource server via HMI and allowed remote resource creation.
I tried to keep it simple for the test and created a ClientRepresentation instance with
one resource and one policy.
When I try to update the client using the Admin Client API
"/admin/realms/{realm}/clients/{id}"
In particular: /admin/realms/test-realm/clients/9d274eb7-e01e-4e6d-b9e9-eb384fa30170
The client object is transformed into the following JSON and sent to the Keycloak server
{
  "name" : "MyClient",
  "authorizationServicesEnabled" : true,
  "authorizationSettings" : {
    "allowRemoteResourceManagement" : true,
    "policyEnforcementMode" : "ENFORCING",
    "resources" : [ {
      "name" : "ResourceName1",
      "policies" : [ {
        "id" : "PolicyId1",
        "name" : "PolicyName1",
        "logic" : "POSITIVE",
        "decisionStrategy" : "AFFIRMATIVE",
        "config" : { }
      } ],
      "_id" : "ResourceID1"
    } ],
    "policies" : [ {
      "id" : "PolicyId1",
      "name" : "PolicyName1",
      "logic" : "POSITIVE",
      "decisionStrategy" : "AFFIRMATIVE",
      "config" : { }
    } ],
    "scopes" : [ ]
  }
}
I receive a "400 Bad Request" response on the client side and on the server the
following exception is thrown (detailed stack trace below):
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field
"authorizationSettings"
I also tried remote debugging and indeed, this property of Client Representation is not in
the known properties list when Jackson tries to deserialize the JSON.
Am I using the correct API for providing the policy/resource information?
How can I make Jackson aware of the field “authorizationSettings”?
Any other suggestions for managing the resources remotely?
Kind regards,
Christian
2016-10-19 10:13:12,258 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-38)
RESTEASY002005: Failed executing PUT
/admin/realms/test-realm/clients/9d274eb7-e01e-4e6d-b9e9-eb384fa30170:
org.jboss.resteasy.spi.ReaderException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field
"authorizationSettings" (class
org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (36 known
properties: "enabled", "clientAuthenticatorType",
"redirectUris", "useTemplateConfig", "clientId",
"serviceAccountsEnabled", "authorizationServicesEnabled",
"name", "implicitFlowEnabled", "registeredNodes",
"nodeReRegistrationTimeout", "publicClient", "attributes",
"protocol", "webOrigins", "consentRequired",
"protocolMappers", "id", "baseUrl",
"surrogateAuthRequired", "adminUrl", "fullScopeAllowed",
"frontchannelLogout", "clientTemplate", "directGrantsOnly",
"rootUrl", "bearerOnly", "secret",
"useTemplateMappers", "notBefore", "useTemplateScope",
"standardFlowEnabled", "description", "defaultRoles",
"registrationAccessToken", "directAccessGrantsEnabled"])
at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1f8c2096; line: 1, column:
84] (through reference chain:
org.keycloak.representations.idm.ClientRepresentation["authorizationSettings"])
at
org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
at
org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized
field "authorizationSettings" (class
org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (36 known
properties: "enabled", "clientAuthenticatorType",
"redirectUris", "useTemplateConfig", "clientId",
"serviceAccountsEnabled", "authorizationServicesEnabled",
"name", "implicitFlowEnabled", "registeredNodes",
"nodeReRegistrationTimeout", "publicClient", "attributes",
"protocol", "webOrigins", "consentRequired",
"protocolMappers", "id", "baseUrl",
"surrogateAuthRequired", "adminUrl", "fullScopeAllowed",
"frontchannelLogout", "clientTemplate", "directGrantsOnly",
"rootUrl", "bearerOnly", "secret",
"useTemplateMappers", "notBefore", "useTemplateScope",
"standardFlowEnabled", "description", "defaultRoles",
"registrationAccessToken", "directAccessGrantsEnabled"])
at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1f8c2096; line: 1, column:
84] (through reference chain:
org.keycloak.representations.idm.ClientRepresentation["authorizationSettings"])
at
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:51)
at
com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty(DeserializationContext.java:817)
at
com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:958)
at
com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1324)
at
com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1302)
at
com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:249)
at
com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136)
at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410)
at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860)
at
org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61)
at
org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
at
org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
at
org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
at
org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
... 50 more
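An added example, not part of the original message and not Keycloak code: it parses the UnrecognizedPropertyException text logged above and reports which top-level keys of a request body the server-side ClientRepresentation has no property for. The function names are hypothetical, and the payload is the one from the message with its nested settings shortened.

```python
import json
import re

# Exception text copied from the server log in the message above, re-joined
# onto logical lines (the mail client had wrapped it).
EXCEPTION = (
    'com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: '
    'Unrecognized field "authorizationSettings" (class '
    'org.keycloak.representations.idm.ClientRepresentation), not marked as '
    'ignorable (36 known properties: "enabled", "clientAuthenticatorType", '
    '"redirectUris", "useTemplateConfig", "clientId", "serviceAccountsEnabled", '
    '"authorizationServicesEnabled", "name", "implicitFlowEnabled", '
    '"registeredNodes", "nodeReRegistrationTimeout", "publicClient", '
    '"attributes", "protocol", "webOrigins", "consentRequired", '
    '"protocolMappers", "id", "baseUrl", "surrogateAuthRequired", "adminUrl", '
    '"fullScopeAllowed", "frontchannelLogout", "clientTemplate", '
    '"directGrantsOnly", "rootUrl", "bearerOnly", "secret", '
    '"useTemplateMappers", "notBefore", "useTemplateScope", '
    '"standardFlowEnabled", "description", "defaultRoles", '
    '"registrationAccessToken", "directAccessGrantsEnabled"])'
)

# Request body from the message, with the nested settings shortened.
PAYLOAD = json.loads("""{
  "name": "MyClient",
  "authorizationServicesEnabled": true,
  "authorizationSettings": {"allowRemoteResourceManagement": true,
                            "policyEnforcementMode": "ENFORCING"}
}""")

def parse_unrecognized(message):
    """Return (rejected field, target class, known properties) from the message."""
    head = re.search(r'Unrecognized field\s+"([^"]+)"\s+\(class\s+([\w.$]+)\)', message)
    tail = re.search(r'\((\d+) known properties:\s*(.*?)\]\)', message, re.S)
    if not (head and tail):
        raise ValueError("not an UnrecognizedPropertyException message")
    known = re.findall(r'"([^"]+)"', tail.group(2))
    if len(known) != int(tail.group(1)):  # log line was cut off or mangled
        raise ValueError("known-property list is incomplete")
    return head.group(1), head.group(2), set(known)

def rejected_keys(payload, known):
    """Top-level payload keys the server-side class has no property for."""
    return sorted(key for key in payload if key not in known)

if __name__ == "__main__":
    field, cls, known = parse_unrecognized(EXCEPTION)
    print(field, cls, rejected_keys(PAYLOAD, known))
```

Running the same check against a payload before the PUT shows every key the server would reject, not only the first one Jackson stops at.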
-----Original Message-----
From: FREIMUELLER Christian
Sent: 19 October 2016 08:27
To: 'Pedro Igor Craveiro e Silva'
Cc: keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to
policy/permission via API
Thanks, Pedro for the information - that helped me a lot.
I will try to achieve this with the Admin Client API - I think you are referring to the
clients CRUD API, aren't you?
When is the improvement on the client API and REST API planned? -> the mentioned ticket
below is currently without a proposed fix version...
Kind regards,
Christian
-----Original Message-----
From: Pedro Igor Craveiro e Silva [mailto:psilva@redhat.com]
Sent: 18 October 2016 16:34
To: FREIMUELLER Christian; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to
policy/permission via API
Hi Christian.
Currently we don't support that, but we have KEYCLOAK-3135 [1] which I
think is related to what you are looking for.
Actually, you can already do that via Keycloak Admin Client API, but we
would like to come up with a better Client API and REST API for that.
Our roadmap includes not only URI protection, but also other use cases
supported by UMA.
[1] https://issues.jboss.org/browse/KEYCLOAK-3135
On Tue, 2016-10-18 at 14:11 +0000, FREIMUELLER Christian wrote:
Dear all,
I've a question regarding the authZ client.
Is there a way to connect the resources created with the client with
policies/permissions via the API, or is there only the HMI (Admin
Console) to make this connection?
The thing is we would like to use Keycloak for defining the access
rights on thousands of resources (objects like database entries,
files) and it would be very cumbersome to do this by hand for each
single resource.
Or is this authorization service meant to be used in another way
(protecting URI for applications) only?
Best regards,
Christian
--
Pedro Igor