Re: [keycloak-user] API Authorization: on request or response?

Try this: curl -X POST \ -H "Content-Type: application/x-www-form-urlencoded" \ -d 'grant_type=client_credentials&client_id=myclient&client_secret= myclientsecret' "http://localhost:8080/auth/realms/${realm_name}/protocol/ openid-connect/token" Without BASIC but credentials as form parameters. On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont < corentin.dupont(a)gmail.com&gt; wrote: > Thanks, actually I saw it but I didn't understand where this bit came > from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA== > > On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; > wrote: > >> The problem here is that you got an access token (that you are using as >> a bearer to access Protection API) using resource owner password grant type >> (direct grant). That means the subject of the token is an user (username) >> and not the resource server itself. >> >> Only resource servers (your client application) are allowed to access >> the Protection API (and managed resources). >> >> The access token you got is valid to query for permissions though. As >> you want to obtain a set of permission an user has. Where the token >> represents user identity. >> >> You should fix that error by obtaining a access token for your client. >> Something like that (from docs): >> >> curl -X POST \ >> -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \ >> -H "Content-Type: application/x-www-form-urlencoded" \ >> -d 'grant_type=client_credentials' \ >> "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" >> >> >> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont < >> corentin.dupont(a)gmail.com&gt; wrote: >> >>> Thanks for the documentation, after reading it I found that I can use >>> "entitlement" endpoints for my use case. >>> So I do: >>> >>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >>> -d 'username=username&password=password&grant_type=password&cli >>> ent_id=myclient&client_secret=myclientsecret' " >>> http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token&q... >>> | jq .access_token -r` >>> >>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>> Bearer $TOKEN" -d '{ >>> "permissions" : [ >>> { >>> "resource_set_name" : "Houses", >>> "scopes" : [ >>> "view" >>> ] >>> } >>> ] >>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement >>> /myclient" >>> >>> Is this correct? It seems to be working. >>> I am not sure how can I get/create resources via the API. >>> I tried: >>> >>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/ >>> resource_set" -H "Authorization: Bearer $TOKEN" >>> But I get: >>> {"error":"invalid_clientId","error_description":"Client application >>> with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm >>> [myrealm]"} >>> >>> >>> >>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont < >>> corentin.dupont(a)gmail.com&gt; wrote: >>> >>>> Hi again, >>>> I looked everywhere but I couldn't find an Evaluation API for >>>> javascript... >>>> In my nodeJS server, should I call UMA API endpoints? >>>> >>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> It seems you are looking for fine-grained permissions. Could you take >>>>> a look at this example [1] and documentation [2] ? >>>>> >>>>> One of the things shown by that example is how to protect resources >>>>> based on its owner. >>>>> >>>>> [1] https://github.com/keycloak/keycloak/tree/master/example >>>>> s/authz/photoz >>>>> [2] http://www.keycloak.org/docs/latest/authorization_servic >>>>> es/index.html >>>>> >>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < >>>>> corentin.dupont(a)gmail.com&gt; wrote: >>>>> >>>>>> Hi guys, >>>>>> another small question :) >>>>>> >>>>>> Suppose you have an API looking like this: >>>>>> http://www.example.com/api/v1/cars >>>>>> >>>>>> Cars have an owner: >>>>>> { >>>>>> name: "my car" >>>>>> owner: "smith" >>>>>> } >>>>>> >>>>>> How to make sure that you can only get cars that are yours (you can >>>>>> have >>>>>> several cars)? >>>>>> If you make a simple GET on this endpoint, should I: >>>>>> 1. just reply with a "Access denied" because the request is too >>>>>> large: it >>>>>> could yield cars that are not yours, >>>>>> 2. reply with "Access denied" if the response list contains some >>>>>> cars that >>>>>> are not yours, >>>>>> 3. filter the response car list with only yours? >>>>>> >>>>>> It seems that 1. is the simplest because it uses only the request to >>>>>> make >>>>>> decisions. >>>>>> 2. uses the response to make decision, while 3. requires the >>>>>> collaboration >>>>>> of the response handler in my API server, in order to implement the >>>>>> filtering. >>>>>> What is the most standard way? >>>>>> >>>>>> I have also some trouble understanding how to implement that with >>>>>> Keycloak >>>>>> protect in NodeJS. >>>>>> Cheers!! >>>>>> Corentin >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> >