On Thu, 16 Aug 2018 at 15:46, Pedro Igor Silva <psilva(a)redhat.com> wrote:
This seems to be a bug. I also tried here and I could reproduce the issue
(after removing default client scopes email and profile from client). Would
you mind creating a JIRA, please?
Regards.
On Wed, Aug 15, 2018 at 7:33 PM, Dmitry Pichugin <pdomsk(a)gmail.com> wrote:
> We do support. Could you elaborate more what you are trying to achieve ?
>
>
> Pedro, thank you for the answer! You are right.
>
> We tried to apply UMA for the simple OAuth scenario "Client Credentials flow"
> and it was a mistake. We only need to get an access token, which contains
> scopes. Yes, it works in KeyCloak.
>
> But we have another problem: when we tried to request an access token
> with scopes which do not exist or are not assigned to the client,
> as a result we received the access token with fill "scope" parameters.
>
> Request:
>
> curl -X "POST" \
>   -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" \
>   http://keycloak_server:8080/auth/realms/master/protocol/openid-connect/token
> <http://10.44.32.19:8080/auth/realms/master/protocol/openid-connect/token>
>
> Response:
>
> {
> "access_token": "eyJhbG[...]1LQ",
> "token_type": "Bearer",
> "expires_in": 3600,
> *"scope": ""*
> }
>
> But, according to RFC 6749, The OAuth 2.0 Authorization Framework
> <https://tools.ietf.org/html/rfc6749>, we must get the error "invalid_scope".
>
> 4.1.4 <https://tools.ietf.org/html/rfc6749#section-4.1.4>. Access Token Response
>
> If the access token request is valid and authorized, the
> authorization server issues an access token and optional refresh
> token as described in Section 5.1 <https://tools.ietf.org/html/rfc6749#section-5.1>.
> If the request client authentication failed or is invalid, the
> authorization server returns an error response as described in
> Section 5.2 <https://tools.ietf.org/html/rfc6749#section-5.2>.
>
>
> and point
>
>
> 5.2 <https://tools.ietf.org/html/rfc6749#section-5.2>. Error Response
>
> *.....*
>
> invalid_scope
> The requested scope is invalid, unknown, malformed, or
> exceeds the scope granted by the resource owner.
>
>
>
> We tried to find something in the client settings for fixing the problem, but
> found nothing. Could you reply: is it a KeyCloak error, or can't we find some
> special "setting" in the interface?
>
>
> Best regards. Dmitry Pichugin.
>
>
> On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin <pdomsk(a)gmail.com>
>> wrote:
>>
>>> Good day!
>>>
>>> We are using Keycloak in our project, have installed version 4.2.1.
>>>
>>> Our task:
>>>
>>> - integration with API gateway and use KeyCloak for resources protect.
>>>
>>> We would like to use "Client Credentials Flow" from the OAuth specs. But in
>>> version 4, KeyCloak does not support OAuth and it is recommended to apply
>>> UMA 2.0.
>>>
>>
>> I'm not sure what you mean here. Where did you find this recommendation ?
>>
>>
>>>
>>> Yes, the differences between UMA and OAuth are not huge, such as the request and
>>> response (JWT token) formats; UMA has specific logic with the RPT token etc.,
>>> and UMA gives some advantages (we do not have the plan to use it).
>>>
>>
>> UMA is a standard mainly targeted for privacy (although there are other
>> benefits in using it even if not for privacy). If you don't need users
>> managing their own resources, sharing, etc., yeah, you probably don't need
>> it. However, keep in mind that UMA support is one of the capabilities we
>> support in Keycloak Authorization Services; you can still use Keycloak to
>> enforce access to your protected resources using permissions
>> managed/granted by the server.
>>
>>
>>>
>>> We tried to make a request per the OAuth specs but got the error.
>>>
>>> Why does KeyCloak not support OAuth and UMA 2.0 at the same time? Do you have
>>> some specific reasons for this?
>>>
>>
>> We do support. Could you elaborate more what you are trying to achieve ?
>>
>>
>>>
>>> Thank you!
>>>
>>> Best regards. Dmitry Pichugin.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
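The behaviour Dmitry reports above (a 200 response with an empty "scope" for a scope that does not exist or is not assigned to the client) is what RFC 6749 section 5.2 says should be an invalid_scope error. The following is an added example written for this thread, not code from Keycloak or from either poster: a minimal client_credentials token endpoint that performs the scope check the RFC describes, beside a client-side guard that refuses to treat a token as carrying scopes the server did not explicitly grant. The client registry (CLIENTS), the client "testclient" with secret "secret", and the scopes "profile" and "email" are constructed values; the opaque access token is a random placeholder, not a JWT.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed client registry (hypothetical values, not Keycloak's data model).
# Each client has a secret and the set of client scopes assigned to it.
CLIENTS = {
    "testclient": {
        "secret": "secret",
        "allowed_scopes": {"profile", "email"},
    },
}


def parse_scope(scope_param):
    """RFC 6749 section 3.3: scope is a space-delimited list of case-sensitive strings."""
    return scope_param.split() if scope_param else []


def unknown_or_unassigned(client, requested):
    """Return the requested scopes that are unknown or not assigned to this client."""
    return [s for s in requested if s not in client["allowed_scopes"]]


def token_endpoint(form_body):
    """Minimal client_credentials token endpoint. Returns (http_status, json_body).

    Unlike the response quoted in the thread, a request naming an unknown or
    unassigned scope is rejected with invalid_scope (RFC 6749 section 5.2)
    instead of succeeding with "scope": "".
    """
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}

    client = CLIENTS.get(params.get("client_id", ""))
    presented = params.get("client_secret", "").encode()
    if client is None or not hmac.compare_digest(client["secret"].encode(), presented):
        return 401, {"error": "invalid_client"}

    requested = parse_scope(params.get("scope", ""))
    bad = unknown_or_unassigned(client, requested)
    if bad:
        return 400, {
            "error": "invalid_scope",
            "error_description": "unknown or unassigned scope: " + " ".join(bad),
        }

    # RFC 6749 section 3.3: with no scope requested, fall back to the client's defaults.
    granted = requested if requested else sorted(client["allowed_scopes"])
    return 200, {
        "access_token": secrets.token_urlsafe(32),  # opaque constructed token
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(granted),
    }


def response_grants_requested_scope(requested_scope, token_response):
    """Client-side guard for the case seen in the thread.

    RFC 6749 section 5.1 lets the server narrow the granted scope, but it must say
    so in "scope". A 200 response whose "scope" is empty or narrower than what was
    requested therefore must not be trusted to carry the requested scopes.
    """
    requested = set(parse_scope(requested_scope))
    granted = set(parse_scope(token_response.get("scope", "")))
    return requested <= granted


if __name__ == "__main__":
    body = ("client_id=testclient&client_secret=secret"
            "&grant_type=client_credentials&scope=unexisted_scope")
    print(token_endpoint(body))  # invalid_scope, not an empty-scope token
    # The response quoted in the thread, as the client should judge it:
    print(response_grants_requested_scope("unexisted_scope", {"scope": ""}))
```

The server-side check is the one a conforming token endpoint performs before issuing anything; the client-side guard is the cheap mitigation available while an authorization server still answers with an empty scope, since comparing the granted "scope" against the requested one is all a caller needs to notice that nothing was actually granted.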