On Tue, Jul 10, 2018 at 10:31 AM, Corentin Dupont <corentin.dupont(a)gmail.com
wrote:
Hi guys,
I noticed a couple of strange things when retrieving all the permissions.
I tried:
$ curl -X POST \
    http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
"authorization": {
  "permissions": [
    ...
But it seems that this command returns only the permissions for the
resources belonging to the client, excluding resources belonging to other
users?
When obtaining all entitlements for a user, only resources owned by the
resource server, by the user and shares (via ticket or via account service)
are processed.
To get an assessment of all resources, I tried adding a scope:
$ curl -X POST \
    http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
"authorization": {
  "permissions": [
    {
      "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
      "rsname": "foo"
This instead returns a list of resources belonging to all users.
But the list seems to be wrong: it returns sensors to which I *don't* have
access!
If I try the request on the specific resource, it returns (rightfully)
access_denied:
I tried to do a simple test based on a previous realm configuration you
sent. Could not reproduce the problem.
$ curl -X POST \
    http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
{"error":"access_denied","error_description":"not_authorized"}
Another strange thing, if I try with a non-existent resource ID, there is
no error message and it returns a list of permissions:
$ curl -X POST \
    http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
"authorization": {
  "permissions": [
    {
      "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
      "rsname": "foo"
    ...
I think you reported this already. Here is the PR
https://github.com/keycloak/keycloak/pull/5357.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
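Two practical points behind the commands in this thread, illustrated with an added example that is not part of the original message or of Keycloak itself. First, `cut -d "." -f2 | base64 -d` is fed a JWT segment, and JWT segments are base64url without `=` padding, so `base64 -d` can report invalid input on tokens whose payload length is not a multiple of four; the decoder below restores the padding. Second, an RPT listing a resource under `authorization.permissions` is only meaningful after the resource server (`api-server` here) has verified the token signature and then checks the specific `rsid` and scope it is about to authorize, which is what the final request in the thread (`permission=<rsid>#sensors:view`) does on the Keycloak side. The sample RPT, its resource ids other than the one quoted in the thread, and the rule that an entry with no `scopes` list grants the whole resource are assumptions made for this example; signature verification is deliberately left out and must be done before any of this is trusted.

```python
import base64
import json

# Constructed, unsigned sample RPT for offline illustration only (alg "none",
# empty signature). A real resource server must verify the signature with the
# realm key before reading any claim; this example only shows claim handling.
_HEADER = {"alg": "none", "typ": "JWT"}
_PAYLOAD = {
    "aud": "api-server",
    "authorization": {
        "permissions": [
            # rsid taken from the thread; the scopes list is assumed
            {"rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
             "rsname": "foo", "scopes": ["sensors:view"]},
            # assumed second resource with no scopes list at all
            {"rsid": "11111111-2222-3333-4444-555555555555",
             "rsname": "bar"},
        ]
    },
}


def b64url_encode(data: bytes) -> str:
    # JWT segments drop the '=' padding; this is exactly what makes a plain
    # `base64 -d` on the cut segment unhappy.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding before decoding (length must be a multiple of 4).
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


SAMPLE_RPT = ".".join([
    b64url_encode(json.dumps(_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(_PAYLOAD, separators=(",", ":")).encode()),
    "",  # empty signature segment in this constructed sample
])


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload (second segment) as a dict. No verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    return json.loads(b64url_decode(parts[1]))


def granted_permissions(payload: dict) -> list:
    """The authorization.permissions claim of an RPT, or [] if absent."""
    return payload.get("authorization", {}).get("permissions", [])


def has_permission(payload: dict, rsid: str, scope: str) -> bool:
    """Check one (resource id, scope) pair against the RPT's permissions.

    Assumption for this example: an entry without a 'scopes' list grants the
    resource as a whole. An rsid that never appears (e.g. the 'not-exist'
    case in the thread) is always denied, whatever else the token lists.
    """
    for perm in granted_permissions(payload):
        if perm.get("rsid") != rsid:
            continue
        scopes = perm.get("scopes")
        if not scopes or scope in scopes:
            return True
    return False


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_RPT)
    print(json.dumps(claims["authorization"], indent=2))
    print(has_permission(claims, "9e24320d-ef89-440b-b6d5-d7b5a4896f60", "sensors:view"))
```

The shell equivalent of `b64url_decode` is to translate `-_` to `+/` and append `=` until the segment length is a multiple of four before piping into `base64 -d`; either way, decoding the payload tells you what Keycloak issued, not whether the signature is valid, so `api-server` should treat the claim as authoritative only after verification.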