Re: [keycloak-user] Questions about Keycloak UMA 2.0 implementation

Thursday, 12 July 2018

I've replied to the original thread. Does it work for you ?

On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <
jose.colomer.martorell(a)tecsisa.com&gt; wrote:

...
 Hello just to clarify the last question written by Francisco,

 i'm also having problems when upgrading the RPT when the requested resource
 is not authorized to the user.

 This is my current setup:

 Users:

 Just one user: foouser

 Resources:

    - foo-resource
    - bar-resource

 Policies:

    - foouser-policy: this policy grants access for only foouser.

 Permissions:

    - fooresource-foouser-permission: this permission associates the
    resource "foo-resource" with the policy "foouser-policy"

 I obtained the following valid RPT

 {
 >
 >   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
 >
 >   "exp": 1531411894,
 >
 >   "nbf": 0,
 >
 >   "iat": 1531375932,
 >
 >   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
 >
 >   "aud": "demo-upgrade-rpt",
 >
 >   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
 >
 >   "typ": "Bearer",
 >
 >   "azp": "auth-demo-webapp",
 >
 >   "auth_time": 0,
 >
 >   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
 >
 >   "acr": "1",
 >
 >   "allowed-origins": [],
 >
 >   "realm_access": {
 >
 >     "roles": [
 >
 >       "offline_access",
 >
 >       "uma_authorization"
 >
 >     ]
 >
 >   },
 >
 >   "resource_access": {
 >
 >     "account": {
 >
 >       "roles": [
 >
 >         "manage-account",
 >
 >         "view-profile"
 >
 >       ]
 >
 >     }
 >
 >   },
 >
 >   "authorization": {
 >
 >     "permissions": [
 >
 >       {
 >
 >         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
 >
 >         "rsname": "foouser-resource"
 >
 >       }
 >
 >     ]
 >
 >   },
 >
 >   "scope": "profile email",
 >
 >   "email_verified": false,
 >
 >   "groups": [],
 >
 >   "preferred_username": "foouser"
 >
 > }
 >
 >
 And I tried to upgrade it using a ticket for an unauthorized resource
 (bar-resource)

 {
 >
 >   "resources": [
 >
 >     {
 >
 >       "id": "c73c3133-b987-4d1f-8195-544735d75433",
 >
 >       "scopes": []
 >
 >     }
 >
 >   ],
 >
 >   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
 >
 >   "exp": 1531411717,
 >
 >   "nbf": 0,
 >
 >   "iat": 1531375717,
 >
 >   "aud": "demo-upgrade-rpt",
 >
 >   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
 >
 >   "azp": "demo-upgrade-rpt"
 >
 > }
 >
 >

  Keycloak returns a 200 OK response including "upgraded": true in the body.
 I was expecting a 403 forbidden response, it seems Keycloak just assess the
 RPT's permissions, ignoring the ticket ones. Is this correct?
 _______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] Questions about Keycloak UMA 2.0 implementation