Hi Paul,
Here's the method responsible for consent / offline token revocation:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
This can be further traced to
o.k.services.resources.admin.permissions.UserPermissions::canManage(UserModel):
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Long story short: currently, consents / offline tokens can be revoked
only by those allowed to manage all the users in the realm (either via
"admin" role membership or Realm > Users > Permissions) or by those
allowed to manage users in a particular group (Realm > Groups > (group)
Permissions). That means a user is not allowed to revoke his/her own
consents and offline tokens. This looks like a bug to me, but let's see
what the Keycloak devs say.
Also, looking through the REST API documentation, I didn't see
anything related to roles and authorization. Are all operations only
accessible by users with the admin role assigned?
Not necessarily so; unfortunately, this topic is mostly undocumented,
so the only reliable way is to look into the sources (something we've
just done for consent revocation).
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
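To confirm the behaviour described above (the consents endpoints answer only to a caller with manage-users permission, not to the user whose consents they are), here is a small stand-alone checker. It is an added example, not code from this thread or from Keycloak; it assumes a server at BASE with the legacy /auth prefix used in the thread, a public client (ASSUMED_CLIENT) that permits the password grant, and two accounts: an admin and the end user being inspected.

```python
"""Compare admin vs. end-user access to the Keycloak consents admin endpoints."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

BASE = "http://localhost:8080/auth"    # assumption: local dev server, legacy /auth prefix
REALM = "master"
ASSUMED_CLIENT = "admin-cli"           # assumption: public client allowing the password grant


def token_url(base: str, realm: str) -> str:
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def consents_url(base: str, realm: str, user_id: str, client_id: Optional[str] = None) -> str:
    """Admin REST path from the thread; with client_id it is the DELETE (revoke) target."""
    url = f"{base}/admin/realms/{realm}/users/{user_id}/consents"
    return f"{url}/{urllib.parse.quote(client_id, safe='')}" if client_id else url


def password_grant(base: str, realm: str, client_id: str, username: str, password: str) -> str:
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(token_url(base, realm), data=body) as resp:
        return json.load(resp)["access_token"]


def call(method: str, url: str, token: str) -> int:
    """Return only the HTTP status; a 403 means the caller lacks manage-users permission."""
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def outcome(status: int) -> str:
    """Translate the status into the finding discussed in the thread."""
    return {200: "authorized", 204: "authorized",
            403: "forbidden (caller cannot manage this user)",
            401: "unauthenticated (bad or expired token)"}.get(status, f"unexpected HTTP {status}")


if __name__ == "__main__":
    # usage: script.py ADMIN_USER ADMIN_PW END_USER END_USER_PW END_USER_ID
    admin_user, admin_pw, user, user_pw, user_id = sys.argv[1:6]
    for who, (name, pw) in {"admin": (admin_user, admin_pw), "end user": (user, user_pw)}.items():
        tok = password_grant(BASE, REALM, ASSUMED_CLIENT, name, pw)
        print(f"{who}: GET consents -> {outcome(call('GET', consents_url(BASE, REALM, user_id), tok))}")
```

With a stock realm the admin line should read "authorized" and the end-user line "forbidden", matching what Paul observed; if the end-user line turns "authorized" after a role change, that is the manage-users grant at work.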
On Fri, 2018-07-20 at 15:47 -0400, Paul Grebenc wrote:
I have been doing some investigation with Keycloak 3.4.3.Final, and have
noticed something that I am wondering about.
It is possible for me to request an offline token for a given user with a
password grant, and that consent will show up for the user under the user's
Consents tab in the admin console.
In terms of managing any granted consents (for the purpose of allowing a
user to revoke a consent that they have granted), I have been able to do
the following:
curl -X GET -H "Authorization: Bearer <authToken>" http://localhost:8080/auth/admin/realms/master/users/<userId>/consents
This returns all current consents granted by the user. I can then also do
the following:
curl -X DELETE -H "Authorization: Bearer <authToken>" http://localhost:8080/auth/admin/realms/master/users/<userId>/conse...;
This revokes the consent granted by the specified user for the specified
client.
This is good so far, but I noticed that I was only authorized to perform
these operations as admin, and not as the user in question who has granted
these consents. Through experimentation, I was able to determine that if I
add the role "admin" to the user, that user is then authorized for these
operations.
Is this intentional? It was originally my expectation that a user who has
granted consents should be able to view or revoke their own consents
without having to have the admin role assigned.
Also, looking through the REST API documentation, I didn't see anything
related to roles and authorization. Are all operations only accessible by
users with the admin role assigned?
Regards,
Paul
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user