Thanks for the answer Pedro.
I understand what you wrote, but I think this poses a difficulty for the API users (such
as myself 😊 ).
I want to look for all permissions related to some resource.
Now, instead of selecting all permissions and in my app iterate and filter according to
the resource, I have two bad-performance solutions:
1. Use the /settings endpoint and get too much data, including many entities I don’t
need.
2. Get all permissions, and then one by one call the {id}/resources. And then call the
other endpoints if I also need scopes and associatedPolicies.
I don’t understand why the /policies cannot return the full permission entity with the
{config} object. It would be the straightforward thing to do.
Thanks,
Ori.
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, June 18, 2019 2:23 PM
To: Ori Doolman <Ori.Doolman(a)cyberark.com>
Cc: Rafael Tovar. <rafatov10(a)gmail.com>; keycloak-user
<keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] authorizationSettings not in response
On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman <Ori.Doolman@cyberark.com> wrote:
Pedro,
When I call the authz/resource-server/settings endpoint, I get the full list of all
entities.
That works great if I later want to update the settings using the
/authz/resource-server/import endpoint.
But /settings might become too big and I only want to update my permissions (specific
ones, actually).
Hence, I call the /policy endpoint.
But then I get partial entity information for the scope-based permission, not similar to
the one I get with /settings. The "config" object data is missing.
1) Is that a bug? You can see below both payloads.
The settings endpoint is exporting the settings, basically. So that you have a JSON that
you can later import data back to your client.
The policy endpoint only returns the policy attributes so that any other associated entity
such as resources, scopes, and associated policies should be obtained from another
endpoint.
{id}/associatedPolicies
{id}/resources
{id}/scopes
2) Can I filter permissions by name contains "mySubstring" ? Seems that /search
does not support that but only exact name match by /search?name="name"
You can use the "/" (root) endpoint. It is the one we use in the admin
console.
Here is /settings call:
"policies": [
    {
        "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
        "name": "set-03",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
            "resources": "[\"set-01\"]",
            "scopes": "[\"read\",\"write\"]",
            "applyPolicies": "[\"userPolicy\"]"
        }
    }
]
Here is what I get from /policy endpoint:
{
    "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
    "name": "set-03",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {}
}
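The workflow Pedro describes (substring search on the root policy endpoint, then one call each to {id}/resources, {id}/scopes and {id}/associatedPolicies to rebuild what /settings would have returned in "config") as a small Python client. This is an added example, not code from the Keycloak project or from anyone in this thread. The endpoint paths are the Keycloak admin REST API paths used in the thread; the "name", "first" and "max" query parameters, the "fetch" indirection and the in-memory stand-in server (built from the set-03 payload above plus one constructed unrelated permission) are assumptions so that the code runs offline.

```python
"""Rebuild full Keycloak permissions from the admin REST API without
exporting /settings: search /policy, then fetch each association endpoint.

Added example, not Keycloak project code.  Query parameter names
(name/first/max) and the fake server below are assumptions.
"""
import json
import urllib.request
from typing import Callable, List
from urllib.parse import parse_qs, quote, urlparse

Fetch = Callable[[str], object]  # path (with query string) -> decoded JSON body


def authz_base(realm: str, client_uuid: str) -> str:
    return f"/auth/admin/realms/{realm}/clients/{client_uuid}/authz/resource-server"


def search_policies(fetch: Fetch, base: str, name_substring: str, page: int = 100) -> List[dict]:
    """Substring search on the root policy endpoint (what the admin console uses),
    paged with first/max so a large policy set is not silently truncated."""
    found, first = [], 0
    while True:
        batch = fetch(f"{base}/policy?name={quote(name_substring)}&first={first}&max={page}")
        found.extend(batch)
        if len(batch) < page:
            return found
        first += page


def full_permission(fetch: Fetch, base: str, policy: dict) -> dict:
    """/policy returns an empty "config"; fill in the three associations it omits."""
    pid = policy["id"]
    return {
        **policy,
        "resources": [r["name"] for r in fetch(f"{base}/policy/{pid}/resources")],
        "scopes": [s["name"] for s in fetch(f"{base}/policy/{pid}/scopes")],
        "applyPolicies": [p["name"] for p in fetch(f"{base}/policy/{pid}/associatedPolicies")],
    }


def permissions_for_resource(fetch: Fetch, base: str, resource: str, name_filter: str = "") -> List[dict]:
    """All permissions that reference `resource`.  Still N+1 requests, as the thread
    complains, but only over the filtered policy list, never the whole export."""
    return [
        full
        for full in (full_permission(fetch, base, p) for p in search_policies(fetch, base, name_filter))
        if resource in full["resources"]
    ]


def http_fetch(server: str, token: str) -> Fetch:
    """Real transport.  Pass a bearer token obtained out of band (env var, secret store);
    never hard-code it, and prefer a service account holding only view-authorization."""
    def fetch(path: str):
        req = urllib.request.Request(server + path, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# --- constructed offline stand-in for the server (assumption, not real Keycloak data) ---
_BASE = authz_base("master", "c8e32bbc-72e6-4c30-827f-41ee51980433")
_SET03 = {"id": "a10db0d8-993a-4f34-9082-350033ed8dff", "name": "set-03", "type": "scope",
          "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {}}
_OTHER = {"id": "11111111-1111-1111-1111-111111111111", "name": "unrelated-perm", "type": "scope",
          "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {}}
_ASSOC = {
    _SET03["id"]: {"resources": [{"name": "set-01"}], "scopes": [{"name": "read"}, {"name": "write"}],
                   "associatedPolicies": [{"name": "userPolicy"}]},
    _OTHER["id"]: {"resources": [{"name": "other-res"}], "scopes": [], "associatedPolicies": []},
}


def fake_fetch(path: str):
    """Answers the four endpoints above from the constructed data, honouring paging."""
    url = urlparse(path)
    q = parse_qs(url.query)
    rel = url.path[len(_BASE):]
    if rel == "/policy":
        needle = q.get("name", [""])[0]
        hits = [p for p in (_SET03, _OTHER) if needle in p["name"]]
        first, mx = int(q["first"][0]), int(q["max"][0])
        return hits[first:first + mx]
    _, _, pid, kind = rel.split("/")  # "/policy/{id}/{resources|scopes|associatedPolicies}"
    return _ASSOC[pid][kind]


if __name__ == "__main__":
    print(json.dumps(permissions_for_resource(fake_fetch, _BASE, "set-01"), indent=2))
```

Against a live server, replace fake_fetch with http_fetch("https://keycloak.example", token); the assembled record carries the same resources/scopes/applyPolicies that /settings packs into "config" as JSON-encoded strings, but for the filtered policies only, so an audit script never has to pull (or log) the whole export.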
________________________________
From: keycloak-user-bounces@lists.jboss.org on behalf of Ori Doolman <Ori.Doolman@cyberark.com>
Sent: Thursday, June 6, 2019 4:22 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response
Great. I was looking for that as well. I don't think it is documented.
How do you manipulate the authorization entities by REST API?
For example, add a resource or a scope, modify policy etc.
-----Original Message-----
From: keycloak-user-bounces@lists.jboss.org
On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar. <rafatov10@gmail.com>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] authorizationSettings not in response
Hi,
Please, append the following path to your URI: "/authz/resource-server/settings".
Regards.
Pedro Igor
On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. <rafatov10@gmail.com> wrote:
Hi everybody,
I'm trying to get the authorization settings of a client, but it's not
coming in the response of the request.
This is the request I'm doing:
http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
and this is the response:
{
    "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
    "clientId": "api",
    "surrogateAuthRequired": false,
    "enabled": true,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "*"
    ],
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": true,
    "authorizationServicesEnabled": true,
    "publicClient": false,
    "frontchannelLogout": false,
    "protocol": "openid-connect",
    "attributes": {
        "saml.assertion.signature": "false",
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "exclude.session.state.from.auth.response": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "protocolMappers": [
        {
            "id": "97330e11-24df-40ce-9335-51d5126d4059",
            "name": "Client Host",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "config": {
                "user.session.note": "clientHost",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientHost",
                "jsonType.label": "String"
            }
        },
        {
            "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
            "name": "Client ID",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "config": {
                "user.session.note": "clientId",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientId",
                "jsonType.label": "String"
            }
        },
        {
            "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
            "name": "Client IP Address",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "config": {
                "user.session.note": "clientAddress",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientAddress",
                "jsonType.label": "String"
            }
        }
    ],
    "defaultClientScopes": [
        "web-origins",
        "role_list",
        "profile",
        "roles",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}
Thanks,
Rafael.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user