On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman <Ori.Doolman(a)cyberark.com>
wrote:
Pedro,
When I call the authz/resource-server/settings endpoint, I get the full
list of all entities.
That works great if I later want to update the settings using the
/authz/resource-server/import endpoint.
But /settings might become too big and I only want to update my
permissions (specific ones, actually).
Hence, I call the /policy endpoint.
But then I get partial entity information for the scope-based permission,
not similar to the one I get with /settings. The "config" object data is
missing.
The settings endpoint is exporting the settings, basically. So that you
have a JSON that you can later import data back to your client.
The policy endpoint only returns the policy attributes so that any other
associated entity such as resources, scopes, and associated policies should
be obtained from another endpoint.
{id}/associatedPolicies
{id}/resources
{id}/scopes
2) Can I filter permissions by name contains "mySubstring"? Seems that
/search does not support that but only exact name match by
/search?name="name"
You can use the "/" (root) endpoint. It is the one we use in the admin
console.
Here is /settings call:
"policies": [
  {
    "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
    "name": "set-03",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "resources": "[\"set-01\"]",
      "scopes": "[\"read\",\"write\"]",
      "applyPolicies": "[\"userPolicy\"]"
    }
  }
Here is what I get from /policy endpoint:
{
  "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
  "name": "set-03",
  "type": "scope",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "config": {}
}
------------------------------
*From:* keycloak-user-bounces(a)lists.jboss.org <
keycloak-user-bounces(a)lists.jboss.org> on behalf of Ori Doolman <
Ori.Doolman(a)cyberark.com>
*Sent:* Thursday, June 6, 2019 4:22 PM
*To:* Pedro Igor Silva; Rafael Tovar.
*Cc:* keycloak-user
*Subject:* Re: [keycloak-user] authorizationSettings not in response
Great. I was looking for that as well. I don't think it is documented.
How do you manipulate the authorization entities by REST API?
For example, add a resource or a scope, modify policy etc.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <
keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar. <rafatov10(a)gmail.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] authorizationSettings not in response
Hi,
Please, append the following path to your URI:
"/authz/resource-server/settings".
Regards.
Pedro Igor
On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. <rafatov10(a)gmail.com> wrote:
> Hi everybody,
> I'm trying to get the authorization settings of a client, but it's not
> coming in the response of the request.
> This is the request I'm doing:
>
>
> http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>
> and this is the response:
>
> {
> "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
> "clientId": "api",
> "surrogateAuthRequired": false,
> "enabled": true,
> "clientAuthenticatorType": "client-secret",
> "redirectUris": [
> "*"
> ],
> "webOrigins": [],
> "notBefore": 0,
> "bearerOnly": false,
> "consentRequired": false,
> "standardFlowEnabled": true,
> "implicitFlowEnabled": false,
> "directAccessGrantsEnabled": true,
> "serviceAccountsEnabled": true,
> "authorizationServicesEnabled": true,
> "publicClient": false,
> "frontchannelLogout": false,
> "protocol": "openid-connect",
> "attributes": {
> "saml.assertion.signature": "false",
> "saml.force.post.binding": "false",
> "saml.multivalued.roles": "false",
> "saml.encrypt": "false",
> "saml.server.signature": "false",
> "saml.server.signature.keyinfo.ext": "false",
> "exclude.session.state.from.auth.response": "false",
> "saml_force_name_id_format": "false",
> "saml.client.signature": "false",
> "tls.client.certificate.bound.access.tokens": "false",
> "saml.authnstatement": "false",
> "display.on.consent.screen": "false",
> "saml.onetimeuse.condition": "false"
> },
> "authenticationFlowBindingOverrides": {},
> "fullScopeAllowed": true,
> "nodeReRegistrationTimeout": -1,
> "protocolMappers": [
> {
> "id": "97330e11-24df-40ce-9335-51d5126d4059",
> "name": "Client Host",
> "protocol": "openid-connect",
> "protocolMapper": "oidc-usersessionmodel-note-mapper",
> "consentRequired": false,
> "config": {
> "user.session.note": "clientHost",
> "id.token.claim": "true",
> "access.token.claim": "true",
> "claim.name": "clientHost",
> "jsonType.label": "String"
> }
> },
> {
> "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
> "name": "Client ID",
> "protocol": "openid-connect",
> "protocolMapper": "oidc-usersessionmodel-note-mapper",
> "consentRequired": false,
> "config": {
> "user.session.note": "clientId",
> "id.token.claim": "true",
> "access.token.claim": "true",
> "claim.name": "clientId",
> "jsonType.label": "String"
> }
> },
> {
> "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
> "name": "Client IP Address",
> "protocol": "openid-connect",
> "protocolMapper": "oidc-usersessionmodel-note-mapper",
> "consentRequired": false,
> "config": {
> "user.session.note": "clientAddress",
> "id.token.claim": "true",
> "access.token.claim": "true",
> "claim.name": "clientAddress",
> "jsonType.label": "String"
> }
> }
> ],
> "defaultClientScopes": [
> "web-origins",
> "role_list",
> "profile",
> "roles",
> "email"
> ],
> "optionalClientScopes": [
> "address",
> "phone",
> "offline_access",
> "microprofile-jwt"
> ],
> "access": {
> "view": true,
> "configure": true,
> "manage": true
> }
> }
>
> Thanks,
> Rafael.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
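An added example, not part of the thread and not Keycloak code: rebuilding the /settings-style "config" of a scope permission from the /policy entry plus the three sub-endpoints named in the reply, then comparing it with an export to spot permission drift. The relative paths, the `fetch` callable, the function names and the response shape (lists of objects with a "name" field) are assumptions; the sample responses are constructed.

```python
import json

POLICY_ID = "a10db0d8-993a-4f34-9082-350033ed8dff"

# Constructed stand-in for the admin API: path relative to the /policy
# endpoint -> canned response. Response shapes are an assumption.
SAMPLE_RESPONSES = {
    f"/{POLICY_ID}": {
        "id": POLICY_ID, "name": "set-03", "type": "scope",
        "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {},
    },
    f"/{POLICY_ID}/resources": [{"name": "set-01"}],
    f"/{POLICY_ID}/scopes": [{"name": "read"}, {"name": "write"}],
    f"/{POLICY_ID}/associatedPolicies": [{"name": "userPolicy"}],
}


def fake_fetch(path):
    """Hypothetical fetcher; a real one would issue an authenticated GET."""
    return SAMPLE_RESPONSES[path]


# config key used in the /settings export -> sub-endpoint from the reply
ASSOCIATIONS = {
    "resources": "resources",
    "scopes": "scopes",
    "applyPolicies": "associatedPolicies",
}


def rebuild_policy(policy_id, fetch):
    """Return the policy in the shape the /settings export shows it."""
    policy = dict(fetch(f"/{policy_id}"))
    config = dict(policy.get("config") or {})
    for key, sub in ASSOCIATIONS.items():
        names = [item["name"] for item in fetch(f"/{policy_id}/{sub}")]
        if names:  # leave out associations that are empty
            # the export stores each name list as a JSON-encoded string
            config[key] = json.dumps(names, separators=(",", ":"))
    policy["config"] = config
    return policy


def config_drift(exported, rebuilt):
    """Association keys whose name sets differ between export and live view."""
    def names(policy, key):
        return set(json.loads(policy["config"].get(key, "[]")))
    return [k for k in ASSOCIATIONS if names(exported, k) != names(rebuilt, k)]
```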