On Tue, Jul 10, 2018 at 5:32 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
On Tue, Jul 10, 2018 at 10:31 AM, Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
> Hi guys,
> I noticed a couple of strange things when retrieving all the permissions.
> I tried:
>
> $ curl -X POST
http://localhost:8080/auth/realms/waziup/protocol/openid-
> connect/token
> <
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token>
> -H "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audi
> ence=api-server"
> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
> "permissions": [
> ...
>
> But it seems that this command returns only the permissions for the
> resources belonging to the client, excluding resource belonging to other
> users?
>
When obtaining all entitlenents for an user, only resources owned by the
resource server, by the user and shares (via ticket or via account service)
are processed.
OK, I understand. My use case is to protects an endpoint such as "GET
/resources" that returns a bunch of resources.
So if I understand I have to include multiple resource/scope in the same
request (I thought a generic call would suffice).
BTW, is there a possibility to use JSON in the request, instead of form
data? i.e.
-d {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"audience":
"api-server" ...}
> To get an assessment of all resources, I tried adding a scope:
>
> $ curl -X POST
http://localhost:8080/auth/realms/waziup/protocol/openid-
> connect/token
> <
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token>
> -H "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audi
> ence=api-server&permission=#sensors:view"
> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
> "permissions": [
> {
> "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
> "rsname": "foo"
>
> This instead returns a list of resources belonging to all users.
> But the list seems to be wrong: it returns sensors to which I *don't* have
> access!
> If I try the request on the specific resource, it returns (rightfully)
> access_denied:
>
I tried to do a simple test based on a previous realm configuration you
sent. Could not reproduce the problem.
>
> curl -X POST
>
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audi
> ence=api-server&permission=
> 9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
>
{"error":"access_denied","error_description":"not_authorized"}
>
> Another strange thing, if I try with a non-existent resource ID, there is
> no error message and it returns a list of permissions:
>
> $ curl -X POST
>
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audi
> ence=api-server&permission=not-exist#sensors:view"
> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
> "permissions": [
> {
> "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
> "rsname": "foo"
> ...
>
I think you reported ths already. Here is the PR
https://github.com/
keycloak/keycloak/pull/5357.
Yes, I thought it was already in HEAD, but I see it's not merged (sorry).
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>