Found the solution. Attaching the new config JSON
On 28 January 2018 at 11:42, Chandran Soundrapandian <soundrachan(a)gmail.com> wrote:
Hi,
I am evaluating keycloak and trying out the following scenario:
The system has a resource
1. "Contact"
and two client roles
1. Admin
2. Trainee
The "Admin role" can create, view, edit and delete the "contact
resource"
The "Trainee Role" can create and view "contact resource"
Followed the following steps to set up the resource server:
1. Created a resource "Contact"
2. Created scopes "create, view, edit and delete"
3. Created role based policy with Admin Role - "Contact Admin Policy"
4. Created role based policy with Trainee Role - "Contact Trainee Policy"
5. Created Scope based permission "Contact Admin Permission" with all the
scopes (Create, View, Edit, Delete) and associated it with the "Contact Admin
Policy"
6. Created Scope based permission "Contact Trainee Permission" with create
and view scopes and associated it with the "Contact Trainee Policy"
After this setup, using the following Authz client code, I am trying to display
the permissions associated with the user:
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.Permission;

// Client configured from keycloak.json on the classpath
AuthzClient authzClient = AuthzClient.create();
// Obtain an access token for the user (credentials are placeholders)
String accessToken = authzClient.obtainAccessToken("UserName", "UserPassword").getToken();
// Ask the entitlement API for all permissions the user holds on the resource server
// ("Client ID" is the resource server's client id, placeholder)
EntitlementResponse response = authzClient.entitlement(accessToken).getAll("Client ID");
String rpt = response.getRpt();
// Introspect the RPT to list the permissions it carries
TokenIntrospectionResponse requestingPartyToken =
        authzClient.protection().introspectRequestingPartyToken(rpt);
System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");
for (Permission granted : requestingPartyToken.getPermissions()) {
    System.out.println(granted);
}
For admin I get:
Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact, scopes=[Contact:Edit, Contact:Delete]}
whereas the expected is:
Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact, scopes=[Contact:Create, Contact:View, Contact:Edit, Contact:Delete]}
For Trainee I get:
- Nothing
whereas the expected is:
Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact, scopes=[Contact:Create, Contact:View]}
Would you please let me know what I am doing wrong or how to set up the resource server to get
the expected output.
Thanks
-Chandran
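The following is an added example, not code from this thread or from the Keycloak project. It models how the configuration described above is supposed to evaluate: a role-based policy grants when the user holds one of its roles, a scope-based permission combines the votes of its policies under a decision strategy (unanimous, affirmative or consensus, as Keycloak offers), and the scopes of every granting permission are unioned per resource, which is the shape of the Permission lines printed by the introspection code. The policies, permissions, role names and scope names below are constructed to mirror the e-mail; the evaluator itself is a simplified model, not Keycloak's implementation.

```python
"""Model of how scope-based permissions backed by role-based policies combine
into the scopes a user is granted on a resource. Constructed to mirror the
e-mail's setup (resource "Contact", client roles Admin and Trainee); this is a
model, not Keycloak's evaluator."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePolicy:
    """Role-based policy: grants when the user holds any of the listed roles."""
    name: str
    roles: frozenset


@dataclass(frozen=True)
class ScopePermission:
    """Scope-based permission: ties a set of scopes on one resource to policies."""
    name: str
    resource: str
    scopes: frozenset
    policies: tuple              # names of the associated policies
    decision: str = "UNANIMOUS"  # UNANIMOUS, AFFIRMATIVE or CONSENSUS


def policy_grants(policy, user_roles):
    """A role policy votes grant when the user holds at least one of its roles."""
    return bool(policy.roles & user_roles)


def permission_grants(permission, policies, user_roles):
    """Combine the votes of the permission's policies under its decision strategy."""
    votes = [policy_grants(policies[name], user_roles) for name in permission.policies]
    if not votes:
        return False  # a permission with no policy attached grants nothing
    if permission.decision == "UNANIMOUS":
        return all(votes)
    if permission.decision == "AFFIRMATIVE":
        return any(votes)
    if permission.decision == "CONSENSUS":
        return votes.count(True) > votes.count(False)
    raise ValueError(f"unknown decision strategy {permission.decision!r}")


def granted_scopes(user_roles, policies, permissions):
    """Return {resource: set of granted scopes}: the union over every granting
    permission, which is the shape of the RPT permissions printed in the e-mail."""
    user_roles = frozenset(user_roles)
    granted = {}
    for perm in permissions:
        if permission_grants(perm, policies, user_roles):
            granted.setdefault(perm.resource, set()).update(perm.scopes)
    return granted


# Constructed configuration mirroring the numbered setup steps in the e-mail.
POLICIES = {
    "Contact Admin Policy": RolePolicy("Contact Admin Policy", frozenset({"Admin"})),
    "Contact Trainee Policy": RolePolicy("Contact Trainee Policy", frozenset({"Trainee"})),
}
ALL_SCOPES = frozenset({"Contact:Create", "Contact:View", "Contact:Edit", "Contact:Delete"})
PERMISSIONS = [
    ScopePermission("Contact Admin Permission", "Contact", ALL_SCOPES,
                    ("Contact Admin Policy",)),
    ScopePermission("Contact Trainee Permission", "Contact",
                    frozenset({"Contact:Create", "Contact:View"}),
                    ("Contact Trainee Policy",)),
]


def describe(user_roles):
    """Render the result in the same style as the Permission lines in the e-mail."""
    result = granted_scopes(user_roles, POLICIES, PERMISSIONS)
    if not result:
        return "- Nothing"
    return "\n".join(f"Permission {{name={res}, scopes={sorted(scopes)}}}"
                     for res, scopes in sorted(result.items()))


if __name__ == "__main__":
    for roles in ({"Admin"}, {"Trainee"}, set()):
        print(f"roles={sorted(roles)}:\n{describe(roles)}")
```

Running the script prints all four scopes for a user holding Admin, Create and View for Trainee, and nothing for a user with neither role. A permission that lists both policies under the default unanimous strategy grants to nobody who holds only one of the two roles; switching that permission to affirmative grants it to either, which is worth checking when a user sees fewer scopes than the policies alone would suggest.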