Hello.
Keycloak 6.0.1 and 7
Can anyone help me with understanding of evaluating RPT?
Scenario:
2 Realm Roles - RoleA and RoleB
1 user with both realm roles
2 clients:
clientA public (or confidential) with Scope=RoleA
clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB
When I go to clientB
Authorization-Evaluate
set Client = clientA
set User = user
choose Any resource with scope(s) Any scope.
and see:
{
"jti": "7692f97f-3907-4e1b-a784-663c52f33bc7",
"exp": 1567062109,
"nbf": 0,
"iat": 1567061809,
"aud": "clientB",
"sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
"typ": "Bearer",
"azp": "clientA",
"auth_time": 0,
"session_state": "ff2e581c-0663-4b8c-9332-629b02c02729",
"acr": "1",
"realm_access": {
"roles": [
"RoleA"
]
},
"authorization": {
"permissions": [
{
"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"email_verified": false,
"preferred_username": "user"
}
here I see that I have only RoleA (that is correct - I'm going through
clientA)
But when I make requests:
curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' -d
'grant_type=password' '
http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token'
grab access-token and
curl -X POST \
http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \
-H "Authorization: Bearer access-token-from-first-curl" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=clientB"
I get different jwt:
{
"jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2",
"exp": 1567062641,
"nbf": 0,
"iat": 1567062341,
"iss": "http://localhost:8280/auth/realms/TestRPT",
"aud": "clientB",
"sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
"typ": "Bearer",
"azp": "clientA",
"auth_time": 0,
"session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e",
"acr": "1",
"realm_access": {
"roles": [
"RoleB",
"RoleA"
]
},
"authorization": {
"permissions": [
{
"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"email_verified": false,
"preferred_username": "user"
}
Why "RoleB" is in RPT? Do I understand documentation wrong? Wrong RPT
request?
Our main target is: when user goes through clientA to clientB, clientB
should receive only those roles that the user has in clientA. We have many
applications-clients and we want to limit some of them. How can we achieve
this?
Thanks in advance.
Alexey Makarevich.