Yes, exactly.
On Wed, Jul 4, 2018 at 3:08 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Actually, the permissions you got were related to "scope:view". Could you
confirm?
On Wed, Jul 4, 2018 at 9:55 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Yes it should. Will check this out.
>
>
> On Wed, Jul 4, 2018 at 9:31 AM, Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> I have another weird behavior (with github HEAD).
>> When requesting a permission on a non existing resource, I still get a
>> token.
>> This token contains all the permissions.
>> Is it correct? Shouldn't it be 404 or something?
>>
>>
>> $ USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=xx&password=xx&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>>
>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not_exist#sensors:view"
>>
>> {"upgraded":false,"access_token":"eyJhbGciOiJSUzI......
>>
>>
>>
>>
>>
>> On Tue, Jul 3, 2018 at 5:00 PM, Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> It should be fixed now in master and available in next release.
>>> https://github.com/keycloak/keycloak/pull/5346.
>>>
>>> Thanks !
>>>
>>> On Tue, Jul 3, 2018 at 10:39 AM, Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Yes, I see that this error happens when the resource does not exist.
>>>> However, with my user "guest", it happens all the time, even when the
>>>> resource does exist...
>>>>
>>>> On Tue, Jul 3, 2018 at 2:15 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>> wrote:
>>>>
>>>>> OK. Found the issue. Will fix it. Problem is that Sensortest does not
>>>>> exist and program enters in a state that a resource-less permission
>>>>> causes that error.
>>>>>
>>>>> On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont <
>>>>> corentin.dupont(a)gmail.com> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>> I got this error when requesting authorization on a resource:
>>>>>>
>>>>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=Sensortest#sensors:view"
>>>>>>
>>>>>> {"error":"server_error","error_description":"Unexpected error while evaluating permissions"}
>>>>>>
>>>>>> On the server side I get:
>>>>>>
>>>>>> 12:42:11,821 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-16) Unexpected error while evaluating permissions: java.lang.NullPointerException
>>>>>> at org.keycloak.authorization.util.Permissions.permits(Permissions.java:194)
>>>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:173)
>>>>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124)
>>>>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
>>>>>> at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>
>>>>>>
>>>>>> I got my token this way:
>>>>>> USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>>>>>>
>>>>>> This seems to happen for scope-based policies.
>>>>>>
>>>>>> Cheers
>>>>>> Corentin
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
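
Added example, not part of the thread and not Keycloak code: a resource-server-side check that an RPT really carries the resource and scope that were asked for, instead of treating "a token came back" as a grant. It assumes the token signature has already been verified, that permissions sit in the `authorization.permissions` claim with `rsid`, `rsname` and `scopes` fields, and that scopes in the `permission` value are comma-separated; the function names and the sample token are constructed for illustration.

```python
import base64
import json


def decode_payload(jwt):
    """Return the claims of a JWT (signature verification assumed done elsewhere)."""
    part = jwt.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(part))


def parse_permission(value):
    """Split a 'permission' form value of the shape 'resource#scope1,scope2'."""
    resource, _, scopes = value.partition("#")
    return resource.strip(), {s.strip() for s in scopes.split(",") if s.strip()}


def rpt_grants(rpt, requested):
    """True only if the RPT names the requested resource with all requested scopes."""
    resource, scopes = parse_permission(requested)
    if not resource:
        return False  # a resource-less request is never treated as a grant here
    perms = decode_payload(rpt).get("authorization", {}).get("permissions", [])
    found, granted = False, set()
    for perm in perms:
        if resource in (perm.get("rsname"), perm.get("rsid")):
            found = True
            granted |= set(perm.get("scopes") or [])
    return found and scopes <= granted


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: an RPT listing every resource the user may view, as in the
# thread, although the request named a resource that does not exist.
SAMPLE_RPT = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"authorization": {"permissions": [
        {"rsid": "id-1", "rsname": "Sensor1", "scopes": ["sensors:view"]},
        {"rsid": "id-2", "rsname": "Sensor2", "scopes": ["sensors:view"]},
    ]}}),
    "constructed-signature",
])

if __name__ == "__main__":
    for req in ("Sensor1#sensors:view", "not_exist#sensors:view"):
        print(req, "->", rpt_grants(SAMPLE_RPT, req))
```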