[keycloak-dev] FYI: can't use token to auth admin console

Stian Thorgersen stian at redhat.com
Fri May 23 11:25:12 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 23 May, 2014 4:19:06 PM
> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
> 
> The client's scope can't be modified by the client unless the user has
> granted permission for the client to modify its scope.  In the case of
> realm creation, if the client has the "admin" scope, then because
> "admin" is a composite role, the user has already granted the client
> "admin" permission.

There are two things that need to happen: first, the admin has to add the scope for the client. Second, the user has to grant permissions to it as well, which is the step that would be bypassed.


> 
> 
> On 5/23/2014 11:09 AM, Stian Thorgersen wrote:
> > That still doesn't ask the user to give the client permissions though.
> >
> > Maybe it should use the roles from the token for clients, but for
> > applications the model as you propose?
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 23 May, 2014 4:03:13 PM
> >> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
> >>
> >> I will do:
> >>
> >> boolean authorized = realm.hasRole(user, role) && realm.hasScope(client,
> >> role);
> >>
> >>
> >>
> >> On 5/23/2014 11:00 AM, Stian Thorgersen wrote:
> >>> What about clients? You're then giving additional permissions to a client
> >>> that the user hasn't granted.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Friday, 23 May, 2014 3:51:31 PM
> >>>> Subject: Re: [keycloak-dev] FYI: can't use token to auth admin console
> >>>>
> >>>> Our user-agent might not be a browser.
> >>>>
> >>>> On 5/23/2014 10:48 AM, Stian Thorgersen wrote:
> >>>>> Why not just do a window.reload(), which will redirect to login screen
> >>>>> and
> >>>>> get a new token with the new roles?
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>> To: keycloak-dev at lists.jboss.org
> >>>>>> Sent: Friday, 23 May, 2014 3:46:08 PM
> >>>>>> Subject: [keycloak-dev] FYI: can't use token to auth admin console
> >>>>>>
> >>>>>> Too much kid stuff lately!  Sorry I haven't been productive past 2
> >>>>>> days...But...
> >>>>>>
> >>>>>> FYI: We can't use role mapping information in access token to
> >>>>>> authorize
> >>>>>> admin console access.  This is because users may be creating new
> >>>>>> realms
> >>>>>> which will update their role mappings on the fly with the new admin
> >>>>>> roles created for that new realm.
> >>>>>>
> >>>>>> What will happen is that the client id will be extracted from token
> >>>>>> and
> >>>>>> authorization based on client scope and user role mappings will be
> >>>>>> done
> >>>>>> dynamically.
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
> >>>>>> _______________________________________________
> >>>>>> keycloak-dev mailing list
> >>>>>> keycloak-dev at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
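A small Python model of the three checks debated in this thread, added here as an illustration and not Keycloak code: the roles frozen into a token at login, the live "user has role AND client has scope" check, and the additional user-consent step. All user, client and role names are constructed.

```python
# Toy model of the authorization decision debated in the thread (added example,
# not Keycloak code). All users, clients and roles below are constructed.
from dataclasses import dataclass, field

@dataclass
class Realm:
    user_roles: dict = field(default_factory=dict)    # user -> roles (changes on the fly)
    client_scope: dict = field(default_factory=dict)  # client -> roles the admin allowed it
    consents: dict = field(default_factory=dict)      # (user, client) -> roles the user granted

    def has_role(self, user, role):
        return role in self.user_roles.get(user, set())

    def has_scope(self, client, role):
        return role in self.client_scope.get(client, set())

    def has_consent(self, user, client, role):
        return role in self.consents.get((user, client), set())

def authorized_from_token(token, role):
    # Roles frozen into the token at login: cannot see roles mapped afterwards.
    return role in token["roles"]

def authorized_scope_only(realm, user, client, role):
    # The two-part check proposed in the thread, evaluated live against the realm.
    return realm.has_role(user, role) and realm.has_scope(client, role)

def authorized_with_consent(realm, user, client, role):
    # Adds the step the objection says would otherwise be bypassed: user consent.
    return authorized_scope_only(realm, user, client, role) and realm.has_consent(user, client, role)

def demo():
    realm = Realm()
    realm.user_roles["alice"] = {"admin"}
    realm.client_scope["admin-console"] = {"admin"}
    realm.consents[("alice", "admin-console")] = {"admin"}
    token = {"sub": "alice", "azp": "admin-console", "roles": {"admin"}}
    # alice creates a realm; a fresh admin role is mapped to her and scoped to the client
    new_role = "newrealm-admin"
    realm.user_roles["alice"].add(new_role)
    realm.client_scope["admin-console"].add(new_role)
    return {
        "token_sees_new_role": authorized_from_token(token, new_role),
        "scope_only": authorized_scope_only(realm, "alice", "admin-console", new_role),
        "with_consent": authorized_with_consent(realm, "alice", "admin-console", new_role),
    }
```

Running `demo()` shows the stale token denying the new role, the live scope check granting it, and the consent-aware check still denying it until the user grants the client that role.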

