[keycloak-user] (no subject)
Corinne Krych
corinnekrych at gmail.com
Thu Oct 16 14:54:15 EDT 2014
I missed the “direct grants only OAuth client” mentioned in original mail.
Isn’t a direct grant oauth client as trusted as application?
++
Corinne
On 16 Oct 2014, at 20:04, Bill Burke <bburke at redhat.com> wrote:
> Applications are "trusted" in Keycloak and don't require the consent
> screen. So, I think we should allow roles to be updated on a request.
>
> On 10/16/2014 1:47 PM, Corinne Krych wrote:
>> Hello Alarik,
>>
>> Interesting use case, I would I thought like you that the newly
>> refreshed access token would contain the new role grant, but reading the
>> spec:
>> http://tools.ietf.org/html/rfc6749#section-1.5
>>
>> refresh tokens are issued to the client by the authorization server
>> and are
>> used to obtain a new access token when the current access token
>> becomes invalid or expires, or to obtain additional access tokens
>> *with identical or narrower scope* (access tokens may have a shorter
>> lifetime and fewer permissions than authorized by the resource
>> owner).
>>
>> Some how makes sense to have to approved the new grants.
>> I need to check how it behaves with OAuth2 providers like Google…
>>
>> ++
>> Corinne
>> ——————
>> AeroGear iOS team
>>
>> On 16 Oct 2014, at 19:17, Bill Burke <bburke at redhat.com
>> <mailto:bburke at redhat.com>> wrote:
>>
>>>
>>>
>>> On 10/16/2014 12:50 PM, Alarik Myrin wrote:
>>>> I am having a strange situation, which might be arising from a bug in
>>>> Keycloak.
>>>>
>>>> I have a direct grants only OAuth client which makes invocations against
>>>> a bearer-only REST interface, running on Wildfly 8.0.0 Final with
>>>> Keycloak 1.0 final.
>>>>
>>>> A side effect of making one of the invocations is that the user is added
>>>> to a realm role. So far so good. The access token used to make that
>>>> invocation though does not contain the new realm role so he cannot, yet,
>>>> make invocations against another endpoint (call it endpoint B) without
>>>> getting a 403 Forbidden. This is expected.
>>>>
>>>> So, the client has to refresh the access token
>>>> (realms/{realm}/tokens/refresh), in order to get a new access token with
>>>> the realm role. The refresh goes OK, but when he tries to make
>>>> invocations against endpoint B, he still gets a 403 Forbidden.
>>>>
>>>
>>> Keycloak will only populate the refreshed token with the original
>>> granted roles. The idea is that there may have been consent involved
>>> and the user can't consent to any newly added roles.
>>>
>>> I guess we could change it in that if the client is an application and
>>> not an oauth client, it would get the new roles.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20141016/073d8cb3/attachment.bin
More information about the keycloak-user
mailing list