[keycloak-user] Keycloak is granting broader authorization entitlements to scopes on resources than specified
Pedro Igor Silva
psilva at redhat.com
Thu Mar 9 11:34:46 EST 2017
On Thu, Mar 9, 2017 at 11:58 AM, KLIMPFINGER Koloman <
Koloman.KLIMPFINGER at frequentis.com> wrote:
> Hi keycloak users!
>
> I've a question about using scope and resource permissions to protect my
> resources.
> To me it seems that keycloak is granting broader authorization
> entitlements than I specified it with the policies & permissions - a
> security issue from my point of view.
> For example keycloak - according to the entitlement token of a user -
> grants access to a resource and ALL its scopes, even if I only specified a
> permission to access only ONE scope on that resource for that user (with a
> policy).
> Is It wrong to assume that the user should only have access to the one
> scope?
Another issue is that keycloak grants access to a resource and ALL its
> scopes, even if I only specified a permission to access only that resource
> for that user (with a policy) without a scope.
> Is the assumption wrong that the user should only know about the resource
> but not the scopes?
>
> Or is my understanding of how to handle the authorization entitlements for
> resources and their scopes with keycloak wrong?
> What would be the best practice to secure the resources and their scopes?
>
You are correct. This is an issue with the Entitlement API and Scope-based
Permissions. Created https://issues.jboss.org/browse/KEYCLOAK-4555, sending
a fix shortly.
You should not see this happening if using Authorization API where
evaluation is performed on a per-resource/scope basis.
Will take a look on that repository (just perfect to understand what is
happening) you pointed out and check the results once I have the issue
fixed. Can you watch that JIRA for updates ?
>
> Here I describe the scenario & point to a live example:
>
> _ The scenario _
>
> Created Entities:
> User: Marta
> Policy: Policy-IsUser-Marta
> Scopes: read, write, execute
> Resource: resource-a (with all three scopes)
> Resource: resource-c (with all three scopes)
> Resource-Permission: resource-c -> Policy-IsUser-Marta
> Scope-Permission: resource-a + scope read -> Policy-IsUser-Marta
>
> Retrieve entitlements:
> Get your (Martas) entitlements token and check the granted permissions -
> they are:
>
> - resource-a -> read + write + execute
>
> - resource-c -> read + write + execute
>
> What I would expect:
>
> - resource-a -> read
>
> - resource-c -> (no scopes)
>
> _ Sample Project _
> I created a sample to see it live in action:
> https://github.com/kklimpfi/keycloak-scenarios
>
> It contains a keycloak-migration.json with some sample data (in master
> realm) + an java application that retrieves the Permissions.
> you can clone it and try it (configure setup script for importing and pass
> the system property for the java application to its configuration).
> (Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on
> Linux)
>
> kind regards,
> Koloman
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list