[keycloak-user] API Authorization: on request or response?

Corentin Dupont corentin.dupont at gmail.com
Tue Nov 14 07:37:09 EST 2017


Thanks, actually I saw it but I didn't understand where this bit came from:
aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==

On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> The problem here is that you got an access token (that you are using as a
> bearer to access the Protection API) using the resource owner password grant
> type (direct grant). That means the subject of the token is a user (username)
> and not the resource server itself.
>
> Only resource servers (your client application) are allowed to access the
> Protection API (and managed resources).
>
> The access token you got is valid to query for permissions though, as you
> want to obtain the set of permissions a user has, where the token represents
> the user's identity.
>
> You should fix that error by obtaining an access token for your client.
> Something like that (from docs):
>
> curl -X POST \
>     -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>     -H "Content-Type: application/x-www-form-urlencoded" \
>     -d 'grant_type=client_credentials' \
>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>
>
> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Thanks for the documentation, after reading it I found that I can use
>> "entitlement" endpoints for my use case.
>> So I do:
>>
>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>   -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
>>   "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
>>   | jq .access_token -r`
>>
>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>> Bearer $TOKEN" -d '{
>>     "permissions" : [
>>         {
>>             "resource_set_name" : "Houses",
>>             "scopes" : [
>>                 "view"
>>             ]
>>         }
>>     ]
>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>>
>> Is this correct? It seems to be working.
>> I am not sure how can I get/create resources via the API.
>> I tried:
>>
>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
>>
>> But I get:
>>
>> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>>
>>
>>
>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Hi again,
>>> I looked everywhere but I couldn't find an Evaluation API for JavaScript...
>>> In my nodeJS server, should I call UMA API endpoints?
>>>
>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> It seems you are looking for fine-grained permissions. Could you take a
>>>> look at this example [1] and documentation [2] ?
>>>>
>>>> One of the things shown by that example is how to protect resources
>>>> based on its owner.
>>>>
>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>>>
>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>> another small question :)
>>>>>
>>>>> Suppose you have an API looking like this:
>>>>> http://www.example.com/api/v1/cars
>>>>>
>>>>> Cars have an owner:
>>>>> {
>>>>>   name: "my car",
>>>>>   owner: "smith"
>>>>> }
>>>>>
>>>>> How to make sure that you can only get cars that are yours (you can have
>>>>> several cars)?
>>>>> If you make a simple GET on this endpoint, should I:
>>>>> 1. just reply with "Access denied" because the request is too large: it
>>>>> could yield cars that are not yours,
>>>>> 2. reply with "Access denied" if the response list contains some cars that
>>>>> are not yours,
>>>>> 3. filter the response car list with only yours?
>>>>>
>>>>> It seems that 1. is the simplest because it uses only the request to make
>>>>> decisions.
>>>>> 2. uses the response to make the decision, while 3. requires the
>>>>> collaboration of the response handler in my API server, in order to
>>>>> implement the filtering.
>>>>> What is the most standard way?
>>>>>
>>>>> I have also some trouble understanding how to implement that with Keycloak
>>>>> protect in NodeJS.
>>>>> Cheers!!
>>>>> Corentin
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
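
Added worked example (editor's code, not from any participant in this thread and not Keycloak's own code). It covers two points raised above: where the Basic header in the client_credentials curl comes from (it is base64 of client_id:client_secret, and the value quoted from the docs decodes to hello-world-authz-service:password, the docs' example client and its secret), and the three enforcement strategies from Corentin's original question, run against a constructed list of cars. The store CARS, the Express-style request shape (req.subject, req.query), and the function names handleListCars, authorizeRequest, authorizeResponse and filterOwned are all assumptions for illustration; the subject is assumed to come from a token that upstream middleware has already validated.

```javascript
// Added example (not from the thread or Keycloak): Basic header derivation for the
// client_credentials grant, and the three ways to enforce "only your own cars"
// on GET /api/v1/cars. All names and data below are constructed for illustration.

// The "Authorization: Basic ..." value is base64(client_id + ":" + client_secret).
// The string quoted from the Keycloak docs decodes to "hello-world-authz-service:password".
function basicClientHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Constructed sample store; in a real API this would be a database query.
const CARS = [
  { id: 1, name: 'my car', owner: 'smith' },
  { id: 2, name: 'van', owner: 'smith' },
  { id: 3, name: 'coupe', owner: 'jones' },
];

// Fetch honouring an optional owner filter from the query string.
function fetchCars(query) {
  return query.owner === undefined ? CARS.slice() : CARS.filter(c => c.owner === query.owner);
}

// Strategy 1: decide on the request only. A request that is not explicitly scoped
// to the caller is refused, because it could return other owners' cars.
function authorizeRequest(subject, query) {
  if (query.owner === undefined) return { allowed: false, reason: 'request not scoped to an owner' };
  if (query.owner !== subject) return { allowed: false, reason: 'owner filter does not match caller' };
  return { allowed: true };
}

// Strategy 2: fetch first, then refuse the whole response if any item is foreign.
function authorizeResponse(subject, cars) {
  const foreign = cars.filter(c => c.owner !== subject).length;
  return foreign === 0 ? { allowed: true } : { allowed: false, reason: `${foreign} item(s) belong to other owners` };
}

// Strategy 3: narrow the response to the caller's items (row-level filtering).
function filterOwned(subject, cars) {
  return cars.filter(c => c.owner === subject);
}

// Express-style handler (shape assumed): req.subject is the username from a token
// that upstream middleware has already validated; req.query is the parsed query string.
// Returns { status, body } instead of writing to a response object so it is easy to test.
function handleListCars(req, strategy) {
  const { subject, query = {} } = req;
  if (!subject) return { status: 401, body: { error: 'unauthenticated' } };

  switch (strategy) {
    case 'request': {
      const decision = authorizeRequest(subject, query);
      if (!decision.allowed) return { status: 403, body: { error: decision.reason } };
      return { status: 200, body: fetchCars(query) };
    }
    case 'response': {
      const cars = fetchCars(query);
      const decision = authorizeResponse(subject, cars);
      if (!decision.allowed) return { status: 403, body: { error: decision.reason } };
      return { status: 200, body: cars };
    }
    case 'filter':
      // The caller's own filter is still applied, then the ownership filter on top.
      return { status: 200, body: filterOwned(subject, fetchCars(query)) };
    default:
      throw new Error(`unknown strategy ${strategy}`);
  }
}
```

Strategy 1 is the only one an enforcer placed in front of the handler can make, because it needs nothing but the request and the token; that is why it maps naturally onto request-time policy enforcement. Strategies 2 and 3 need the handler's data. Of the two, 3 is the usual choice for list endpoints: the response only ever contains the caller's rows, and a denial never reveals that rows belonging to someone else exist, which strategy 2's "some cars are not yours" error does.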
