[keycloak-user] API Authorization: on request or response?

Pedro Igor Silva psilva at redhat.com
Tue Nov 14 07:44:55 EST 2017


Btw. I should probably change documentation to reflect this. Thanks for the
feedback.

On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva <psilva at redhat.com>
wrote:

> Try this:
>
> curl -X POST \
>     -H "Content-Type: application/x-www-form-urlencoded" \
>     -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>
> Without BASIC but credentials as form parameters.
>
> On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Thanks, actually I saw it but I didn't understand where this bit came
>> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
>>
>> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> The problem here is that you got an access token (that you are using as
>>> a bearer to access the Protection API) using the resource owner password grant type
>>> (direct grant). That means the subject of the token is a user (username)
>>> and not the resource server itself.
>>>
>>> Only resource servers (your client application) are allowed to access
>>> the Protection API (and managed resources).
>>>
>>> The access token you got is valid to query for permissions though, as
>>> you want to obtain the set of permissions a user has, where the token
>>> represents the user's identity.
>>>
>>> You should fix that error by obtaining an access token for your client.
>>> Something like this (from the docs):
>>>
>>> curl -X POST \
>>>     -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>     -d 'grant_type=client_credentials' \
>>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>
>>>
>>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Thanks for the documentation, after reading it I found that I can use
>>>> "entitlement" endpoints for my use case.
>>>> So I do:
>>>>
>>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>>>     -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
>>>>     "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
>>>>     | jq .access_token -r`
>>>>
>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>     "permissions" : [
>>>>         {
>>>>             "resource_set_name" : "Houses",
>>>>             "scopes" : [
>>>>                 "view"
>>>>             ]
>>>>         }
>>>>     ]
>>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>>>>
>>>> Is this correct? It seems to be working.
>>>> I am not sure how I can get/create resources via the API.
>>>> I tried:
>>>>
>>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
>>>>
>>>> But I get:
>>>>
>>>> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>>>>
>>>>
>>>>
>>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi again,
>>>>> I looked everywhere but I couldn't find an Evaluation API for
>>>>> javascript...
>>>>> In my nodeJS server, should I call UMA API endpoints?
>>>>>
>>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> It seems you are looking for fine-grained permissions. Could you take
>>>>>> a look at this example [1] and the documentation [2]?
>>>>>>
>>>>>> One of the things shown by that example is how to protect resources
>>>>>> based on their owner.
>>>>>>
>>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>>>>>
>>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>> another small question :)
>>>>>>>
>>>>>>> Suppose you have an API looking like this:
>>>>>>> http://www.example.com/api/v1/cars
>>>>>>>
>>>>>>> Cars have an owner:
>>>>>>> {
>>>>>>>   name: "my car"
>>>>>>>   owner: "smith"
>>>>>>> }
>>>>>>>
>>>>>>> How do I make sure that you can only get cars that are yours (you can
>>>>>>> have several cars)?
>>>>>>> If you make a simple GET on this endpoint, should I:
>>>>>>> 1. just reply with an "Access denied" because the request is too
>>>>>>> large: it could yield cars that are not yours,
>>>>>>> 2. reply with "Access denied" if the response list contains some
>>>>>>> cars that are not yours,
>>>>>>> 3. filter the response car list to only yours?
>>>>>>>
>>>>>>> It seems that 1. is the simplest because it uses only the request to
>>>>>>> make decisions.
>>>>>>> 2. uses the response to make the decision, while 3. requires the
>>>>>>> collaboration of the response handler in my API server, in order to
>>>>>>> implement the filtering.
>>>>>>> What is the most standard way?
>>>>>>>
>>>>>>> I also have some trouble understanding how to implement that with
>>>>>>> Keycloak protect in NodeJS.
>>>>>>> Cheers!!
>>>>>>> Corentin
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
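The two equivalent client_credentials requests from the thread, built in Node.js as an added example (not code from the thread or from Keycloak). It shows where the `aGVsbG8t...` value comes from: it is base64 of `client_id:client_secret`, here the constructed pair `hello-world-authz-service:password`; realm, base URL and `myclient` values are likewise taken from the thread's examples, not from a real deployment.

```javascript
// Added example: build (without sending) the two forms of the
// client_credentials token request shown in the thread. Either form yields
// a token whose subject is the client itself, which is what the Protection
// API requires; a password-grant token represents a user instead.

// The Basic header value is base64(client_id + ":" + client_secret).
function basicAuthHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Inverse of the above: recover client_id and secret from a Basic header.
function decodeBasicAuth(header) {
  const b64 = header.replace(/^Basic\s+/, '');
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  return { clientId: decoded.slice(0, idx), clientSecret: decoded.slice(idx + 1) };
}

// Token endpoint path used by every curl command in the thread.
function tokenEndpoint(baseUrl, realm) {
  return `${baseUrl}/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

// Variant 1 (from the docs): client credentials in the Authorization header.
function clientCredentialsRequestBasic(baseUrl, realm, clientId, clientSecret) {
  return {
    method: 'POST',
    url: tokenEndpoint(baseUrl, realm),
    headers: {
      'Authorization': basicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  };
}

// Variant 2 (Pedro's second suggestion): credentials as form parameters.
// URLSearchParams percent-encodes a secret containing '&', '=' or '%'.
function clientCredentialsRequestForm(baseUrl, realm, clientId, clientSecret) {
  return {
    method: 'POST',
    url: tokenEndpoint(baseUrl, realm),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
    }).toString(),
  };
}
```

Pass the returned object to any HTTP client (for example `fetch(req.url, { method: req.method, headers: req.headers, body: req.body })`) and read `access_token` from the JSON response.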

