[keycloak-user] API Authorization: on request or response?
Corentin Dupont
corentin.dupont at gmail.com
Tue Nov 14 08:13:29 EST 2017
This works great, thanks.
TOKEN=`curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
"http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token" | jq .access_token -r`
Then I do:
$ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
["037f5d3e-8f25-4af1-93a0-4e17455d0614"]
$ curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set/037f5d3e-8f25-4af1-93a0-4e17455d0614" -H "Authorization: Bearer $TOKEN"
{
  "name": "Sensors",
  "uri": "/sensors/*",
  "type": "http://localhost:3000/sensors",
  "scopes": [
    {
      "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
      "name": "view"
    },
    {
      "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
      "name": "manage"
    }
  ],
  "owner": "0892e431-5daf-413e-b4cf-eaee121ee447",
  "_id": "037f5d3e-8f25-4af1-93a0-4e17455d0614",
  "id": "037f5d3e-8f25-4af1-93a0-4e17455d0614"
}
Next I tried to POST a new resource:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
-H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "name": "My house",
  "uri": "/houses/123",
  "scopes": [
    {
      "id": "da776461-c1f5-4904-a559-1ca04d9f53a9",
      "name": "view"
    },
    {
      "id": "2615157c-f588-4e2b-ba1c-720fe8394215",
      "name": "manage"
    }
  ],
  "owner": "0892e431-5daf-413e-b4cf-eaee121ee447"
}'
Everything seems OK.
On Tue, Nov 14, 2017 at 1:44 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> Try this:
>
> curl -X POST \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
> "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>
> Without BASIC but credentials as form parameters.
>
> On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Thanks, actually I saw it but I didn't understand where this bit came
>> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
>>
>> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> The problem here is that you got an access token (that you are using as
>>> a bearer to access the Protection API) using the resource owner password grant type
>>> (direct grant). That means the subject of the token is a user (username)
>>> and not the resource server itself.
>>>
>>> Only resource servers (your client application) are allowed to access
>>> the Protection API (and managed resources).
>>>
>>> The access token you got is valid to query for permissions though, as
>>> you want to obtain the set of permissions a user has, where the token
>>> represents the user's identity.
>>>
>>> You should fix that error by obtaining an access token for your client.
>>> Something like this (from the docs):
>>>
>>> curl -X POST \
>>> -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>>> -H "Content-Type: application/x-www-form-urlencoded" \
>>> -d 'grant_type=client_credentials' \
>>> "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>>
>>>
>>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Thanks for the documentation, after reading it I found that I can use
>>>> "entitlement" endpoints for my use case.
>>>> So I do:
>>>>
>>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>>> -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
>>>> "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" | jq .access_token -r`
>>>>
>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>   "permissions" : [
>>>>     {
>>>>       "resource_set_name" : "Houses",
>>>>       "scopes" : [ "view" ]
>>>>     }
>>>>   ]
>>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>>>>
>>>> Is this correct? It seems to be working.
>>>> I am not sure how I can get/create resources via the API.
>>>> I tried:
>>>>
>>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
>>>>
>>>> But I get:
>>>> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>>>>
>>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi again,
>>>>> I looked everywhere but I couldn't find an Evaluation API for
>>>>> javascript...
>>>>> In my nodeJS server, should I call UMA API endpoints?
>>>>>
>>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> It seems you are looking for fine-grained permissions. Could you take
>>>>>> a look at this example [1] and documentation [2] ?
>>>>>>
>>>>>> One of the things shown by that example is how to protect resources
>>>>>> based on its owner.
>>>>>>
>>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>>>>>
>>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>> another small question :)
>>>>>>>
>>>>>>> Suppose you have an API looking like this:
>>>>>>> http://www.example.com/api/v1/cars
>>>>>>>
>>>>>>> Cars have an owner:
>>>>>>> {
>>>>>>>   name: "my car",
>>>>>>>   owner: "smith"
>>>>>>> }
>>>>>>>
>>>>>>> How to make sure that you can only get cars that are yours (you can have several cars)?
>>>>>>> If you make a simple GET on this endpoint, should I:
>>>>>>> 1. just reply with "Access denied" because the request is too large: it could yield cars that are not yours,
>>>>>>> 2. reply with "Access denied" if the response list contains some cars that are not yours,
>>>>>>> 3. filter the response car list with only yours?
>>>>>>>
>>>>>>> It seems that 1. is the simplest because it uses only the request to make decisions.
>>>>>>> 2. uses the response to make the decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering.
>>>>>>> What is the most standard way?
>>>>>>>
>>>>>>> I have also some trouble understanding how to implement that with Keycloak protect in NodeJS.
>>>>>>> Cheers!!
>>>>>>> Corentin
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
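The client-credentials exchange that Pedro describes (and the Basic header Corentin asked about) as an added Node.js example, not code from the thread or from Keycloak: it builds the token request in both equivalent forms and checks a token's claims before the server uses it against the Protection API. The claim names `azp`, `clientId` and `preferred_username` follow Keycloak's default service-account mappers and are an assumption to verify against your realm.

```javascript
// Added example, not code from the thread or from Keycloak: the client-credentials
// token request in the two equivalent forms shown above (Basic header vs. form
// parameters), plus a claims check so a server never uses a user token against
// the Protection API. Assumption: Keycloak's default service-account setup names
// the user "service-account-<clientId>" and adds a "clientId" claim; verify for your realm.

function basicAuthHeader(clientId, clientSecret) {
  // The docs' "aGVsbG8t..." value is just base64("<client_id>:<client_secret>").
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

function decodeBasicAuth(header) {
  const [scheme, b64] = header.split(' ');
  if (scheme !== 'Basic' || !b64) throw new Error('not a Basic header');
  const text = Buffer.from(b64, 'base64').toString('utf8');
  const i = text.indexOf(':');               // the secret itself may contain ':'
  return { clientId: text.slice(0, i), clientSecret: text.slice(i + 1) };
}

// Token request for grant_type=client_credentials. useBasic=true sends the
// credentials in the Authorization header, false sends them as form fields.
function clientCredentialsRequest(baseUrl, realm, clientId, clientSecret, useBasic) {
  const params = new URLSearchParams({ grant_type: 'client_credentials' });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (useBasic) headers.Authorization = basicAuthHeader(clientId, clientSecret);
  else { params.set('client_id', clientId); params.set('client_secret', clientSecret); }
  return {
    url: `${baseUrl}/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`,
    headers,
    body: params.toString(),
  };
}

// Reads the JWT payload WITHOUT verifying it: only call on tokens whose signature
// keycloak-connect (or your JWT library) has already checked.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');   // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// The Protection API must be called by the resource server itself: a token whose
// subject is the client's service account. A grant_type=password token represents
// a user (the "invalid_clientId" case above) and is rejected here.
function isResourceServerToken(claims, clientId) {
  if (claims.azp !== clientId) return false;
  return claims.clientId === clientId ||
         claims.preferred_username === `service-account-${clientId}`;
}
```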
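The "request or response?" question from the first message, worked as an added Node.js example that is not part of the thread or of keycloak-connect: the decision is made on the request by scoping it to the caller's own cars, so the response can never carry someone else's. It assumes the caller is the verified token's `preferred_username` and that the coarse "view Cars" grant appears in the RPT's `authorization.permissions` claim with `resource_set_name` and `scopes` fields (matching the entitlement request format above); check the claim names for your Keycloak version.

```javascript
// Added example, not code from the thread or from keycloak-connect. It answers
// the "request or response?" question for GET /api/v1/cars: the decision is made
// on the request, by narrowing it to the caller's own cars, so the response can
// never contain someone else's. Assumptions: the caller is the verified token's
// preferred_username, and the coarse "view Cars" grant is read from the RPT's
// authorization.permissions claim (resource_set_name/scopes, matching the
// entitlement request format above); check claim names for your Keycloak version.

// Constructed sample data standing in for the API's database.
const CARS = [
  { id: 'c1', name: 'my car', owner: 'smith' },
  { id: 'c2', name: 'van', owner: 'smith' },
  { id: 'c3', name: 'truck', owner: 'jones' },
];

// Coarse check: does the RPT grant `scope` on the resource named `resourceName`?
function hasPermission(rptClaims, resourceName, scope) {
  const perms = (rptClaims.authorization && rptClaims.authorization.permissions) || [];
  return perms.some(p => p.resource_set_name === resourceName &&
                         Array.isArray(p.scopes) && p.scopes.includes(scope));
}

// Fine-grained handler. req = { path, query }, e.g. GET /api/v1/cars?owner=jones.
// Returns { status, body } the way an Express route would send it.
function handleGetCars(req, rptClaims, store = CARS) {
  const me = rptClaims.preferred_username;
  if (!me || !hasPermission(rptClaims, 'Cars', 'view')) {
    return { status: 403, body: 'Access denied' };
  }
  const m = /^\/api\/v1\/cars(?:\/([^/?]+))?$/.exec(req.path);
  if (!m) return { status: 404 };

  if (m[1]) {
    // Single car: 404 for both "does not exist" and "not yours", so the
    // endpoint does not confirm other users' car ids.
    const car = store.find(c => c.id === m[1] && c.owner === me);
    return car ? { status: 200, body: car } : { status: 404 };
  }

  // List: an explicit request for someone else's cars is refused up front
  // (option 1); otherwise the query itself is scoped to the caller (option 3).
  // Either way the decision is made before data is read, never by inspecting
  // the response afterwards (option 2).
  const owner = req.query && req.query.owner;
  if (owner && owner !== me) return { status: 403, body: 'Access denied' };
  return { status: 200, body: store.filter(c => c.owner === me) };
}
```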