[keycloak-user] API Authorization: on request or response?

Pedro Igor Silva psilva at redhat.com
Tue Nov 14 08:40:10 EST 2017


Thanks, Matthew. I've submitted a PR [1] with a fairly simple change
already. Please, let me know if you are OK with it.

[1] https://github.com/keycloak/keycloak-documentation/pull/236

On Tue, Nov 14, 2017 at 11:23 AM, Matthew Helmke <mhelmke at redhat.com> wrote:

> Pedro, I'm happy to help with docs changes, if you would like assistance.
>
> On Tue, Nov 14, 2017 at 6:44 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Btw. I should probably change documentation to reflect this. Thanks for
>> the
>> feedback.
>>
>> On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>> > Try this:
>> >
>> > curl -X POST \
>> >     -H "Content-Type: application/x-www-form-urlencoded" \
>> >     -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>> >     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>> >
>> > Without BASIC but credentials as form parameters.
>> >
>> > On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <
>> > corentin.dupont at gmail.com> wrote:
>> >
>> >> Thanks, actually I saw it but I didn't understand where this bit came
>> >> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
>> >>
>> >> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com>
>> >> wrote:
>> >>
>> >>> The problem here is that you got an access token (that you are using
>> >>> as a bearer to access Protection API) using resource owner password
>> >>> grant type (direct grant). That means the subject of the token is a user
>> >>> (username) and not the resource server itself.
>> >>>
>> >>> Only resource servers (your client application) are allowed to access
>> >>> the Protection API (and managed resources).
>> >>>
>> >>> The access token you got is valid to query for permissions though, as
>> >>> you want to obtain a set of permissions a user has, where the token
>> >>> represents the user identity.
>> >>>
>> >>> You should fix that error by obtaining an access token for your client.
>> >>> Something like that (from docs):
>> >>>
>> >>> curl -X POST \
>> >>>     -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>> >>>     -H "Content-Type: application/x-www-form-urlencoded" \
>> >>>     -d 'grant_type=client_credentials' \
>> >>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>> >>>
>> >>>
>> >>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
>> >>> corentin.dupont at gmail.com> wrote:
>> >>>
>> >>>> Thanks for the documentation, after reading it I found that I can use
>> >>>> "entitlement" endpoints for my use case.
>> >>>> So I do:
>> >>>>
>> >>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>> >>>>   -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
>> >>>>   "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
>> >>>>   | jq .access_token -r`
>> >>>>
>> >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>> >>>> Bearer $TOKEN" -d '{
>> >>>>     "permissions" : [
>> >>>>         {
>> >>>>             "resource_set_name" : "Houses",
>> >>>>             "scopes" : [
>> >>>>                 "view"
>> >>>>             ]
>> >>>>         }
>> >>>>     ]
>> >>>> }'  "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>> >>>>
>> >>>> Is this correct? It seems to be working.
>> >>>> I am not sure how I can get/create resources via the API.
>> >>>> I tried:
>> >>>>
>> >>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
>> >>>> But I get:
>> >>>> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
>> >>>> corentin.dupont at gmail.com> wrote:
>> >>>>
>> >>>>> Hi again,
>> >>>>> I looked everywhere but I couldn't find an Evaluation API for
>> >>>>> javascript...
>> >>>>> In my nodeJS server, should I call UMA API endpoints?
>> >>>>>
>> >>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <
>> psilva at redhat.com>
>> >>>>> wrote:
>> >>>>>
>> >>>>>> Hi,
>> >>>>>>
>> >>>>>> It seems you are looking for fine-grained permissions. Could you
>> >>>>>> take a look at this example [1] and documentation [2]?
>> >>>>>>
>> >>>>>> One of the things shown by that example is how to protect resources
>> >>>>>> based on its owner.
>> >>>>>>
>> >>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>> >>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>> >>>>>>
>> >>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>> >>>>>> corentin.dupont at gmail.com> wrote:
>> >>>>>>
>> >>>>>>> Hi guys,
>> >>>>>>> another small question :)
>> >>>>>>>
>> >>>>>>> Suppose you have an API looking like this:
>> >>>>>>> http://www.example.com/api/v1/cars
>> >>>>>>>
>> >>>>>>> Cars have an owner:
>> >>>>>>> {
>> >>>>>>>   name: "my car"
>> >>>>>>>   owner: "smith"
>> >>>>>>> }
>> >>>>>>>
>> >>>>>>> How to make sure that you can only get cars that are yours (you
>> >>>>>>> can have several cars)?
>> >>>>>>> If you make a simple GET on this endpoint, should I:
>> >>>>>>> 1. just reply with "Access denied" because the request is too
>> >>>>>>> large: it could yield cars that are not yours,
>> >>>>>>> 2. reply with "Access denied" if the response list contains some
>> >>>>>>> cars that are not yours,
>> >>>>>>> 3. filter the response car list with only yours?
>> >>>>>>>
>> >>>>>>> It seems that 1. is the simplest because it uses only the request
>> >>>>>>> to make decisions.
>> >>>>>>> 2. uses the response to make the decision, while 3. requires the
>> >>>>>>> collaboration of the response handler in my API server, in order
>> >>>>>>> to implement the filtering.
>> >>>>>>> What is the most standard way?
>> >>>>>>>
>> >>>>>>> I have also some trouble understanding how to implement that with
>> >>>>>>> Keycloak protect in NodeJS.
>> >>>>>>> Cheers!!
>> >>>>>>> Corentin
>> >>>>>>> _______________________________________________
>> >>>>>>> keycloak-user mailing list
>> >>>>>>> keycloak-user at lists.jboss.org
>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>>
>
>
>
> --
>
> matthew helmke
>
> technical writer, product documentation
>
> CUSTOMER content services
>
> mhelmke at redhat.com  T: +1-319-333-9638  irc: mhelmke
> <https://red.ht/sig>
> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
>
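Added example, not code from the thread or from Keycloak: it builds the client_credentials token request both ways Pedro shows (credentials in a Basic header, or client_id/client_secret as form parameters), decodes the Basic value Corentin asked about, and classifies a decoded access-token payload as belonging to the client's service account or to a user, which is what decides whether the Protection API will accept it. The `service-account-<clientId>` username and the `clientId` claim are assumed Keycloak conventions; the token path is the one used in the thread.

```javascript
// Build the Authorization header of Pedro's first curl: HTTP Basic is just
// base64("client_id:client_secret"), nothing Keycloak-specific.
function basicAuthHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Reverse of the above, to see which client a documented Basic value names.
function decodeBasicAuth(headerValue) {
  const [scheme, b64] = headerValue.split(' ');
  if (scheme !== 'Basic' || !b64) throw new Error('not a Basic header');
  const [clientId, ...rest] = Buffer.from(b64, 'base64').toString('utf8').split(':');
  return { clientId, clientSecret: rest.join(':') };
}

// Token request for the client_credentials grant. useBasic=true puts the
// credentials in the header, useBasic=false sends them as form parameters
// (Pedro's second curl). Path is the one used in the thread.
function clientCredentialsRequest(baseUrl, realm, clientId, clientSecret, { useBasic = true } = {}) {
  const url = `${baseUrl}/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
  const params = new URLSearchParams({ grant_type: 'client_credentials' });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (useBasic) {
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  } else {
    // URLSearchParams percent-encodes the secret; a hand-typed curl -d string does not.
    params.set('client_id', clientId);
    params.set('client_secret', clientSecret);
  }
  return { method: 'POST', url, headers, body: params.toString() };
}

// Whose identity does a decoded access-token payload carry? A password-grant
// token names a user; a client_credentials token names the client's service
// account. Assumption: Keycloak calls that user "service-account-<clientId>"
// and adds a "clientId" claim to such tokens.
function tokenPrincipalKind(payload) {
  const name = payload.preferred_username || '';
  if (name.startsWith('service-account-') || payload.clientId) return 'client';
  return 'user';
}

// Per the thread: only a token representing the resource server itself may
// call the Protection API (resource_set etc.); a user token is for entitlements.
function mayCallProtectionApi(payload) {
  return tokenPrincipalKind(payload) === 'client';
}
```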

