[keycloak-user] API Authorization: on request or response?

Matthew Helmke mhelmke at redhat.com
Tue Nov 14 08:44:20 EST 2017


Looks good to me. Thanks.

On Tue, Nov 14, 2017 at 7:40 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Thanks, Matthew. I've submitted a PR [1] with a fairly simple change
> already. Please, let me know if you are OK with it.
>
> [1] https://github.com/keycloak/keycloak-documentation/pull/236
>
> On Tue, Nov 14, 2017 at 11:23 AM, Matthew Helmke <mhelmke at redhat.com>
> wrote:
>
>> Pedro, I'm happy to help with docs changes, if you would like assistance.
>>
>> On Tue, Nov 14, 2017 at 6:44 AM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Btw. I should probably change documentation to reflect this. Thanks for
>>> the feedback.
>>>
>>> On Tue, Nov 14, 2017 at 10:44 AM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>> > Try this:
>>> >
>>> > curl -X POST \
>>> >     -H "Content-Type: application/x-www-form-urlencoded" \
>>> >     -d 'grant_type=client_credentials&client_id=myclient&client_secret=myclientsecret' \
>>> >     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>> >
>>> > Without BASIC but credentials as form parameters.
>>> >
>>> > On Tue, Nov 14, 2017 at 10:37 AM, Corentin Dupont <
>>> > corentin.dupont at gmail.com> wrote:
>>> >
>>> >> Thanks, actually I saw it but I didn't understand where this bit came
>>> >> from: aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==
>>> >>
>>> >> On Tue, Nov 14, 2017 at 1:20 PM, Pedro Igor Silva <psilva at redhat.com>
>>> >> wrote:
>>> >>
>>> >>> The problem here is that you got an access token (that you are using as
>>> >>> a bearer to access Protection API) using resource owner password grant type
>>> >>> (direct grant). That means the subject of the token is a user (username)
>>> >>> and not the resource server itself.
>>> >>>
>>> >>> Only resource servers (your client application) are allowed to access
>>> >>> the Protection API (and managed resources).
>>> >>>
>>> >>> The access token you got is valid to query for permissions though, as
>>> >>> you want to obtain a set of permissions a user has, where the token
>>> >>> represents the user identity.
>>> >>>
>>> >>> You should fix that error by obtaining an access token for your client.
>>> >>> Something like that (from docs):
>>> >>>
>>> >>> curl -X POST \
>>> >>>     -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
>>> >>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>> >>>     -d 'grant_type=client_credentials' \
>>> >>>     "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
>>> >>>
>>> >>>
>>> >>> On Tue, Nov 14, 2017 at 7:47 AM, Corentin Dupont <
>>> >>> corentin.dupont at gmail.com> wrote:
>>> >>>
>>> >>>> Thanks for the documentation, after reading it I found that I can use
>>> >>>> "entitlement" endpoints for my use case.
>>> >>>> So I do:
>>> >>>>
>>> >>>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>> >>>>   -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
>>> >>>>   "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
>>> >>>>   | jq .access_token -r`
>>> >>>>
>>> >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>> >>>>     "permissions" : [
>>> >>>>         {
>>> >>>>             "resource_set_name" : "Houses",
>>> >>>>             "scopes" : [
>>> >>>>                 "view"
>>> >>>>             ]
>>> >>>>         }
>>> >>>>     ]
>>> >>>> }' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"
>>> >>>>
>>> >>>> Is this correct? It seems to be working.
>>> >>>> I am not sure how can I get/create resources via the API.
>>> >>>> I tried:
>>> >>>>
>>> >>>> curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Authorization: Bearer $TOKEN"
>>> >>>> But I get:
>>> >>>> {"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <
>>> >>>> corentin.dupont at gmail.com> wrote:
>>> >>>>
>>> >>>>> Hi again,
>>> >>>>> I looked everywhere but I couldn't find an Evaluation API for
>>> >>>>> javascript...
>>> >>>>> In my nodeJS server, should I call UMA API endpoints?
>>> >>>>>
>>> >>>>> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
>>> >>>>> wrote:
>>> >>>>>
>>> >>>>>> Hi,
>>> >>>>>>
>>> >>>>>> It seems you are looking for fine-grained permissions. Could you take
>>> >>>>>> a look at this example [1] and documentation [2]?
>>> >>>>>>
>>> >>>>>> One of the things shown by that example is how to protect resources
>>> >>>>>> based on their owner.
>>> >>>>>>
>>> >>>>>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>>> >>>>>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>> >>>>>>
>>> >>>>>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>>> >>>>>> corentin.dupont at gmail.com> wrote:
>>> >>>>>>
>>> >>>>>>> Hi guys,
>>> >>>>>>> another small question :)
>>> >>>>>>>
>>> >>>>>>> Suppose you have an API looking like this:
>>> >>>>>>> http://www.example.com/api/v1/cars
>>> >>>>>>>
>>> >>>>>>> Cars have an owner:
>>> >>>>>>> {
>>> >>>>>>>   name: "my car",
>>> >>>>>>>   owner: "smith"
>>> >>>>>>> }
>>> >>>>>>>
>>> >>>>>>> How to make sure that you can only get cars that are yours (you can
>>> >>>>>>> have several cars)?
>>> >>>>>>> If you make a simple GET on this endpoint, should I:
>>> >>>>>>> 1. just reply with "Access denied" because the request is too large:
>>> >>>>>>> it could yield cars that are not yours,
>>> >>>>>>> 2. reply with "Access denied" if the response list contains some
>>> >>>>>>> cars that are not yours,
>>> >>>>>>> 3. filter the response car list with only yours?
>>> >>>>>>>
>>> >>>>>>> It seems that 1. is the simplest because it uses only the request to
>>> >>>>>>> make decisions.
>>> >>>>>>> 2. uses the response to make a decision, while 3. requires the
>>> >>>>>>> collaboration of the response handler in my API server, in order to
>>> >>>>>>> implement the filtering.
>>> >>>>>>> What is the most standard way?
>>> >>>>>>>
>>> >>>>>>> I have also some trouble understanding how to implement that with
>>> >>>>>>> Keycloak protect in NodeJS.
>>> >>>>>>> Cheers!!
>>> >>>>>>> Corentin
>>> >>>>>>> _______________________________________________
>>> >>>>>>> keycloak-user mailing list
>>> >>>>>>> keycloak-user at lists.jboss.org
>>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
-- 

matthew helmke

technical writer, product documentation

CUSTOMER content services

mhelmke at redhat.com  T: +1-319-333-9638  irc:: mhelmke
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
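Added example, not code from the thread or from Keycloak itself: Pedro's two ways of presenting client credentials to the token endpoint, built as request objects in Node.js, a decoder showing that the Basic value Corentin asked about is just base64 of client_id:client_secret, and a check of which kind of subject a decoded token carries. Realm, client id and secret are placeholders; the `service-account-<clientId>` username and the `azp` claim are Keycloak conventions assumed here.

```javascript
// Added example, not code from the thread or from Keycloak. Realm, client id
// and secret below are placeholders; only the Basic value is the one quoted above.
const BASE_URL = 'http://localhost:8080/auth';

// HTTP Basic is just base64("client_id:client_secret"); this is what produces
// the "aGVsbG8t..." string that Corentin asked about.
function basicHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

function decodeBasicHeader(value) {
  const [scheme, encoded] = value.split(' ');
  if (scheme !== 'Basic' || !encoded) throw new Error('not a Basic Authorization header');
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the first ':' only; a secret may contain ':'
  if (i < 0) throw new Error('malformed Basic credentials');
  return { clientId: decoded.slice(0, i), clientSecret: decoded.slice(i + 1) };
}

// Build the client_credentials request either way Pedro showed it: client
// credentials in a Basic header, or as client_id/client_secret form fields.
function clientCredentialsRequest(realm, clientId, clientSecret, { useBasic = false } = {}) {
  const url = `${BASE_URL}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const form = new URLSearchParams({ grant_type: 'client_credentials' });
  if (useBasic) {
    headers.Authorization = basicHeader(clientId, clientSecret);
  } else {
    form.set('client_id', clientId);
    form.set('client_secret', clientSecret);
  }
  return { method: 'POST', url, headers, body: form.toString() };
}

// Read the claims of an access token without verifying it (inspection only;
// the resource server must still validate the signature before trusting it).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// A client_credentials token represents the client's service account, which
// Keycloak names "service-account-<clientId>" (assumed convention). A password
// grant token represents a human user, which is why the Protection API rejected it.
function isServiceAccountToken(payload, clientId) {
  return payload.azp === clientId && payload.preferred_username === `service-account-${clientId}`;
}
```

Decoding the token you are about to send as a bearer, and checking its subject kind, is a quick way to tell a Protection API call (needs the service account) from an entitlement query (a user token is fine) before the server answers with invalid_clientId.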

