[keycloak-user] NPE when requesting authorization

Corentin Dupont corentin.dupont at gmail.com
Wed Jul 4 09:09:40 EDT 2018


Yes, exactly.

On Wed, Jul 4, 2018 at 3:08 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Actually, the permissions you got were related with "scope:view". Could
> you confirm?
>
> On Wed, Jul 4, 2018 at 9:55 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Yes it should. Will check this out.
>>
>>
>> On Wed, Jul 4, 2018 at 9:31 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> I have another weird behavior (with github HEAD).
>>> When requesting a permission on a non existing resource, I still get a
>>> token.
>>> This token contains all the permissions.
>>> Is it correct? Shouldn't it be 404 or something?
>>>
>>>
>>> $ USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>>     -d 'username=xx&password=xx&grant_type=password&client_id=api-server&client_secret=xxx' \
>>>     "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" \
>>>     | jq .access_token -r`
>>>
>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>     -H "Authorization: Bearer $USERTOKEN" \
>>>     -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not_exist#sensors:view"
>>>
>>> {"upgraded":false,"access_token":"eyJhbGciOiJSUzI......
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Jul 3, 2018 at 5:00 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> It should be fixed now in master and available in next release.
>>>> https://github.com/keycloak/keycloak/pull/5346.
>>>>
>>>> Thanks!
>>>>
>>>> On Tue, Jul 3, 2018 at 10:39 AM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Yes, I see that this error happens when the resource does not exist.
>>>>> However, with my user "guest", it happens all the time, even when the
>>>>> resource does exist...
>>>>>
>>>>> On Tue, Jul 3, 2018 at 2:15 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> OK. Found the issue. Will fix it. Problem is that Sensortest does not
>>>>>> exist and the program enters a state where a resource-less permission causes
>>>>>> that error.
>>>>>>
>>>>>> On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont <
>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>> I got this error when requesting authorization on a resource:
>>>>>>>
>>>>>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>>>>>     -H "Authorization: Bearer $USERTOKEN" \
>>>>>>>     -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=Sensortest#sensors:view"
>>>>>>>
>>>>>>> {"error":"server_error","error_description":"Unexpected error while evaluating permissions"}
>>>>>>>
>>>>>>> On the server side I get:
>>>>>>>
>>>>>>> 12:42:11,821 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-16) Unexpected error while evaluating permissions: java.lang.NullPointerException
>>>>>>>   at org.keycloak.authorization.util.Permissions.permits(Permissions.java:194)
>>>>>>>   at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:173)
>>>>>>>   at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124)
>>>>>>>   at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
>>>>>>>   at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
>>>>>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>
>>>>>>>
>>>>>>> I got my token this way:
>>>>>>> USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
>>>>>>>     -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=xxx' \
>>>>>>>     "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" \
>>>>>>>     | jq .access_token -r`
>>>>>>>
>>>>>>> This seems to happen for scope-based policies.
>>>>>>>
>>>>>>> Cheers
>>>>>>> Corentin
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
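The behaviour Corentin reports above (an RPT that still carries every permission when the `permission` parameter names a resource that does not exist) is the kind of thing a resource server should check for on its side rather than trust blindly. The following is an added example, not code from the thread or from Keycloak: it parses the `permission` request parameter in the `resource#scope` form used in the curl calls, reads the `authorization.permissions` claim of an RPT (the `rsid`/`rsname`/`scopes` shape Keycloak emits), and reports which granted pairs were never requested. The token is constructed inline with a placeholder signature, so signature verification is deliberately out of scope here; a real resource server must verify the RS256 signature against the realm key before reading any claim.

```python
import base64
import json

# Constructed sample only: this mimics the `authorization.permissions`
# claim of a Keycloak RPT for the two resources discussed in the thread.
# The rsid values are made-up placeholders.
_SAMPLE_PERMISSIONS = [
    {"rsid": "11111111-1111-1111-1111-111111111111", "rsname": "Sensortest",
     "scopes": ["sensors:view"]},
    {"rsid": "22222222-2222-2222-2222-222222222222", "rsname": "Sensor2",
     "scopes": ["sensors:view", "sensors:update"]},
]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_rpt() -> str:
    """Build a constructed, RPT-shaped token. The signature segment is a
    placeholder; nothing in this example verifies it."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "aud": "api-server",
        "preferred_username": "guest",
        "authorization": {"permissions": _SAMPLE_PERMISSIONS},
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",  # constructed, not a real signature
    ])


def parse_permission(spec: str):
    """Split a `permission` parameter of the form `resource#scope` into
    (resource, scope). Either side may be absent: "resource" or "#scope"."""
    resource, _, scope = spec.partition("#")
    return (resource or None, scope or None)


def granted_pairs(token: str):
    """Flatten authorization.permissions into (rsname, scope) pairs.
    Claims are read without signature verification (see lead-in)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = json.loads(_b64url_decode(parts[1]))
    pairs = []
    for perm in payload.get("authorization", {}).get("permissions", []):
        for scope in perm.get("scopes", []):
            pairs.append((perm.get("rsname"), scope))
    return pairs


def _matches(wanted, granted) -> bool:
    (w_res, w_scope), (g_res, g_scope) = wanted, granted
    return (w_res is None or w_res == g_res) and (w_scope is None or w_scope == g_scope)


def permits(token: str, spec: str) -> bool:
    """True if the token grants the requested resource#scope."""
    wanted = parse_permission(spec)
    return any(_matches(wanted, g) for g in granted_pairs(token))


def granted_beyond_request(token: str, requested_specs):
    """Return (rsname, scope) pairs present in the token that were not
    requested. A non-empty result for a request naming an unknown
    resource is exactly the symptom reported in the thread."""
    wanted = [parse_permission(s) for s in requested_specs]
    return [g for g in granted_pairs(token)
            if not any(_matches(w, g) for w in wanted)]


if __name__ == "__main__":
    rpt = build_sample_rpt()
    print("Sensortest#sensors:view granted:", permits(rpt, "Sensortest#sensors:view"))
    print("extra grants for not_exist#sensors:view:",
          granted_beyond_request(rpt, ["not_exist#sensors:view"]))
```

In practice the resource server would call `granted_beyond_request` with the permissions it actually asked the token endpoint for, and treat a non-empty result (or a token returned for an unknown resource at all) as a reason to reject the RPT and log the event rather than honour the broader grant.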

