[keycloak-user] Retrieve all permissions

Pedro Igor Silva psilva at redhat.com
Tue Jul 10 11:32:58 EDT 2018


On Tue, Jul 10, 2018 at 10:31 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:

> Hi guys,
> I noticed a couple of strange things when retrieving all the permissions.
> I tried:
>
> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-
> connect/token -H "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&
> audience=api-server"
> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
>     "permissions": [
> ...
>
> But it seems that this command returns only the permissions for the
> resources belonging to the client, excluding resources belonging to other
> users?
>

When obtaining all entitlements for a user, only resources owned by the
resource server, by the user and shares (via ticket or via account service)
are processed.


> To get an assessment of all resources, I tried adding a scope:
>
> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-
> connect/token -H "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&
> audience=api-server&permission=#sensors:view"
> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
>     "permissions": [
>         {
>         "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>         "rsname": "foo"
>
> This instead returns a list of resources belonging to all users.
> But the list seems to be wrong: it returns sensors to which I *don't* have
> access!
> If I try the request on the specific resource, it returns (rightfully)
> access_denied:
>

I tried to do a simple test based on a previous realm configuration you
sent. Could not reproduce the problem.


>
> curl -X POST
> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&
> audience=api-server&permission=
> 9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
> {"error":"access_denied","error_description":"not_authorized"}
>
> Another strange thing, if I try with a non-existent resource ID, there is
> no error message and it returns a list of permissions:
>
> $ curl -X POST
> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $USERTOKEN" -d
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&
> audience=api-server&permission=not-exist#sensors:view"
> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
>     "permissions": [
>         {
>         "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>         "rsname": "foo"
> ...
>

I think you reported this already. Here is the PR
https://github.com/keycloak/keycloak/pull/5357.


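Added example, written for this archive page and not code from either poster or from Keycloak: a small Python helper that builds the uma-ticket grant body Corentin is sending (including the `permission=<rsid>#<scope>` parameter) and decodes the RPT's `authorization.permissions` claim the way the `cut | base64 -d | jq` pipeline does, but with the base64url padding that `base64 -d` needs, then checks one resource/scope pair. The sample RPT is constructed, and the `scopes` key on each permission entry is an assumption.

```python
import base64
import json
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
SENSOR_RSID = "9e24320d-ef89-440b-b6d5-d7b5a4896f60"  # resource id from the thread

def uma_token_request_body(audience, permissions=()):
    """Form body for Keycloak's token endpoint using the UMA ticket grant.

    permissions: (rsid, scope) pairs rendered as permission=<rsid>#<scope>;
    rsid may be "" for "any resource with this scope". No pairs means
    "all entitlements of the requesting party for this audience".
    """
    params = [("grant_type", UMA_GRANT), ("audience", audience)]
    for rsid, scope in permissions:
        params.append(("permission", f"{rsid}#{scope}" if scope else rsid))
    return urlencode(params)  # ':' and '#' are percent-encoded

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def rpt_permissions(rpt):
    """authorization.permissions from the RPT payload. Decode only: a resource
    server must verify signature, issuer, audience and expiry before trusting it."""
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    return payload.get("authorization", {}).get("permissions", [])

def is_granted(rpt, rsid, scope=None):
    """True if the RPT lists rsid and, when given, that scope on it.
    Assumes each entry carries a "scopes" list alongside rsid/rsname."""
    for perm in rpt_permissions(rpt):
        if perm.get("rsid") == rsid and (scope is None or scope in perm.get("scopes", [])):
            return True
    return False

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample RPT: header and payload only, with a placeholder signature.
SAMPLE_RPT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"aud": "api-server", "authorization": {"permissions": [
        {"rsid": SENSOR_RSID, "rsname": "foo", "scopes": ["sensors:view"]}]}}).encode()),
    "placeholder-signature",
])
```

Note that an RPT listing a resource is only meaningful once the resource server has verified the token; the decoded claim alone is what the thread's pipeline shows, not an authorization decision.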

