[keycloak-user] Questions about Keycloak UMA 2.0 implementation

José Luis Colomer Martorell jose.colomer.martorell at tecsisa.com
Thu Jul 12 02:41:20 EDT 2018


Hello, just to clarify the last question written by Francisco,

I'm also having problems when upgrading the RPT when the requested resource
is not authorized to the user.


This is my current setup:

Users:

Just one user: foouser

Resources:

   - foo-resource
   - bar-resource

Policies:

   - foouser-policy: this policy grants access for only foouser.


Permissions:

   - fooresource-foouser-permission: this permission associates the
   resource "foo-resource" with the policy "foouser-policy"


I obtained the following valid RPT

{
  "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
  "exp": 1531411894,
  "nbf": 0,
  "iat": 1531375932,
  "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
  "aud": "demo-upgrade-rpt",
  "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
  "typ": "Bearer",
  "azp": "auth-demo-webapp",
  "auth_time": 0,
  "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
        "rsname": "foouser-resource"
      }
    ]
  },
  "scope": "profile email",
  "email_verified": false,
  "groups": [],
  "preferred_username": "foouser"
}

And I tried to upgrade it using a ticket for an unauthorized resource
(bar-resource)

{
  "resources": [
    {
      "id": "c73c3133-b987-4d1f-8195-544735d75433",
      "scopes": []
    }
  ],
  "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
  "exp": 1531411717,
  "nbf": 0,
  "iat": 1531375717,
  "aud": "demo-upgrade-rpt",
  "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
  "azp": "demo-upgrade-rpt"
}

Keycloak returns a 200 OK response including "upgraded": true in the body.
I was expecting a 403 Forbidden response; it seems Keycloak just assesses the
RPT's permissions, ignoring the ticket ones. Is this correct?
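Whatever the server's intended behaviour, a client should not treat a 200 OK or an `"upgraded": true` flag as proof that the resource named in the permission ticket is now granted; the authoritative statement is the `authorization.permissions` claim inside the returned RPT. The following Python is an added example, not code from the original post or from Keycloak: it decodes the RPT payload (without signature verification, so it is only for inspecting a token the client just received from the authorization server) and compares it against the ticket's `resources` claim. The sample claims are constructed from the two tokens quoted above; the rule that a permission entry without `scopes` grants the whole resource is an assumption of the check, as is the shape of the token response (`access_token` plus `upgraded`).

```python
import base64
import json

# Constructed sample claims, copied from the RPT and permission ticket quoted in the post
# (only the claims the check needs are kept).
RPT_CLAIMS = {
    "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
    "aud": "demo-upgrade-rpt",
    "authorization": {
        "permissions": [
            {"rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d", "rsname": "foouser-resource"},
        ]
    },
}
TICKET_CLAIMS = {
    "resources": [{"id": "c73c3133-b987-4d1f-8195-544735d75433", "scopes": []}],
    "aud": "demo-upgrade-rpt",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned (alg "none") JWT so the example runs offline.
    A real RPT is signed by Keycloak; this helper exists only to construct test input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    No signature verification is done here: use only on a token the client itself
    just obtained from the authorization server over TLS, never on caller-supplied input."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def rpt_grants(rpt_claims: dict) -> dict:
    """Map resource id -> set of granted scopes from authorization.permissions.
    Assumption: an entry without "scopes" (as in the post's RPT) grants the whole resource."""
    grants = {}
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        grants[perm["rsid"]] = set(perm.get("scopes", []))
    return grants


def missing_permissions(rpt_claims: dict, ticket_claims: dict) -> list:
    """Return (resource id, scope) pairs requested by the ticket that the RPT does not grant.
    scope is None when the ticket entry asked for the resource without naming scopes."""
    grants = rpt_grants(rpt_claims)
    missing = []
    for res in ticket_claims.get("resources", []):
        rid = res["id"]
        requested = res.get("scopes") or []
        if rid not in grants:
            # resource absent from the RPT: every requested scope (or the bare resource) is missing
            missing.extend((rid, s) for s in (requested or [None]))
            continue
        granted = grants[rid]
        if not granted:  # resource-level grant covers every scope
            continue
        missing.extend((rid, s) for s in requested if s not in granted)
    return missing


def rpt_satisfies_ticket(rpt_claims: dict, ticket_claims: dict) -> bool:
    return not missing_permissions(rpt_claims, ticket_claims)


def check_upgrade_response(token_response: dict, ticket_claims: dict) -> list:
    """Given the JSON body of a UMA token-endpoint response, decide from the returned RPT's
    permissions, not from the "upgraded" flag or the HTTP status, which requested
    permissions are still missing. An empty list means the client may proceed."""
    rpt = decode_jwt_payload(token_response["access_token"])
    return missing_permissions(rpt, ticket_claims)


if __name__ == "__main__":
    # Constructed response shaped like the one described in the post: 200 OK with
    # "upgraded": true, yet the returned RPT still only names foo-resource.
    response = {
        "access_token": encode_unsigned_jwt(RPT_CLAIMS),
        "token_type": "Bearer",
        "upgraded": True,
    }
    print("still missing:", check_upgrade_response(response, TICKET_CLAIMS))
```

Run against the post's tokens, `check_upgrade_response` reports `bar-resource` (id `c73c3133-...`) as still missing even though the response claimed an upgrade, which is exactly the gap the client has to close itself: deny access to `bar-resource` on that basis and, if the behaviour is unexpected, log the ticket's resource ids next to the RPT's `rsid` values so the discrepancy is visible in the audit trail.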

