[keycloak-user] Questions about Keycloak UMA 2.0 implementation
José Luis Colomer Martorell
jose.colomer.martorell at tecsisa.com
Thu Jul 12 02:41:20 EDT 2018
Hello, just to clarify the last question written by Francisco: I'm also having problems when upgrading the RPT when the requested resource
is not authorized for the user.
This is my current setup:
Users:
Just one user: foouser
Resources:
- foo-resource
- bar-resource
Policies:
- foouser-policy: this policy grants access only to foouser.
Permissions:
- fooresource-foouser-permission: this permission associates the
resource "foo-resource" with the policy "foouser-policy".
I obtained the following valid RPT:
{
  "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
  "exp": 1531411894,
  "nbf": 0,
  "iat": 1531375932,
  "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
  "aud": "demo-upgrade-rpt",
  "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
  "typ": "Bearer",
  "azp": "auth-demo-webapp",
  "auth_time": 0,
  "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
        "rsname": "foouser-resource"
      }
    ]
  },
  "scope": "profile email",
  "email_verified": false,
  "groups": [],
  "preferred_username": "foouser"
}
And I tried to upgrade it using a ticket for an unauthorized resource
(bar-resource):
{
  "resources": [
    {
      "id": "c73c3133-b987-4d1f-8195-544735d75433",
      "scopes": []
    }
  ],
  "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
  "exp": 1531411717,
  "nbf": 0,
  "iat": 1531375717,
  "aud": "demo-upgrade-rpt",
  "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
  "azp": "demo-upgrade-rpt"
}
Keycloak returns a 200 OK response including "upgraded": true in the body.
I was expecting a 403 Forbidden response; it seems Keycloak just assesses the
RPT's permissions, ignoring the ticket's. Is this correct?
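Added example (not part of the original message, and not Keycloak's own code): the check a resource server can run on its side regardless of how the token endpoint answers, comparing the resources and scopes named in the permission ticket against the `authorization.permissions` claim of the RPT that came back. The claim values are copied from the two tokens posted above and embedded as constructed sample input; `decode_jwt_payload` only inspects claims and does not verify the signature, so in a real deployment the RPT must first be validated against the realm's keys. Treating an RPT permission that lists no scopes as a grant on the whole resource is an assumption made here, not something this thread establishes.

```python
import base64
import json

# Constructed sample input: the relevant claims of the RPT and the permission
# ticket from the message above (identifiers copied verbatim).
RPT_CLAIMS = {
    "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
    "azp": "auth-demo-webapp",
    "authorization": {
        "permissions": [
            {"rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
             "rsname": "foouser-resource"}
        ]
    },
    "preferred_username": "foouser",
}
TICKET_CLAIMS = {
    "resources": [
        {"id": "c73c3133-b987-4d1f-8195-544735d75433", "scopes": []}
    ],
    "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
    "azp": "demo-upgrade-rpt",
}


def decode_jwt_payload(token):
    """Return the claims of a compact JWT as a dict.

    Inspection only: this does NOT check the signature, expiry or audience.
    Verify the token against the realm's JWKS before acting on any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def encode_unsecured_jwt(claims):
    """Build an alg=none token for offline demonstration only (constructed input).

    Such a token must never be accepted from a peer; it exists here so the
    decoder above has something realistic to parse without a live Keycloak.
    """
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def granted_permissions(rpt_claims):
    """Map resource id -> set of scopes the RPT grants on it."""
    perms = rpt_claims.get("authorization", {}).get("permissions", [])
    return {p["rsid"]: set(p.get("scopes", [])) for p in perms}


def requested_permissions(ticket_claims):
    """Map resource id -> set of scopes the permission ticket asks for."""
    return {r["id"]: set(r.get("scopes", []))
            for r in ticket_claims.get("resources", [])}


def uncovered_requests(rpt_claims, ticket_claims):
    """Return {resource_id: missing_scopes} for each ticket entry the RPT fails to cover.

    A resource absent from the RPT is reported with the full set of requested
    scopes. Assumption (not confirmed by the thread): an RPT permission that
    lists no scopes is treated as a grant on the whole resource.
    """
    granted = granted_permissions(rpt_claims)
    missing = {}
    for rsid, wanted in requested_permissions(ticket_claims).items():
        if rsid not in granted:
            missing[rsid] = set(wanted)
            continue
        held = granted[rsid]
        lacking = wanted - held
        if held and lacking:
            missing[rsid] = lacking
    return missing


def rpt_covers_ticket(rpt_claims, ticket_claims):
    """True only if every resource/scope in the ticket is present in the RPT."""
    return not uncovered_requests(rpt_claims, ticket_claims)


if __name__ == "__main__":
    rpt = decode_jwt_payload(encode_unsecured_jwt(RPT_CLAIMS))
    ticket = decode_jwt_payload(encode_unsecured_jwt(TICKET_CLAIMS))
    # The RPT above only names foo's resource id, so the bar-resource ticket
    # is reported as uncovered whatever the token endpoint's response body said.
    print("uncovered:", uncovered_requests(rpt, ticket))
    print("covers ticket:", rpt_covers_ticket(rpt, ticket))
```

The point of the check is that "upgraded": true in the token response body is not the authorization decision; the `authorization.permissions` claim of the returned RPT is. A resource server that gates access on the claim rather than on the response status will deny the bar-resource request whichever way the endpoint behaves.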