[keycloak-user] Questions about Keycloak UMA 2.0 implementation

José Luis Colomer Martorell jose.colomer.martorell at tecsisa.com
Thu Jul 12 11:02:49 EDT 2018


Yes, I think so :) That behavior would be awesome.

2018-07-12 15:29 GMT+02:00 Pedro Igor Silva <psilva at redhat.com>:

> I've replied to the original thread. Does it work for you ?
>
> On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <
> jose.colomer.martorell at tecsisa.com> wrote:
>
>> Hello, just to clarify the last question written by Francisco,
>>
>> I'm also having problems when upgrading the RPT when the requested
>> resource is not authorized to the user.
>>
>>
>> This is my current setup:
>>
>> Users:
>>
>> Just one user: foouser
>>
>> Resources:
>>
>>    - foo-resource
>>    - bar-resource
>>
>> Policies:
>>
>>    - foouser-policy: this policy grants access for only foouser.
>>
>>
>> Permissions:
>>
>>    - fooresource-foouser-permission: this permission associates the
>>    resource "foo-resource" with the policy "foouser-policy"
>>
>>
>> I obtained the following valid RPT
>>
>> {
>>   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
>>   "exp": 1531411894,
>>   "nbf": 0,
>>   "iat": 1531375932,
>>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>>   "aud": "demo-upgrade-rpt",
>>   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
>>   "typ": "Bearer",
>>   "azp": "auth-demo-webapp",
>>   "auth_time": 0,
>>   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
>>   "acr": "1",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "offline_access",
>>       "uma_authorization"
>>     ]
>>   },
>>   "resource_access": {
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "authorization": {
>>     "permissions": [
>>       {
>>         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
>>         "rsname": "foouser-resource"
>>       }
>>     ]
>>   },
>>   "scope": "profile email",
>>   "email_verified": false,
>>   "groups": [],
>>   "preferred_username": "foouser"
>> }
>>
>> And I tried to upgrade it using a ticket for an unauthorized resource
>> (bar-resource)
>>
>> {
>>   "resources": [
>>     {
>>       "id": "c73c3133-b987-4d1f-8195-544735d75433",
>>       "scopes": []
>>     }
>>   ],
>>   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
>>   "exp": 1531411717,
>>   "nbf": 0,
>>   "iat": 1531375717,
>>   "aud": "demo-upgrade-rpt",
>>   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
>>   "azp": "demo-upgrade-rpt"
>> }
>>
>>
>> Keycloak returns a 200 OK response including "upgraded": true in the
>> body. I was expecting a 403 Forbidden response; it seems Keycloak just
>> assesses the RPT's permissions, ignoring the ticket ones. Is this correct?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
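The thread's point is that a 200 with `"upgraded": true` says nothing about whether the returned RPT actually grants the resource named in the permission ticket. The check a resource server wants is therefore on the RPT's own `authorization.permissions` claim, not on the upgrade response. The following is an added example written for this page, not code from the thread, from Keycloak or from its adapters. It assumes the RPT and ticket have already been signature-verified and decoded into claim dicts (the sample claims are constructed from the values quoted above), that the resource server's client id is `demo-upgrade-rpt` (the `aud` in both tokens), and that a ticket entry with an empty `scopes` list is satisfied by any permission on that resource.

```python
"""Decide resource access from an RPT's permissions claim rather than from the
upgrade response. Added example; claim dicts are constructed from the thread."""
from typing import Dict, List, Tuple

# Constructed sample: trimmed copy of the decoded RPT quoted in the thread.
RPT_CLAIMS: Dict = {
    "aud": "demo-upgrade-rpt",
    "preferred_username": "foouser",
    "authorization": {
        "permissions": [
            {"rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
             "rsname": "foouser-resource"}
        ]
    },
}

# Constructed sample: the permission ticket for bar-resource quoted in the thread.
TICKET_CLAIMS: Dict = {
    "aud": "demo-upgrade-rpt",
    "resources": [
        {"id": "c73c3133-b987-4d1f-8195-544735d75433", "scopes": []}
    ],
}


def granted_scopes(rpt_claims: Dict) -> Dict[str, set]:
    """Map each resource id (rsid) in the RPT to the set of scopes it grants.
    A permission entry without a 'scopes' key grants the resource with no
    specific scopes, which still satisfies a ticket that asked for none."""
    granted: Dict[str, set] = {}
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        rsid = perm.get("rsid")
        if rsid:
            granted.setdefault(rsid, set()).update(perm.get("scopes", []))
    return granted


def uncovered_resources(rpt_claims: Dict,
                        ticket_claims: Dict) -> List[Tuple[str, List[str]]]:
    """Return (resource id, missing scopes) for every ticket resource the RPT
    does not cover. An empty list means the RPT satisfies the whole ticket."""
    granted = granted_scopes(rpt_claims)
    missing: List[Tuple[str, List[str]]] = []
    for res in ticket_claims.get("resources", []):
        rid = res.get("id")
        wanted = set(res.get("scopes", []))
        if rid not in granted:
            # Resource absent from the RPT: nothing it asked for is granted.
            missing.append((rid, sorted(wanted)))
            continue
        lacking = wanted - granted[rid]
        if lacking:
            missing.append((rid, sorted(lacking)))
    return missing


def audience_ok(claims: Dict, resource_server: str) -> bool:
    """'aud' may be a string or a list; the resource server must be in it."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == resource_server
    return isinstance(aud, list) and resource_server in aud


def decide_access(rpt_claims: Dict, ticket_claims: Dict,
                  resource_server: str) -> bool:
    """Grant only if the RPT is for this resource server and its permissions
    cover every resource/scope the ticket requested. The upgrade endpoint's
    'upgraded': true flag is deliberately not consulted."""
    if not audience_ok(rpt_claims, resource_server):
        return False
    return not uncovered_resources(rpt_claims, ticket_claims)


if __name__ == "__main__":
    # With the thread's tokens the RPT names foo-resource only, so the ticket
    # for bar-resource is not covered and access must be refused.
    print(uncovered_resources(RPT_CLAIMS, TICKET_CLAIMS))
    print(decide_access(RPT_CLAIMS, TICKET_CLAIMS, "demo-upgrade-rpt"))
```

With the thread's values `decide_access` returns `False` even though Keycloak answered the upgrade request with 200 and `"upgraded": true`; the resource server's decision rests on the claim the RPT actually carries. The scope comparison generalises the thread's case (which uses an empty scope list) to tickets that request specific scopes.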

