[keycloak-user] Questions about Keycloak UMA 2.0 implementation
José Luis Colomer Martorell
jose.colomer.martorell at tecsisa.com
Thu Jul 12 11:02:49 EDT 2018
Yes, I think so :) That behavior would be awesome.
2018-07-12 15:29 GMT+02:00 Pedro Igor Silva <psilva at redhat.com>:
> I've replied to the original thread. Does it work for you ?
>
> On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <
> jose.colomer.martorell at tecsisa.com> wrote:
>
>> Hello just to clarify the last question written by Francisco,
>>
>> i'm also having problems when upgrading the RPT when the requested
>> resource
>> is not authorized to the user.
>>
>>
>> This is my current setup:
>>
>> Users:
>>
>> Just one user: foouser
>>
>> Resources:
>>
>> - foo-resource
>> - bar-resource
>>
>> Policies:
>>
>> - foouser-policy: this policy grants access for only foouser.
>>
>>
>> Permissions:
>>
>> - fooresource-foouser-permission: this permission associates the
>>
>> resource "foo-resource" with the policy "foouser-policy"
>>
>>
>> I obtained the following valid RPT
>>
>> {
>> >
>> > "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
>> >
>> > "exp": 1531411894,
>> >
>> > "nbf": 0,
>> >
>> > "iat": 1531375932,
>> >
>> > "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>> >
>> > "aud": "demo-upgrade-rpt",
>> >
>> > "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
>> >
>> > "typ": "Bearer",
>> >
>> > "azp": "auth-demo-webapp",
>> >
>> > "auth_time": 0,
>> >
>> > "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
>> >
>> > "acr": "1",
>> >
>> > "allowed-origins": [],
>> >
>> > "realm_access": {
>> >
>> > "roles": [
>> >
>> > "offline_access",
>> >
>> > "uma_authorization"
>> >
>> > ]
>> >
>> > },
>> >
>> > "resource_access": {
>> >
>> > "account": {
>> >
>> > "roles": [
>> >
>> > "manage-account",
>> >
>> > "view-profile"
>> >
>> > ]
>> >
>> > }
>> >
>> > },
>> >
>> > "authorization": {
>> >
>> > "permissions": [
>> >
>> > {
>> >
>> > "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
>> >
>> > "rsname": "foouser-resource"
>> >
>> > }
>> >
>> > ]
>> >
>> > },
>> >
>> > "scope": "profile email",
>> >
>> > "email_verified": false,
>> >
>> > "groups": [],
>> >
>> > "preferred_username": "foouser"
>> >
>> > }
>> >
>> >
>> And I tried to upgrade it using a ticket for an unauthorized resource
>> (bar-resource)
>>
>> {
>> >
>> > "resources": [
>> >
>> > {
>> >
>> > "id": "c73c3133-b987-4d1f-8195-544735d75433",
>> >
>> > "scopes": []
>> >
>> > }
>> >
>> > ],
>> >
>> > "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
>> >
>> > "exp": 1531411717,
>> >
>> > "nbf": 0,
>> >
>> > "iat": 1531375717,
>> >
>> > "aud": "demo-upgrade-rpt",
>> >
>> > "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
>> >
>> > "azp": "demo-upgrade-rpt"
>> >
>> > }
>> >
>> >
>>
>> Keycloak returns a 200 OK response including "upgraded": true in the
>> body.
>> I was expecting a 403 forbidden response, it seems Keycloak just assess
>> the
>> RPT's permissions, ignoring the ticket ones. Is this correct?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
More information about the keycloak-user
mailing list