[keycloak-user] Questions about Keycloak UMA 2.0 implementation
Pedro Igor Silva
psilva at redhat.com
Thu Jul 12 14:08:19 EDT 2018
Created https://issues.jboss.org/browse/KEYCLOAK-7849.
On Thu, Jul 12, 2018 at 12:02 PM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:
> Yes, I think so :) That behavior would be awesome.
>
> 2018-07-12 15:29 GMT+02:00 Pedro Igor Silva <psilva at redhat.com>:
>
> > I've replied to the original thread. Does it work for you ?
> >
> > On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:
> >
> >> Hello, just to clarify the last question written by Francisco,
> >>
> >> I'm also having problems when upgrading the RPT when the requested
> >> resource is not authorized to the user.
> >>
> >> This is my current setup:
> >>
> >> Users:
> >>
> >> Just one user: foouser
> >>
> >> Resources:
> >>
> >> - foo-resource
> >> - bar-resource
> >>
> >> Policies:
> >>
> >> - foouser-policy: this policy grants access for only foouser.
> >>
> >> Permissions:
> >>
> >> - fooresource-foouser-permission: this permission associates the
> >>   resource "foo-resource" with the policy "foouser-policy"
> >>
> >> I obtained the following valid RPT:
> >>
> >> > {
> >> >   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
> >> >   "exp": 1531411894,
> >> >   "nbf": 0,
> >> >   "iat": 1531375932,
> >> >   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
> >> >   "aud": "demo-upgrade-rpt",
> >> >   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
> >> >   "typ": "Bearer",
> >> >   "azp": "auth-demo-webapp",
> >> >   "auth_time": 0,
> >> >   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
> >> >   "acr": "1",
> >> >   "allowed-origins": [],
> >> >   "realm_access": {
> >> >     "roles": [
> >> >       "offline_access",
> >> >       "uma_authorization"
> >> >     ]
> >> >   },
> >> >   "resource_access": {
> >> >     "account": {
> >> >       "roles": [
> >> >         "manage-account",
> >> >         "view-profile"
> >> >       ]
> >> >     }
> >> >   },
> >> >   "authorization": {
> >> >     "permissions": [
> >> >       {
> >> >         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
> >> >         "rsname": "foouser-resource"
> >> >       }
> >> >     ]
> >> >   },
> >> >   "scope": "profile email",
> >> >   "email_verified": false,
> >> >   "groups": [],
> >> >   "preferred_username": "foouser"
> >> > }
> >>
> >> And I tried to upgrade it using a ticket for an unauthorized resource
> >> (bar-resource):
> >>
> >> > {
> >> >   "resources": [
> >> >     {
> >> >       "id": "c73c3133-b987-4d1f-8195-544735d75433",
> >> >       "scopes": []
> >> >     }
> >> >   ],
> >> >   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
> >> >   "exp": 1531411717,
> >> >   "nbf": 0,
> >> >   "iat": 1531375717,
> >> >   "aud": "demo-upgrade-rpt",
> >> >   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
> >> >   "azp": "demo-upgrade-rpt"
> >> > }
> >>
> >> Keycloak returns a 200 OK response including "upgraded": true in the
> >> body. I was expecting a 403 Forbidden response; it seems Keycloak just
> >> assesses the RPT's permissions, ignoring the ticket's. Is this correct?
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
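Whatever the "upgraded" flag says, a resource server should decide from the permissions actually present in the RPT it receives. The following is an added example (not code from this thread or from Keycloak) that performs that check over the decoded claims; it assumes the JWT signature has already been verified against the realm key, and uses the ids quoted above as constructed sample data.

```python
import time

# Constructed sample: the RPT claims quoted in the thread, abridged to the
# fields the check needs (the ids are the ones quoted in the thread).
RPT_CLAIMS = {
    "exp": 1531411894,
    "aud": "demo-upgrade-rpt",
    "authorization": {
        "permissions": [
            {"rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
             "rsname": "foouser-resource"},
        ]
    },
}

# Constructed: resource id from the permission ticket for bar-resource.
BAR_RESOURCE_ID = "c73c3133-b987-4d1f-8195-544735d75433"


def rpt_grants(claims, resource_id, scope=None, audience=None, now=None):
    """True only if the RPT's own 'authorization.permissions' claim covers
    resource_id (and scope, when given).

    'claims' is the decoded payload of an RPT whose signature has already
    been verified against the realm key (assumed done by the caller). The
    token endpoint's "upgraded" flag is deliberately not an input: only the
    permissions embedded in the returned RPT decide. A permission entry with
    no 'scopes' list is treated as a resource-level grant covering every
    scope (assumption about how resource-based permissions are encoded).
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False            # expired or missing expiry: never grant
    if audience is not None:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if audience not in auds:
            return False        # RPT issued for a different resource server
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsid") != resource_id:
            continue
        scopes = perm.get("scopes")
        if scope is None or scopes is None or scope in scopes:
            return True
    return False                # requested resource is not in the RPT
```

For the case in the thread, `rpt_grants(RPT_CLAIMS, BAR_RESOURCE_ID)` is false even though the upgrade call answered 200 with "upgraded": true, so the resource server still denies bar-resource.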