[keycloak-user] Questions about Keycloak UMA 2.0 implementation

Francisco José Bermejo Herrera francisco.bermejo.herrera at tecsisa.com
Fri Jul 13 04:17:29 EDT 2018 

If Keycloak behavior is changed according to your proposal described in 
your previous message, then there shouldn't be any problem with authz 
requests in our model.

It is true that the scopes described in our example are a bit 
misleading. Think about something like READ and READ-PREMIUM instead, 
used at a GET endpoint, and the Resource Server just checks whether one 
of these scopes is contained in the RPT, returning a ticket with READ 
and READ-PREMIUM when none of them has been provided. When the Client 
requests the new RPT by using the ticket, Keycloak would return a RPT 
including either READ or READ-PREMIUM, or 403 Forbidden.

As I said before, this is perfectly aligned with the new Keycloak 
behavior.

On jue, jul 12, 2018 at 7:35 , Pedro Igor Silva <psilva at redhat.com> 
wrote:
> 
> 
> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera 
> <francisco.bermejo.herrera at tecsisa.com> wrote:
>> Hello, we are testing Keycloak 4.1.0.Final for authentication and
>> authorization (UMA 2.0 flow).
>> 
>> Some assumptions:
>> 
>>    - The Resource Server owns the resource Foo, and protects it by 
>> using
>>    two scope-based permissions, one requiring READ scope, and the 
>> other one
>>    requiring WRITE scope.
>>    - User Alice has been granted READ scope for resource Foo.
>>    - We are not using Policy Enforcers. Enforcement will be 
>> implemented at
>>    the Resource Server.
>> 
>> We are modeling the following flow:
>> 
>>    1. The Requesting Party (Alice) requests access to resource Foo 
>> in the
>>    Resource Server. This request DOES NOT provide an RPT.
>>    2. The Resource Server detects the absence of RPT, so it requests 
>> a
>>    Permission Ticket to Keycloak, for the Foo resource and both READ 
>> and WRITE
>>    scopes (providing a valid PAT).
>>    3. Keycloak returns a valid Permission Ticket to the Resource 
>> Server.
>>    4. The Resource Server returns the Permission Ticket (including 
>> Keycloak
>>    token URI 
>> (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token)
>>    at WWW-Authorization header) with status code 401 to the 
>> Requesting Party.
>>    5. The Requesting Party sends the Permission Ticket (for the Foo
>>    resource and both READ and WRITE scopes) to Keycloak, in order to 
>> get a
>>    valid RPT.
>> 
>> Here is where things start to get confusing. We expected that 
>> Keycloak
>> would reject the authorization request due to failed permission 
>> evaluation
>> (Alice has READ scope for resource Foo, but DOES NOT have WRITE 
>> scope).
>> Nevertheless, Keycloak returns a valid RPT, granting permission for
>> resource Foo (just for READ scope).
>> 
>> We are aware that this behavior is UMA 2.0 compliant
>> <https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-21.html#rfc.section.3.6.4>
>> :
>> 
>> > If the value is non-null and CandidateGrantedScopes < 
>> RequestedScopes, the
>> > authorization server MUST subsequently issue either an RPT 
>> containing
>> > CandidateGrantedScopes (upgrading as appropriate; see below), or 
>> one of the
>> > error codes. The reason for the two options is that granting only 
>> partial
>> > scopes may not be useful for the client's and requesting party's 
>> purposes
>> > in seeking authorization for access.
>> 
>> 
>> But as the RFC explicitly points out, this behavior may not be 
>> useful for
>> the client. We think that the RFC is right, because this renders the 
>> client
>> unable to tell whether the authorization has been partially or 
>> completely
>> fulfilled. And consequently the Resource Server will request again a
>> Permission Ticket for the Foo resource and both READ and WRITE 
>> scopes, so
>> the whole flow will be repeated over and over again. If this is 
>> Keycloak
>> expected behavior, how can we avoid the infinite loops?
> 
> For this particular case, each scope is associated with a specific 
> HTTP method ? Can't you obtain tickets accordingly including only the 
> scopes you need ?
> 
> As you noticed, by default, Keycloak issues a RPT for any 
> resource/scope you sent along with an authorization request. Resource 
> servers (or clients sending authz requests directly without ticket) 
> should be able to ask only for specific resources/scopes.
> 
>> 
>> Another question is, when providing a valid RPT along with a 
>> Permission
>> Ticket, why Keycloak deems an RPT as upgraded = true even when the
>> requested resource has not been authorized? It returns the same RPT 
>> with
>> just jti, exp and iat updated. Since we think that the Authorization 
>> Server
>> must be the one stopping the UMA flow, should not Keycloak return a 
>> 403
>> Forbidden instead? Is this behavior configurable in any way?
>> 
>> Thank you in advance!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list