[keycloak-user] Questions about Keycloak UMA 2.0 implementation

Pedro Igor Silva psilva at redhat.com
Fri Jul 13 08:26:57 EDT 2018


I see. Just to make sure we are aligned. The changes I'm proposing are more
aligned with spec and provide:

* Only mark RPT as upgraded if ALL permissions granted by a previous RPT
were granted
* DENY authorization requests in case you are sending a previous issued RPT
and ANY additional permissions in a ticket are DENIED.
* Still keep current behavior where the server may grant additional
permissions even though you requested only a sub set of them. E.g.: You ask
for source "foo" + scope "a" and the server may grant resource "foo" +
scope "a" and "b".

On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera <
francisco.bermejo.herrera at tecsisa.com> wrote:

> If Keycloak behavior is changed according to your proposal described in
> your previous message, then there shouldn't be any problem with authz
> requests in our model.
>
> It is true that the scopes described in our example are a bit misleading.
> Think about something like READ and READ-PREMIUM instead, used at a GET
> endpoint, and the Resource Server just checks whether one of these scopes
> is contained in the RPT, returning a ticket with READ and READ-PREMIUM when
> none of them has been provided. When the Client requests the new RPT by
> using the ticket, Keycloak would return a RPT including either READ or
> READ-PREMIUM, or 403 Forbidden.
>
> As I said before, this is perfectly aligned with the new Keycloak behavior.
>
> On jue, jul 12, 2018 at 7:35 , Pedro Igor Silva <psilva at redhat.com> wrote:
>
>
>
> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <
> francisco.bermejo.herrera at tecsisa.com> wrote:
>
>> Hello, we are testing Keycloak 4.1.0.Final for authentication and
>> authorization (UMA 2.0 flow).
>>
>> Some assumptions:
>>
>>    - The Resource Server owns the resource Foo, and protects it by using
>>    two scope-based permissions, one requiring READ scope, and the other
>> one
>>    requiring WRITE scope.
>>    - User Alice has been granted READ scope for resource Foo.
>>    - We are not using Policy Enforcers. Enforcement will be implemented at
>>    the Resource Server.
>>
>> We are modeling the following flow:
>>
>>    1. The Requesting Party (Alice) requests access to resource Foo in the
>>    Resource Server. This request DOES NOT provide an RPT.
>>    2. The Resource Server detects the absence of RPT, so it requests a
>>    Permission Ticket to Keycloak, for the Foo resource and both READ and
>> WRITE
>>    scopes (providing a valid PAT).
>>    3. Keycloak returns a valid Permission Ticket to the Resource Server.
>>    4. The Resource Server returns the Permission Ticket (including
>> Keycloak
>>    token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid
>> -connect/token)
>>    at WWW-Authorization header) with status code 401 to the Requesting
>> Party.
>>    5. The Requesting Party sends the Permission Ticket (for the Foo
>>    resource and both READ and WRITE scopes) to Keycloak, in order to get a
>>    valid RPT.
>>
>> Here is where things start to get confusing. We expected that Keycloak
>> would reject the authorization request due to failed permission evaluation
>> (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope).
>> Nevertheless, Keycloak returns a valid RPT, granting permission for
>> resource Foo (just for READ scope).
>>
>> We are aware that this behavior is UMA 2.0 compliant
>> <https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-21.
>> html#rfc.section.3.6.4>
>> :
>>
>> > If the value is non-null and CandidateGrantedScopes < RequestedScopes,
>> the
>> > authorization server MUST subsequently issue either an RPT containing
>> > CandidateGrantedScopes (upgrading as appropriate; see below), or one of
>> the
>> > error codes. The reason for the two options is that granting only
>> partial
>> > scopes may not be useful for the client's and requesting party's
>> purposes
>> > in seeking authorization for access.
>>
>>
>> But as the RFC explicitly points out, this behavior may not be useful for
>> the client. We think that the RFC is right, because this renders the
>> client
>> unable to tell whether the authorization has been partially or completely
>> fulfilled. And consequently the Resource Server will request again a
>> Permission Ticket for the Foo resource and both READ and WRITE scopes, so
>> the whole flow will be repeated over and over again. If this is Keycloak
>> expected behavior, how can we avoid the infinite loops?
>>
>
> For this particular case, each scope is associated with a specific HTTP
> method ? Can't you obtain tickets accordingly including only the scopes you
> need ?
>
> As you noticed, by default, Keycloak issues a RPT for any resource/scope
> you sent along with an authorization request. Resource servers (or clients
> sending authz requests directly without ticket) should be able to ask only
> for specific resources/scopes.
>
>
>>
>> Another question is, when providing a valid RPT along with a Permission
>> Ticket, why Keycloak deems an RPT as upgraded = true even when the
>> requested resource has not been authorized? It returns the same RPT with
>> just jti, exp and iat updated. Since we think that the Authorization
>> Server
>> must be the one stopping the UMA flow, should not Keycloak return a 403
>> Forbidden instead? Is this behavior configurable in any way?
>>
>> Thank you in advance!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


More information about the keycloak-user mailing list