[keycloak-user] Questions about Keycloak UMA 2.0 implementation
Francisco José Bermejo Herrera
francisco.bermejo.herrera at tecsisa.com
Fri Jul 13 08:47:29 EDT 2018
We're OK with all your changes. But, just a quick remark, you say:
> Still keep current behavior where the server may grant additional
> permissions even though you requested only a sub set of them. E.g.:
> You ask for source "foo" + scope "a" and the server may grant
> resource "foo" + scope "a" and "b".
IMHO this isn't the current behavior, since if you ask for resource
"foo" + scope "a", the server grants "foo" + scope "a". But, it is true
that if you ask for resource "foo" + any scope (by leaving scope
empty), the server may grant you resource "foo" + scope "a" and "b".
For example:
- Ticket request (just "read" scope)
> POST /auth/realms/TestRealm/authz/protection/permission HTTP/1.1
> Host: 127.0.0.1:8080
> Content-Type: application/json
> Authorization: Bearer eyJ...
> [
> {"resource_id": "fooresources", "resource_scopes": ["read"]}
> ]
- RPT issued using the ticket (note: Alice has permissions for both
"read" and "write" scopes)
> {
> "jti": "2a8a98ed-f058-4d4d-8321-1501896f773d",
> "exp": 1531489206,
> "nbf": 0,
> "iat": 1531485606,
> "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
> "aud": "auth-demo-ws",
> "sub": "4c3b0694-c1fe-405a-ac35-d4cf9e14aabd",
> "typ": "Bearer",
> "azp": "auth-demo-webapp",
> "auth_time": 0,
> "session_state": "34a4ec1e-9bd3-4413-b785-ae0dda7287d6",
> "acr": "1",
> "allowed-origins": [],
> "realm_access": {
> "roles": [
> "offline_access",
> "uma_authorization"
> ]
> },
> "resource_access": {
> "auth-demo-webapp": {
> "roles": [
> "owner"
> ]
> },
> "auth-demo-ws": {
> "roles": [
> "fooresource-reader",
> "fooresource-writer"
> ]
> }
> },
> "authorization": {
> "permissions": [
> {
> "scopes": [
> "read"
> ],
> "rsid": "dbc5e6a1-d65a-4510-b354-d12b8dd67dc2",
> "rsname": "fooresources"
> }
> ]
> },
> "scope": "email profile",
> "tenant_id": "12345",
> "email_verified": true,
> "roles": [
> "role_owner"
> ],
> "name": "Alice Brown",
> "groups": [
> "/auth-demo/admin"
> ],
> "preferred_username": "alice",
> "given_name": "Alice",
> "family_name": "Brown",
> "email": "alice at test.com"
> }
On vie, jul 13, 2018 at 2:26 , Pedro Igor Silva <psilva at redhat.com>
wrote:
> I see. Just to make sure we are aligned. The changes I'm proposing
> are more aligned with spec and provide:
>
> * Only mark RPT as upgraded if ALL permissions granted by a previous
> RPT were granted
> * DENY authorization requests in case you are sending a previous
> issued RPT and ANY additional permissions in a ticket are DENIED.
> * Still keep current behavior where the server may grant additional
> permissions even though you requested only a sub set of them. E.g.:
> You ask for source "foo" + scope "a" and the server may grant
> resource "foo" + scope "a" and "b".
>
> On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera
> <francisco.bermejo.herrera at tecsisa.com> wrote:
>> If Keycloak behavior is changed according to your proposal described
>> in your previous message, then there shouldn't be any problem with
>> authz requests in our model.
>>
>> It is true that the scopes described in our example are a bit
>> misleading. Think about something like READ and READ-PREMIUM
>> instead, used at a GET endpoint, and the Resource Server just checks
>> whether one of these scopes is contained in the RPT, returning a
>> ticket with READ and READ-PREMIUM when none of them has been
>> provided. When the Client requests the new RPT by using the ticket,
>> Keycloak would return a RPT including either READ or READ-PREMIUM,
>> or 403 Forbidden.
>>
>> As I said before, this is perfectly aligned with the new Keycloak
>> behavior.
>>
>> On jue, jul 12, 2018 at 7:35 , Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>>
>>>
>>> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera
>>> <francisco.bermejo.herrera at tecsisa.com> wrote:
>>>> Hello, we are testing Keycloak 4.1.0.Final for authentication and
>>>> authorization (UMA 2.0 flow).
>>>>
>>>> Some assumptions:
>>>>
>>>> - The Resource Server owns the resource Foo, and protects it by
>>>> using
>>>> two scope-based permissions, one requiring READ scope, and the
>>>> other one
>>>> requiring WRITE scope.
>>>> - User Alice has been granted READ scope for resource Foo.
>>>> - We are not using Policy Enforcers. Enforcement will be
>>>> implemented at
>>>> the Resource Server.
>>>>
>>>> We are modeling the following flow:
>>>>
>>>> 1. The Requesting Party (Alice) requests access to resource Foo
>>>> in the
>>>> Resource Server. This request DOES NOT provide an RPT.
>>>> 2. The Resource Server detects the absence of RPT, so it
>>>> requests a
>>>> Permission Ticket to Keycloak, for the Foo resource and both
>>>> READ and WRITE
>>>> scopes (providing a valid PAT).
>>>> 3. Keycloak returns a valid Permission Ticket to the Resource
>>>> Server.
>>>> 4. The Resource Server returns the Permission Ticket (including
>>>> Keycloak
>>>> token URI
>>>> (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token)
>>>> at WWW-Authorization header) with status code 401 to the
>>>> Requesting Party.
>>>> 5. The Requesting Party sends the Permission Ticket (for the Foo
>>>> resource and both READ and WRITE scopes) to Keycloak, in order
>>>> to get a
>>>> valid RPT.
>>>>
>>>> Here is where things start to get confusing. We expected that
>>>> Keycloak
>>>> would reject the authorization request due to failed permission
>>>> evaluation
>>>> (Alice has READ scope for resource Foo, but DOES NOT have WRITE
>>>> scope).
>>>> Nevertheless, Keycloak returns a valid RPT, granting permission for
>>>> resource Foo (just for READ scope).
>>>>
>>>> We are aware that this behavior is UMA 2.0 compliant
>>>> <https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-21.html#rfc.section.3.6.4>
>>>> :
>>>>
>>>> > If the value is non-null and CandidateGrantedScopes <
>>>> RequestedScopes, the
>>>> > authorization server MUST subsequently issue either an RPT
>>>> containing
>>>> > CandidateGrantedScopes (upgrading as appropriate; see below), or
>>>> one of the
>>>> > error codes. The reason for the two options is that granting
>>>> only partial
>>>> > scopes may not be useful for the client's and requesting party's
>>>> purposes
>>>> > in seeking authorization for access.
>>>>
>>>>
>>>> But as the RFC explicitly points out, this behavior may not be
>>>> useful for
>>>> the client. We think that the RFC is right, because this renders
>>>> the client
>>>> unable to tell whether the authorization has been partially or
>>>> completely
>>>> fulfilled. And consequently the Resource Server will request again
>>>> a
>>>> Permission Ticket for the Foo resource and both READ and WRITE
>>>> scopes, so
>>>> the whole flow will be repeated over and over again. If this is
>>>> Keycloak
>>>> expected behavior, how can we avoid the infinite loops?
>>>
>>> For this particular case, each scope is associated with a specific
>>> HTTP method ? Can't you obtain tickets accordingly including only
>>> the scopes you need ?
>>>
>>> As you noticed, by default, Keycloak issues a RPT for any
>>> resource/scope you sent along with an authorization request.
>>> Resource servers (or clients sending authz requests directly
>>> without ticket) should be able to ask only for specific
>>> resources/scopes.
>>>
>>>>
>>>> Another question is, when providing a valid RPT along with a
>>>> Permission
>>>> Ticket, why Keycloak deems an RPT as upgraded = true even when the
>>>> requested resource has not been authorized? It returns the same
>>>> RPT with
>>>> just jti, exp and iat updated. Since we think that the
>>>> Authorization Server
>>>> must be the one stopping the UMA flow, should not Keycloak return
>>>> a 403
>>>> Forbidden instead? Is this behavior configurable in any way?
>>>>
>>>> Thank you in advance!
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
More information about the keycloak-user
mailing list