[keycloak-user] Role required to manage user consents from REST API

Dmitry Telegin dt at acutus.pro
Sun Jul 22 22:52:22 EDT 2018


Hi Paul,

Here's the method responsible for consent / offline token revocation:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L480

This can be further traced to o.k.services.resources.admin.permissions.UserPermissions::canManage(UserModel):
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java#L311

Long story short: currently, consents / offline tokens can be revoked
only by those allowed to manage all the users in the realm (either via
"admin" role membership or Realm > Users > Permissions) or by those
allowed to manage users in a particular group (Realm > Groups > (group)
> Permissions). That means a user is not allowed to revoke his/her own
consents and offline tokens. This looks like a bug to me, but let's see
what the Keycloak devs say.

> Also, looking through the REST API documentation, I didn't see
> anything related to roles and authorization. Are all operations only
> accessible by users with the admin role assigned?

Not necessarily so; unfortunately, this topic is mostly undocumented,
so the only reliable way is to look into the sources (something we've
just done for consent revocation).

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-20 at 15:47 -0400, Paul Grebenc wrote:
> I have been doing some investigation with Keycloak 3.4.3.Final, and have
> noticed something that I am wondering about.
> 
> It is possible for me to request an offline token for a given user with a
> password grant, and that consent will show up for the user under the user's
> Consents tab in the admin console.
> 
> In terms of managing any granted consents (for the purpose of allowing a
> user to revoke a consent that they have granted), I have been able to do
> the following:
> 
> curl -X GET -H "Authorization: Bearer <authToken>"
> http://localhost:8080/auth/admin/realms/master/users/<userId>/consents
> <http://localhost:8080/auth/admin/realms/master/users/38454015-6ab7-4880-b54c-77c5780fd2ba/consents>
> 
> 
> This returns all current consents granted by the user.  I can then also do
> the following:
> 
> 
> curl -X DELETE -H "Authorization: Bearer <authToken>"
> http://localhost:8080/auth/admin/realms/master/users/<userId>/consents/<clientId>;
> <http://localhost:8080/auth/admin/realms/master/users/38454015-6ab7-4880-b54c-77c5780fd2ba/consents/agent-registration>
> 
> 
> This revokes the consent granted by the specified user for the specified
> client.
> 
> 
> This is good so far, but I noticed that I was only authorized to perform
> these operations as admin, and not as the user in question who has granted
> these consents.  Through experimentation, I was able to determine that if I
> add the role "admin" to the user, that user is then authorized for these
> operations.
> 
> 
> Is this intentional?  It was originally my expectation that a user who has
> granted consents should be able to view or revoke their own consents
> without having to have the admin role assigned.
> 
> 
> Also, looking through the REST API documentation, I didn't see anything
> related to roles and authorization.  Are all operations only accessible by
> users with the admin role assigned?
> 
> 
> Regards,
> 
> Paul
