[keycloak-user] Role required to manage user consents from REST API

Tue Jul 24 14:20:17 EDT 2018

 Thank you, this is useful information.

If it is currently not possible for a normal user to view or revoke
consents on their own authority, a workaround could probably be to set up a
service associated with a client in Keycloak that does have the authority
to perform these operations, and then it will be responsible for
restricting what it allows based on the identity of its callers.

Regards,
Paul

On Sun, Jul 22, 2018 at 10:52 PM, Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Paul,
>
> Here's the method responsible for consent / offline token revocation:
> https://github.com/keycloak/keycloak/blob/master/services/
> src/main/java/org/keycloak/services/resources/admin/UserResource.java#L480
>
> This can be further traced to o.k.services.resources.admin.
> permissions.UserPermissions::canManage(UserModel):
> https://github.com/keycloak/keycloak/blob/master/services/
> src/main/java/org/keycloak/services/resources/admin/
> permissions/UserPermissions.java#L311
>
> Long story short: currently, consents / offline tokens can be revoked
> only by those allowed to manage all the users in the realm (either via
> "admin" role membership or Realm > Users > Permissions) or by those
> allowed to manage users in a particular group (Realm > Groups > (group)
> > Permissions). That means, a user is not allowed to revoke his/her own
> consents and offline tokens. This looks like a bug to me, but let's see
> what the Keycloak devs say.
>
> > Also, looking through the REST API documentation, I didn't see
> > anything related to roles and authorization. Are all operations only
> > accessible by users with the admin role assigned?
>
> Not necessarily so; unfortunately, this topic is mostly undocumented,
> so the only reliable way is to look into the sources (something we've
> just done for consent revocation).
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-07-20 at 15:47 -0400, Paul Grebenc wrote:
> > I have been doing some investigation with Keycloak 3.4.3.Final, and have
> > noticed something that I am wondering about.
> >
> > It is possible for me to request an offline token for a given user with a
> > password grant, and that consent will show up for the user under the
> user's
> > Consents tab in the admin console.
> >
> > In terms of managing any granted consents (for the purpose of allowing a
> > user to revoke a consent that they have granted), I have been able to do
> > the following:
> >
> > curl -X GET -H "Authorization: Bearer <authToken>"
> > http://localhost:8080/auth/admin/realms/master/users/<userId>/consents
> > <http://localhost:8080/auth/admin/realms/master/users/
> 38454015-6ab7-4880-b54c-77c5780fd2ba/consents>
> >
> >
> > This returns all current consents granted by the user.  I can then also
> do
> > the following:
> >
> >
> > curl -X DELETE -H "Authorization: Bearer <authToken>"
> > http://localhost:8080/auth/admin/realms/master/users/<
> userId>/consents/<clientId>;
> > <http://localhost:8080/auth/admin/realms/master/users/
> 38454015-6ab7-4880-b54c-77c5780fd2ba/consents/agent-registration>
> >
> >
> > This revokes the consent granted by the specified user for the specified
> > client.
> >
> >
> > This is good so far, but I noticed that I was only authorized to perform
> > these operations as admin, and not as the user in question who has
> granted
> > these consents.  Through experimentation, I was able to determine that
> if I
> > add the role "admin" to the user, that user is then authorized for these
> > operations.
> >
> >
> > Is this intentional?  It was originally my expectation that a user who
> has
> > granted consents should be able to view or revoke their own consents
> > without having to have the admin role assigned.
> >
> >
> > Also, looking through the REST API documentation, I didn't see anything
> > related to roles and authorization.  Are all operations only accessible
> by
> > users with the admin role assigned?
> >
> >
> > Regards,
> >
> > Paul
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>