[keycloak-user] Bug? Shared UMA resource not accessible

Ulrik Sjölin ulrik.sjolin at gmail.com
Fri Nov 2 11:39:44 EDT 2018


Hello there,

I wonder if anyone is experiencing this problem and if anyone out
there has a workaround (I am running 4.5.0).

The problem I have comes up in a really simple situation:
JDoe has 1 resource (JDoeResource) that he shares with Alice (scope:
JDoeScope).

Alice tries to access that resource with
permission=JDoeResource#JDoeScope. This fails with a “400 bad request”
when it should return the resource in question. I wonder if this is
[KEYCLOAK-8448] that I am seeing.

When Alice tries to access the resource with
permission=<JDoeResource-ID>#JDoeScope or by just specifying
permission=#JDoeScope, everything works fine.

Below there is a small script that recreates and demonstrates the problem.

Any help in this matter would be greatly appreciated.

Best Regards,

Ulrik Sjölin


In order to run the script below you need to have the tools ‘jwt-cli’
and ‘jq’ installed.

#!/bin/bash
# Requires: curl, jq, and the 'jwt' CLI (jwt-cli) for decoding the RPT.
export host=keycloak
export port=8080
export realm=myrealm
export resource_server_client_id=my-service
export resource_server_client_secret=88888888-8888-8888-8888-888888888888
export username=alice
export password=alice
export resource_owner=jdoe
export resource_name=JDoeResource
export scope=JDoeScope

base_url="http://${host}:${port}/auth/realms/${realm}"

# Obtain an access token for alice through the resource server client
# (password grant). The same token is then used as the bearer token for
# the protection API and as the subject of the UMA ticket request.
export access_token=$(curl --silent \
  ${base_url}/protocol/openid-connect/token \
  -d client_id=${resource_server_client_id} \
  -d client_secret=${resource_server_client_secret} \
  -d username=${username} \
  -d password=${password} \
  -d grant_type=password \
  | jq -r ".access_token")

# Look up the resource by name via the protection API. The response is a
# JSON list of resource IDs, so ".[0]" is the ID or "null" if not found.
export result=$(curl --silent -X GET \
  "${base_url}/authz/protection/resource_set?name=${resource_name}" \
  -H "Authorization: Bearer ${access_token}" \
  | jq -r ".[0]")

if [ "$result" = "null" ]; then
  # Not found: create the resource, owned by jdoe and with owner-managed
  # access enabled so that jdoe can share it from the account console.
  export new_id=$(curl --silent -X POST \
    ${base_url}/authz/protection/resource_set \
    -H "content-type: application/json" \
    -H "Authorization: Bearer ${access_token}" \
    --data @<(cat <<EOF
{
  "name":"${resource_name}",
  "type":"Entities",
  "owner":"${resource_owner}",
  "ownerManagedAccess":true,
  "resource_scopes":["${scope}"]
}
EOF
) | jq -r "._id")

  echo "Created resource with id: ${new_id}"
  echo "Log in with user ${resource_owner} into keycloak"
  echo "and share ${resource_name} with ${username}"
  echo "When that is done, run this script again"
  # Nothing has been shared yet, so the RPT requests below cannot succeed.
  exit 0
else
  echo "Found resource with id: ${result}"
  resource_id=$result
fi

# Request an RPT for one permission string (UMA ticket grant) and print the
# decoded claim lines that mention the resource name. Empty output means the
# RPT was issued but grants nothing on the resource; if the token endpoint
# rejects the request (e.g. 400), the error body is printed instead.
request_rpt() {
  local permission=$1
  local response rpt
  response=$(curl --silent -X POST \
    ${base_url}/protocol/openid-connect/token \
    -H "Authorization: Bearer ${access_token}" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
    --data "audience=${resource_server_client_id}" \
    --data "permission=${permission}")
  rpt=$(echo "${response}" | jq -r ".access_token")
  if [ "${rpt}" = "null" ]; then
    echo "permission=${permission}: request failed: $(echo "${response}" | jq -c .)"
  else
    echo "permission=${permission}: $(jwt "${rpt}" | grep ${resource_name})"
  fi
}

# Scope only: works.
request_rpt "#${scope}"
# Resource ID and scope: works.
request_rpt "${resource_id}#${scope}"
# Resource name and scope: the form that fails with 400 bad request.
request_rpt "${resource_name}#${scope}"



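The script above checks each RPT by grepping the decoded token for the resource name, which also matches the name wherever else it happens to appear. As an added example that is not part of the original post, the following Python inspects the `authorization.permissions` claim Keycloak places in an RPT (entries with `rsid`, `rsname` and `scopes`) and answers whether a given resource/scope pair was actually granted. The sample token is constructed inline and unsigned, and its `rsid` is a placeholder; the decoder deliberately does not verify the signature, so it is an inspection aid, not an authorization check.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_rpt_claims(rpt: str) -> dict:
    """Return the payload claims of a compact JWS.

    This only decodes; it does NOT verify the signature. Anything that
    enforces access must validate the RPT against the realm's public keys
    (or call the token introspection endpoint) before trusting these claims.
    """
    parts = rpt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def granted_scopes(rpt: str, resource_name: str) -> set:
    """Collect the scopes the RPT grants on a resource, matched by rsname."""
    claims = decode_rpt_claims(rpt)
    permissions = claims.get("authorization", {}).get("permissions", [])
    scopes = set()
    for perm in permissions:
        if perm.get("rsname") == resource_name:
            # A resource-level grant may carry no "scopes" key at all.
            scopes.update(perm.get("scopes", []))
    return scopes


def has_permission(rpt: str, resource_name: str, scope: str) -> bool:
    """True if the RPT grants `scope` on `resource_name`."""
    return scope in granted_scopes(rpt, resource_name)


def make_unsigned_rpt(permissions: list) -> str:
    """Build a constructed, unsigned RPT-shaped token for offline testing.

    The empty third segment corresponds to alg=none; a real Keycloak RPT is
    signed (RS256 by default) and carries iss, exp, azp and the other claims.
    """
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": "my-service",
        "authorization": {"permissions": permissions},
    }
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample: the rsid is a placeholder, not a real Keycloak resource ID.
SAMPLE_RPT = make_unsigned_rpt([
    {
        "rsid": "00000000-0000-0000-0000-000000000000",
        "rsname": "JDoeResource",
        "scopes": ["JDoeScope"],
    }
])

if __name__ == "__main__":
    for scope in ("JDoeScope", "OtherScope"):
        print(f"JDoeResource#{scope}: {has_permission(SAMPLE_RPT, 'JDoeResource', scope)}")
```

To use it against a token from the script, pass the `access_token` string returned by the UMA ticket request to `has_permission`; matching on `rsname` rather than grepping avoids a false positive when the name occurs in some other claim, and `rsid` can be matched instead when names are not unique.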