[keycloak-user] obtaining RTP by resource name

Pedro Igor Silva psilva at redhat.com
Tue Jul 2 09:08:03 EDT 2019 

You got it right. And sorry for not understanding that you are talking
about accessing "shared" resources, where the resource was granted by the
owner to a different user and you want to obtain permissions for this
resource as the user.

We changed this behavior as you can see here
https://issues.jboss.org/browse/KEYCLOAK-10020. Could you check if that
JIRA describes your problem? Also, if you can achieve what you want using
the latest version of Keycloak?

Regards.
Pedro Igor

On Tue, Jul 2, 2019 at 9:34 AM Stefanidis, Kyriakos <
kyriakos.stefanidis at fokus.fraunhofer.de> wrote:

> So, if I understand right:
>
>
>
> Regarding user managed resources
>
> Regarding RTP requests without ticket
>
>
>
> Owner of a resource:
>
> - Can get RTP for a resource by ID
>
> - Can get RTP for a resource by Name
>
> - Can get RTP for all resources (including the specific resource)
>

>
> User with access rights to a resource given by the owner:
>
> - Can get RTP for a resource by ID
>
> - Can get RTP for all resources (including the specific resource)
>
>
>
> Why is only the request by name not permitted?
>
>
>
> Kyriakos Stefanidis
>
>
>
>
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* 24 June 2019 15:12
> *To:* Stefanidis, Kyriakos <kyriakos.stefanidis at fokus.fraunhofer.de>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] obtaining RTP by resource name
>
>
>
> Hi,
>
>
>
> You should be able to obtain a user-owned resource by name if the bearer
> token is referencing the owner as the subject. Which version of Keycloak
> are you using?
>
>
>
> I did not find any specific test for this but adding one that does exactly
> what you described (I can be missing something though) it works as expected.
>
>
>
> On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos <
> kyriakos.stefanidis at fokus.fraunhofer.de> wrote:
>
> Hello all,
> ...more specifically people that use keycloak authorization services.
>
> While dealing with RTPs (without permission tickets) for both user and
> centrally managed resources we encountered an inconsistent behavior and
> would like to know if it is considered a bug or works as intended (and why)
>
> The story:
>
> When a resource is owned by the resource provider (a client), you can get
> a RTP by providing either the resource id (uuid) or the resource name in
> the "permissions" parameter.
>
> Ex.
> "res1" is owned by "client.id" and given "update" scope permission to
> user "usr" via policy/permission combo
> $TOKEN is the access token for user "usr"
> curl -X POST \
>   https://something/auth/realms/something/protocol/openid-connect/token \
>   -H "Authorization: Bearer $TOKEN" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=client.id" \
>   --data "permission=res1.id#scope" //correct RTP with "update" for "res1"
> OR
>   --data "permission=res1.name#scope" //correct RTP with "update" for
> "res1"
>
>
> When a resource is owned by a user, you can only get a RTP by providing
> the resource id (uuid) in the "permission" parameter. Requesting by name
> returns an "Resource with id [res2.name] does not exist."
>
> Ex.
> "res2" is owned by "usr" and has an "update" scope
> $TOKEN is the access token for user "usr"
>
> curl -X POST \
>   https://something/auth/realms/something/protocol/openid-connect/token \
>   -H "Authorization: Bearer $TOKEN" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=client.id" \
>   --data "permission=res2.id#scope" //correct RTP with "update" for "res1"
> OR
>   --data "permission=res2.name#scope" //"Resource with id [res2.name]
> does not exist."
>
> The interesting thing is that If you request a RTP without specific
> "permission" property, keycloak returns the correct RTP with "update" for
> both res1 and res2 as it should.
>
> Our tests also shown that this behavior does not rely on the "user
> managed" property but only the "owner" property
>
> Is this supposed to happen?
>
> If yes, why?
>
> If no, which one of the two is the buggy behavior? The behavior for the
> user owned or the client owned resource?
>
> The main reason for this email is that the fact that you can obtain RTP
> based on resource name is immensely helpful for us since the other clients
> (other than the resource provider) cannot get the resource id from keycloak
> but they do know what they are looking for (the resource name). Not being
> able to get RTP based on resource name for user owned resources, forces us
> to use a generic RTP for all resources every time which could become a
> burden if a user can access a very large number of resources.
>
> Best regards,
> Kyriakos Stefanidis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

More information about the keycloak-user mailing list