[keycloak-user] obtaining RTP by resource name

Stefanidis, Kyriakos kyriakos.stefanidis at fokus.fraunhofer.de
Tue Jul 2 09:11:13 EDT 2019 

Aha. It seems fixed in 6.0.0 and we are still using 4.8.3.Final
Time for an upgrade!

Thanks for all the help ☺

Kyriakos Stefanidis


From: Pedro Igor Silva <psilva at redhat.com>
Sent: 02 July 2019 15:08
To: Stefanidis, Kyriakos <kyriakos.stefanidis at fokus.fraunhofer.de>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] obtaining RTP by resource name

You got it right. And sorry for not understanding that you are talking about accessing "shared" resources, where the resource was granted by the owner to a different user and you want to obtain permissions for this resource as the user.

We changed this behavior as you can see here https://issues.jboss.org/browse/KEYCLOAK-10020. Could you check if that JIRA describes your problem? Also, if you can achieve what you want using the latest version of Keycloak?

Regards.
Pedro Igor

On Tue, Jul 2, 2019 at 9:34 AM Stefanidis, Kyriakos <kyriakos.stefanidis at fokus.fraunhofer.de<mailto:kyriakos.stefanidis at fokus.fraunhofer.de>> wrote:
So, if I understand right:

Regarding user managed resources
Regarding RTP requests without ticket

Owner of a resource:
- Can get RTP for a resource by ID
- Can get RTP for a resource by Name
- Can get RTP for all resources (including the specific resource)

User with access rights to a resource given by the owner:
- Can get RTP for a resource by ID
- Can get RTP for all resources (including the specific resource)

Why is only the request by name not permitted?

Kyriakos Stefanidis


From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: 24 June 2019 15:12
To: Stefanidis, Kyriakos <kyriakos.stefanidis at fokus.fraunhofer.de<mailto:kyriakos.stefanidis at fokus.fraunhofer.de>>
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] obtaining RTP by resource name

Hi,

You should be able to obtain a user-owned resource by name if the bearer token is referencing the owner as the subject. Which version of Keycloak are you using?

I did not find any specific test for this but adding one that does exactly what you described (I can be missing something though) it works as expected.

On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos <kyriakos.stefanidis at fokus.fraunhofer.de<mailto:kyriakos.stefanidis at fokus.fraunhofer.de>> wrote:
Hello all,
...more specifically people that use keycloak authorization services.

While dealing with RTPs (without permission tickets) for both user and centrally managed resources we encountered an inconsistent behavior and would like to know if it is considered a bug or works as intended (and why)

The story:

When a resource is owned by the resource provider (a client), you can get a RTP by providing either the resource id (uuid) or the resource name in the "permissions" parameter.

Ex.
"res1" is owned by "client.id<http://client.id>" and given "update" scope permission to user "usr" via policy/permission combo
$TOKEN is the access token for user "usr"
curl -X POST \
  https://something/auth/realms/something/protocol/openid-connect/token \
  -H "Authorization: Bearer $TOKEN" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=client.id<http://client.id>" \
  --data "permission=res1.id#scope<http://res1.id#scope>" //correct RTP with "update" for "res1"
OR
  --data "permission=res1.name#scope<http://res1.name#scope>" //correct RTP with "update" for "res1"


When a resource is owned by a user, you can only get a RTP by providing the resource id (uuid) in the "permission" parameter. Requesting by name returns an "Resource with id [res2.name<http://res2.name>] does not exist."

Ex.
"res2" is owned by "usr" and has an "update" scope
$TOKEN is the access token for user "usr"

curl -X POST \
  https://something/auth/realms/something/protocol/openid-connect/token \
  -H "Authorization: Bearer $TOKEN" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=client.id<http://client.id>" \
  --data "permission=res2.id#scope<http://res2.id#scope>" //correct RTP with "update" for "res1"
OR
  --data "permission=res2.name#scope<http://res2.name#scope>" //"Resource with id [res2.name<http://res2.name>] does not exist."

The interesting thing is that If you request a RTP without specific "permission" property, keycloak returns the correct RTP with "update" for both res1 and res2 as it should.

Our tests also shown that this behavior does not rely on the "user managed" property but only the "owner" property

Is this supposed to happen?
If yes, why?
If no, which one of the two is the buggy behavior? The behavior for the user owned or the client owned resource?

The main reason for this email is that the fact that you can obtain RTP based on resource name is immensely helpful for us since the other clients (other than the resource provider) cannot get the resource id from keycloak but they do know what they are looking for (the resource name). Not being able to get RTP based on resource name for user owned resources, forces us to use a generic RTP for all resources every time which could become a burden if a user can access a very large number of resources.

Best regards,
Kyriakos Stefanidis
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list