[keycloak-user] How to get the role -> permissions for an authenticated user

[Pedro Igor Silva]

Yeah, it seems like an issue. You should get the same results.

However, what you mentioned here is not how it is supposed to work though:

"If I add to SBP1 also S2, I expect that user1 will have access to both
R1:S1 and R1:S2. However, I still get only R1:S1.
This seems like a bug."

If you have conflicting permissions, like SBP1 granting access to S1 and
S2 + SBP2 denying S2 to user1, the user should get S1 only.

I'll update the JIRA to this info and we can discuss there.

Thanks for creating the issue.

On Mon, Jun 3, 2019 at 12:55 PM Ori Doolman <Ori.Doolman at cyberark.com>
wrote:

> Hi Pedro,
>
> Did you check this?
> I have created a Jira issue:
> https://issues.jboss.org/browse/KEYCLOAK-10443
>
> Thanks ,
> Ori.
>
>
> -----Original Message-----
> From: Ori Doolman
> Sent: Saturday, June 1, 2019 12:10 AM
> To: Ori Doolman <Ori.Doolman at cyberark.com>; Pedro Igor Silva <
> psilva at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] How to get the role -> permissions for an
> authenticated user
>
> Hi Pedro,
>
> I almost got it all working, but I think I bumped into bug... :( Please
> confirm if this is a bug or an expected behavior.
> I'm using latest Keycloak v6.01. I believe you can reproduce it as well.
>
> I have created:
> 1. Resource R with scopes S1, S2.
> 2. User based policy P1 for user1
> 3. User based policy P2 for user2
> 4. scope-based permission SBP1 for R1+S1 mapped to policy P1  (granting
> user1 access to R1:S1) 5. scope-based permission SBP2 for R1+S2 mapped to
> policy P2  (granting user2 access to R1:S2)
>
> When I request an RTP, everything is as expected. User1 token returns
> R1:S1 and user2 token returns R1:S2.
>
> But, if I add to SBP1 also S2, I expect that user1 will have access to
> both R1:S1 and R1:S2. However, I still get only R1:S1.
> This seems like a bug.
>
> If I revert the change and add to SBP2 also S1, I expect that user2 will
> have access to both R1:S1 and R1:S2. However, in this case I get
> access_denied and no scopes at all.
> This is really inconsistent and seems like a bug.
>
>
>
> Here is how I send the RPT request:
>
> POST /auth/realms/epm-account1/protocol/openid-connect/token HTTP/1.1
> Host: localhost:8180
> Content-Type: application/x-www-form-urlencoded
> Authorization: Bearer <myToken>
> User-Agent: PostmanRuntime/7.13.0
> Accept: */*
> Cache-Control: no-cache
> Postman-Token:
> ca36fc4e-d551-4525-a406-9afe674b1312,3731c4f2-6e71-475d-a6bf-171b6dc6b0cc
> Host: localhost:8180
> accept-encoding: gzip, deflate
> content-length: 99
> Connection: keep-alive
> cache-control: no-cache
>
>
> grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&audience=epm-web&permission=R1
>
>
>
> Please check that.
>
> Thanks,
> Ori.
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Ori Doolman
> Sent: Friday, May 31, 2019 8:48 PM
> To: Pedro Igor Silva <psilva at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user
>
> Pedro,
>
>
>   1.  How do I obtain the pushed claims in my JS policy code? Is it by
> $evaluation.getContext().getAttribes() ?
> Do you have an example?
>   2.  Is there any way to debug the JS policy? Or at least print to logs
> from the policy code?
>
> Ori.
>
>
> From: Pedro Igor Silva <psilva at redhat.com>
> Sent: Friday, May 31, 2019 8:32 PM
> To: Ori Doolman <Ori.Doolman at cyberark.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user
>
> Here it is
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_authorization-5Fservices_index.html-23-5Fservice-5Fpushing-5Fclaims&d=DwIGaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=mENXb5Bdwuq4jDZ4om9xiFtVy2nUvbmifEzSL0VNmew&s=r9TiD3Glkd7ZsS7Ariwvs4caS0Z-Z4M2qWzZ29ymRw4&e=
> <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_authorization-5Fservices_index.html-23-5Fservice-5Fpushing-5Fclaims&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=VpmEgxz6IZ1he2ux3cbu2pAyhj-nfSMnGDRLVwx_yTE&s=e7b4-UeT69rQhxr9i27zb8tg7U6glgVtrW-mN4_1-ig&e=
> >.
>
> FYI, you can also use client roles in your policies.
>
> On Fri, May 31, 2019 at 11:14 AM Ori Doolman <Ori.Doolman at cyberark.com
> <mailto:Ori.Doolman at cyberark.com>> wrote:
> We have thousands of accounts , therefore option 1 is not feasible.
> As for 2nd option, if I configure accounts as resource, and my app's
> permissions as scopes per account/resource (all 200 app's permissions), I
> expect to get in RPT different permissions if I am user A role R1 or user B
> role R2. In the same time, user A has difderent role on other account. This
> is why I cannot use realm roles.
> Is there any way to push claims when I request for an RPT?
> The only thing I saw is requesting for specific permission/scope.
> What I'm really missing in KC is a way to represent this relatively simple
> model of different user permissions per account.
> (Users and accounts relation is Many to many).
>
>
>
> Get Outlook for Android<
> https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=VpmEgxz6IZ1he2ux3cbu2pAyhj-nfSMnGDRLVwx_yTE&s=zsNuqb67PJ74IM1TKTvQ6rV-pzSG6efFQiP6W_cMHdo&e=
> >
>
> From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
> Sent: Friday, May 31, 2019 1:02:05 PM
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user
>
> I see. In this case, you could write a JS policy that checks both the
> account and the role. Where the account could be passed to your policy as a
> claim. The issue here is that you will end up with a quite huge policy
> depending on how many accounts you have.
> The second approach would be to manage accounts as resources and have
> those permissions for each resource. You would need to provisioning logic
> in your application to create the resource + permissions when a new account
> is created. Permissions could then be obtained based on a per-account basis.
> On Thu, May 30, 2019 at 6:58 PM Ori Doolman < Ori.Doolman at cyberark.com
> <mailto:Ori.Doolman at cyberark.com>> wrote:
> Thanks Pedro,
> But the definition below is exactly what I tried to do and got stuck.
> This is because the “manager permissions” (A, B, C) is given only for role
> manager and *for account 1*.  For account 2, the same user will have
> totally different permissions.
> I don’t have the accounts configured in Keycloak.
> Even if I configure an account as a resource, this account will have
> scopes X,Y,Z for user 1 and scopes A, B, C  for user 2.
>
> See my problem?
>
> Ori.
>
>
> From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
> Sent: Friday, May 31, 2019 12:51 AM
> To: Ori Doolman <Ori.Doolman at cyberark.com<mailto:Ori.Doolman at cyberark.com
> >>
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user
>
> Would be the account a resource and permissions their corresponding
> scopes/actions that can be performed on an account ?
>
> If a role implies access to some scopes/actions you can perform on an
> account (which is a resource), you could write "scope-based policies" such
> as:
>
> * "Manager Permission" is defined for scopes A, B and C with a role-policy
> that enforces "manager" role
> * "Regular Permission" is defined for scopes X, Y and Z with a role-policy
> that enforces "regular" role
>
> With this setup, if the user has both manager and regular roles access
> shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the
> scopes granted will depend on the role assigned to the user.
>
> On Thu, May 30, 2019 at 6:29 PM Ori Doolman <Ori.Doolman at cyberark.com
> <mailto:Ori.Doolman at cyberark.com>> wrote:
> Hi Pedro and all,
> I managed to use get an RPT given an access token.
> My problem is that I cannot find a good way to model my application's
> permission in Keycloak.
> Maybe you or someone else can help with that, since I think it is a pretty
> standard model:
> I have many "accounts" and many users.
> I have several roles in my application, each represents a set of allowed
> permissions.
> Each user is assigned a role *per account*.
> That means that one user can be a "manager" user for account 1 (with
> effective permissions a,b,c) and a "regular" user for account 2 (with
> effective permissions x, y, z).
> So as you see, my user roles (and permissions) is always in the context of
> an account.
> This is why I cannot just configure static client roles and use them for
> policies. My permissions always depend on the data, the account context.
> What is the best way (if any) to model this kind of permissions in
> Keycloak?
> Thanks,
> Ori.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org<mailto:
> keycloak-user-bounces at lists.jboss.org> <
> keycloak-user-bounces at lists.jboss.org<mailto:
> keycloak-user-bounces at lists.jboss.org>> On Behalf Of Ori Doolman
> Sent: Thursday, May 23, 2019 9:35 PM
> To: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user Ok Pedro, I think I got it. Thanks a lot for thr
> clarification.
> My current plan is to make the exchange in API-GW.
> I get 2 advantages:
> 1) No change in client application and no need to involve client with
> server side authorization.
> 2) I need to make sure access token is still valid and user did not
> performed logout. API-GW seems the correct place to do that. So in a single
> call to KC I get both token validation and token exchange.
> I will try that and update the forum if succeeded. I think this is a
> typical classic deployment and such a documented solution can assist a lot
> of people.
> Ori.
> Get Outlook for Android<
> https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=hiPvWoZ4YnB3lDZZxL_d8b-vGB5H0to2rJICMngePqY&e=
> > ________________________________
> From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
> Sent: Thursday, May 23, 2019 6:58:41 PM
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user
>
>
> On Thu, May 23, 2019 at 12:21 PM Ori Doolman <Ori.Doolman at cyberark.com
> <mailto:Ori.Doolman at cyberark.com><mailto:Ori.Doolman at cyberark.com<mailto:
> Ori.Doolman at cyberark.com>>> wrote:
> Hi Pedro,
> Thanks for the prompt response :)
> Yes, I need RBAC only at the moment.
> When you said my web application should make the token exchange, do you
> mean client side (javascript ) or server side?
> Client-side
> I can also make it from API-GW which is even better I think. what is the
> common practice to send it to the server? I cannot use the Authorization
> header since it alteady contains the access token.
>
> Not sure if API-GW is better but you can replace the access token with
> permissions (sent by the client) in the authorization header. It is just an
> access token + permissions. Pretty much the original + permissions.
>
> Also, it means that I will have to make this call once per session (after
> login) rather than once in a process lifetime, since the roles->permissions
> mapping is pretty much static information.
> It doesn't sounds like the optimal approach.
> Yes, you would need a per session exchange.
>
> Ori.
> Get Outlook for Android<
> https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=kd7NLazIlAUReoX4xn1Isinku-QmPbxzujKjkg5CF78&s=kSulN2o1ygvKOHFKkrsYVnKZdGvuWpqYi8uwdhUudUc&e=
> >
> ________________________________
> From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com
> ><mailto:psilva at redhat.com<mailto:psilva at redhat.com>>>
> Sent: Thursday, May 23, 2019 5:49:11 PM
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org
> ><mailto:keycloak-user at lists.jboss.org<mailto:
> keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] How to get the role -> permissions for an
> authenticated user There is no way to automatically set the permissions
> (from a client authorization settings) when an access token is issued. Like
> you said, you need another call to the token endpoint using the
> uma-grant-type.
> However, your web application will make that call only once in order to
> exchange the access token with another one with the permissions you need to
> access your backend. Your client should also be able to perform incremental
> authorization and limit the numbers of permissions within the token.
> Using a pure RBAC approach also works for your case, I think. Although you
> are limited to RBAC (thus tied with the roles you are using to protect
> resources) and not able to use resource-based authorization.
> On Thu, May 23, 2019 at 11:23 AM Ori Doolman <Ori.Doolman at cyberark.com
> <mailto:Ori.Doolman at cyberark.com><mailto:Ori.Doolman at cyberark.com<mailto:
> Ori.Doolman at cyberark.com>>> wrote:
> Hi,
> I have a web application (Angular) which calls a REST API in a Java
> microservice.
> In my application, which manages books, I have a "regular" and "admin"
> roles.
> "regular" is allowed to execute API readBook.
> "admin" is allowed to execute APIs readBook, deleteBook, createBook.
> The mapping between the user roles to the permissions (book:read ,
> book:create, book:delete) is currently in my app DB. I guess I can migrate
> all roles and permissions into Keycloak using the
> resources/permissions/policies entities.
> I get an access token in the client (using code flow or implicit flow).
> The token contains the current user roles. But not the permissions.
> When I call my REST API I send the access token to my REST endpoint in the
> http header. The token contains the user roles, but not the user
> permissions. In fact, what I really need is the user permissions for
> checking authorization.
>
>
>   1.  What is the best practice of getting the user permissions in my REST
> service? Can I have them become part of the JWT access token when the token
> is created?
> Or is there any other recommended way to "map" the roles into the
> effective permissions at runtime?
> Maybe keep the role->permissions in my current DB and load them to service
> cache ?
>   2.  I want to avoid calling Keycloak for every REST API call because
> this will result bad performance. From what I read, if I want to use
> Keycloak authorization services I must call Keycloak for every API request
> and get the permissions (an RPT token). Is that the only way?
>
>
>   1.  Another alternative I thought of:
> have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles
> "book:read" , "book:create", "book:delete" and for the "Regulars" group I
> will add only "book:read" role.
> This way, if a user belongs to the admins group, he will have all the
> permissions (roles) in the JWT access token.
>
> Thanks,
> Ori.
> ----------------------------------------------------------------------
> _______________________________________________
> This e-mail may contain information that is confidential, privileged or
> otherwise protected from disclosure.
> If you are not an intended recipient of this e-mail, do not duplicate or
> redistribute it by any means. Please delete it and any attachments and
> notify the sender that you have received it in error.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org
> ><mailto:keycloak-user at lists.jboss.org<mailto:
> keycloak-user at lists.jboss.org>>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e=
> <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=C06JksmJ3-aEjipshrthQDy_e_8SFfiWTVg3xaAAi90&s=h3yWPfEVBy7AdTCBc2za37uwC0fzq34oyXd6IxbksNU&e=
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e=
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=mENXb5Bdwuq4jDZ4om9xiFtVy2nUvbmifEzSL0VNmew&s=x__KjPALrAcG7r37jUZN413sy1vZuicMESK4aIunX8Y&e=
>