[keycloak-user] authorizationSettings not in response

Ori Doolman Ori.Doolman at cyberark.com
Sun Jun 16 06:39:11 EDT 2019


Pedro,
Please ignore 2nd question. It seems to work well with partial name after all.
So only the first one remains - is that a bug?

Ori.

________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman <Ori.Doolman at cyberark.com>
Sent: Sunday, June 16, 2019 1:04 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Pedo,
When I call the authz/resource-server/settings endpoint, I get the full list of all entities.
That works great if I later want to update the settings using the /authz/resource-server/import endpoint.

But  /settings might become too big and I only want to update my permissions (specific ones, actually).
Hence, I call the /policy endpoint.
But then I get partial entity information for the scope-based permission, not similar to the one I get with /settings. The "config" object data is missing.

1) Is that a bug? You can see below both payloads.
2) Can I filter permissions by name contains "mySubstring" ? Seems that /search does not support that but only exact name match by /search?name="name"


Here is /settings call:

    "policies": [
        {
            "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
            "name": "set-03",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
                "resources": "[\"set-01\"]",
                "scopes": "[\"read\",\"write\"]",
                "applyPolicies": "[\"userPolicy\"]"
            }
        }

Here is what I get from /policy endpoint:

   {
        "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
        "name": "set-03",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {}
    }

________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman <Ori.Doolman at cyberark.com>
Sent: Thursday, June 6, 2019 4:22 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Great. I was looking for that as well. I don't think it is documented.
How do you manipulate the authorization entities by REST API?
For example, add a resource or a scope, modify policy etc.


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar. <rafatov10 at gmail.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] authorizationSettings not in response

Hi,

Please, append the following path to your URI: "
/authz/resource-server/settings".

Regards.
Pedro Igor

On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. <rafatov10 at gmail.com> wrote:

> Hi everybody,
> I'm trying to get the authorization settings of a client, but its not
> coming in the response of the request.
> This is the request im doing:
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__localhost-3A8080_a
> uth_admin_realms_master_clients_c8e32bbc-2D72e6-2D4c30-2D827f-2D41ee51
> 980433_&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mG
> Z6BOo1SvoOkvu0tBw&m=DLpa-D1y8zX1Cq0Hewm4RRkmQbD8mMhJa1vurH06wdY&s=9-yp
> A5J1MC05KhyJ0Wt2UjBualwKUwejLvPXS4JUB0w&e=
>
> and this is the response:
>
> {
>     "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
>     "clientId": "api",
>     "surrogateAuthRequired": false,
>     "enabled": true,
>     "clientAuthenticatorType": "client-secret",
>     "redirectUris": [
>         "*"
>     ],
>     "webOrigins": [],
>     "notBefore": 0,
>     "bearerOnly": false,
>     "consentRequired": false,
>     "standardFlowEnabled": true,
>     "implicitFlowEnabled": false,
>     "directAccessGrantsEnabled": true,
>     "serviceAccountsEnabled": true,
>     "authorizationServicesEnabled": true,
>     "publicClient": false,
>     "frontchannelLogout": false,
>     "protocol": "openid-connect",
>     "attributes": {
>         "saml.assertion.signature": "false",
>         "saml.force.post.binding": "false",
>         "saml.multivalued.roles": "false",
>         "saml.encrypt": "false",
>         "saml.server.signature": "false",
>         "saml.server.signature.keyinfo.ext": "false",
>         "exclude.session.state.from.auth.response": "false",
>         "saml_force_name_id_format": "false",
>         "saml.client.signature": "false",
>         "tls.client.certificate.bound.access.tokens": "false",
>         "saml.authnstatement": "false",
>         "display.on.consent.screen": "false",
>         "saml.onetimeuse.condition": "false"
>     },
>     "authenticationFlowBindingOverrides": {},
>     "fullScopeAllowed": true,
>     "nodeReRegistrationTimeout": -1,
>     "protocolMappers": [
>         {
>             "id": "97330e11-24df-40ce-9335-51d5126d4059",
>             "name": "Client Host",
>             "protocol": "openid-connect",
>             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>             "consentRequired": false,
>             "config": {
>                 "user.session.note": "clientHost",
>                 "id.token.claim": "true",
>                 "access.token.claim": "true",
>                 "claim.name": "clientHost",
>                 "jsonType.label": "String"
>             }
>         },
>         {
>             "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
>             "name": "Client ID",
>             "protocol": "openid-connect",
>             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>             "consentRequired": false,
>             "config": {
>                 "user.session.note": "clientId",
>                 "id.token.claim": "true",
>                 "access.token.claim": "true",
>                 "claim.name": "clientId",
>                 "jsonType.label": "String"
>             }
>         },
>         {
>             "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
>             "name": "Client IP Address",
>             "protocol": "openid-connect",
>             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>             "consentRequired": false,
>             "config": {
>                 "user.session.note": "clientAddress",
>                 "id.token.claim": "true",
>                 "access.token.claim": "true",
>                 "claim.name": "clientAddress",
>                 "jsonType.label": "String"
>             }
>         }
>     ],
>     "defaultClientScopes": [
>         "web-origins",
>         "role_list",
>         "profile",
>         "roles",
>         "email"
>     ],
>     "optionalClientScopes": [
>         "address",
>         "phone",
>         "offline_access",
>         "microprofile-jwt"
>     ],
>     "access": {
>         "view": true,
>         "configure": true,
>         "manage": true
>     }
> }
>
> Thanks,
> Rafael.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m
> ailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_
> QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=DLpa-D1y8zX1Cq0Hewm4RRkmQb
> D8mMhJa1vurH06wdY&s=ftNZFS0MmIPo6qHQ5UK6NWEyvM23zQzIkjIKnmWtB7I&e=
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=DLpa-D1y8zX1Cq0Hewm4RRkmQbD8mMhJa1vurH06wdY&s=ftNZFS0MmIPo6qHQ5UK6NWEyvM23zQzIkjIKnmWtB7I&e=

----------------------------------------------------------------------
_______________________________________________
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure.
If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=GNLqFGVlYtMr4x2dKmI9lltRxxFRkpiwcUb0dN5_Vk0&s=FSGV9rSoCx_-bnd1ZH59vnrElHr4f4JKrDggC010xRU&e=
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=CXzfHbu3tS7-M4XAEs32GmtMA2-cJ64WMcFa3AUHirc&s=HQM_ulRNI8muZdVrVM7EIxdi1cuD6Vb3_jF4Z3p4uEg&e=


More information about the keycloak-user mailing list