[keycloak-user] obtaining RTP by resource name
Stefanidis, Kyriakos
kyriakos.stefanidis at fokus.fraunhofer.de
Fri Jun 21 09:23:31 EDT 2019
Hello all,
...more specifically people that use keycloak authorization services.
While dealing with RTPs (without permission tickets) for both user and centrally managed resources we encountered an inconsistent behavior and would like to know if it is considered a bug or works as intended (and why)
The story:
When a resource is owned by the resource provider (a client), you can get a RTP by providing either the resource id (uuid) or the resource name in the "permissions" parameter.
Ex.
"res1" is owned by "client.id" and given "update" scope permission to user "usr" via policy/permission combo
$TOKEN is the access token for user "usr"
curl -X POST \
https://something/auth/realms/something/protocol/openid-connect/token \
-H "Authorization: Bearer $TOKEN" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=client.id" \
--data "permission=res1.id#scope" //correct RTP with "update" for "res1"
OR
--data "permission=res1.name#scope" //correct RTP with "update" for "res1"
When a resource is owned by a user, you can only get a RTP by providing the resource id (uuid) in the "permission" parameter. Requesting by name returns an "Resource with id [res2.name] does not exist."
Ex.
"res2" is owned by "usr" and has an "update" scope
$TOKEN is the access token for user "usr"
curl -X POST \
https://something/auth/realms/something/protocol/openid-connect/token \
-H "Authorization: Bearer $TOKEN" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=client.id" \
--data "permission=res2.id#scope" //correct RTP with "update" for "res1"
OR
--data "permission=res2.name#scope" //"Resource with id [res2.name] does not exist."
The interesting thing is that If you request a RTP without specific "permission" property, keycloak returns the correct RTP with "update" for both res1 and res2 as it should.
Our tests also shown that this behavior does not rely on the "user managed" property but only the "owner" property
Is this supposed to happen?
If yes, why?
If no, which one of the two is the buggy behavior? The behavior for the user owned or the client owned resource?
The main reason for this email is that the fact that you can obtain RTP based on resource name is immensely helpful for us since the other clients (other than the resource provider) cannot get the resource id from keycloak but they do know what they are looking for (the resource name). Not being able to get RTP based on resource name for user owned resources, forces us to use a generic RTP for all resources every time which could become a burden if a user can access a very large number of resources.
Best regards,
Kyriakos Stefanidis
More information about the keycloak-user
mailing list