[keycloak-user] obtaining RTP by resource name

Pedro Igor Silva psilva at redhat.com
Mon Jun 24 09:11:54 EDT 2019


Hi,

You should be able to obtain a user-owned resource by name if the bearer
token is referencing the owner as the subject. Which version of Keycloak
are you using?

I did not find any specific test for this, but after adding one that does exactly
what you described (I could be missing something, though) it works as expected.

On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos <
kyriakos.stefanidis at fokus.fraunhofer.de> wrote:

> Hello all,
> ...more specifically people that use keycloak authorization services.
>
> While dealing with RTPs (without permission tickets) for both user and
> centrally managed resources, we encountered an inconsistent behavior and
> would like to know if it is considered a bug or works as intended (and why).
>
> The story:
>
> When a resource is owned by the resource provider (a client), you can get
> a RTP by providing either the resource id (uuid) or the resource name in
> the "permissions" parameter.
>
> Ex.
> "res1" is owned by "client.id" and given "update" scope permission to
> user "usr" via policy/permission combo
> $TOKEN is the access token for user "usr"
> curl -X POST \
>   https://something/auth/realms/something/protocol/openid-connect/token \
>   -H "Authorization: Bearer $TOKEN" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=client.id" \
>   --data "permission=res1.id#scope"    # correct RTP with "update" for "res1"
> OR
>   --data "permission=res1.name#scope"  # correct RTP with "update" for "res1"
>
>
> When a resource is owned by a user, you can only get a RTP by providing
> the resource id (uuid) in the "permission" parameter. Requesting by name
> returns a "Resource with id [res2.name] does not exist."
>
> Ex.
> "res2" is owned by "usr" and has an "update" scope
> $TOKEN is the access token for user "usr"
>
> curl -X POST \
>   https://something/auth/realms/something/protocol/openid-connect/token \
>   -H "Authorization: Bearer $TOKEN" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=client.id" \
>   --data "permission=res2.id#scope"    # correct RTP with "update" for "res2"
> OR
>   --data "permission=res2.name#scope"  # "Resource with id [res2.name] does not exist."
>
> The interesting thing is that if you request a RTP without a specific
> "permission" property, keycloak returns the correct RTP with "update" for
> both res1 and res2, as it should.
>
> Our tests also showed that this behavior does not rely on the "user
> managed" property but only on the "owner" property.
>
> Is this supposed to happen?
>
> If yes, why?
>
> If no, which one of the two is the buggy behavior? The behavior for the
> user owned or the client owned resource?
>
> The main reason for this email is that the fact that you can obtain an RTP
> based on resource name is immensely helpful for us, since the other clients
> (other than the resource provider) cannot get the resource id from keycloak
> but they do know what they are looking for (the resource name). Not being
> able to get an RTP based on resource name for user owned resources forces us
> to use a generic RTP for all resources every time, which could become a
> burden if a user can access a very large number of resources.
>
> Best regards,
> Kyriakos Stefanidis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


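Added example, not code from this thread or from Keycloak itself: a small Python helper that builds the form body for the UMA-ticket grant request quoted above (resource given as id or name, optional scopes, or no "permission" parameter at all for the generic RPT the thread falls back to) and then checks whether a returned RPT (the thread writes "RTP"; the Keycloak term is requesting party token) actually grants the requested scope on the requested resource, matching on either the resource id ("rsid") or the resource name ("rsname") inside the token's "authorization.permissions" claim. The sample token, its UUIDs and the missing signature are all constructed for offline use; a real RPT must have its RS256 signature verified against the realm key before any of its claims are trusted, which this helper deliberately does not do.

```python
# Added example (not from the mailing-list thread or the Keycloak code base):
# build a Keycloak UMA-ticket grant request and verify the returned RPT.
import base64
import json
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def permission_param(resource, scopes=()):
    """One 'permission' value: RESOURCE#SCOPE_A,SCOPE_B, or just RESOURCE when
    no scopes are given (Keycloak then evaluates every scope of the resource).
    RESOURCE may be the resource UUID or its name, exactly as in the thread."""
    return resource if not scopes else f"{resource}#{','.join(scopes)}"


def build_rpt_request(audience, permissions=()):
    """Form body for POST .../protocol/openid-connect/token.  Each entry of
    `permissions` is (resource, scopes).  Pass none to request the generic RPT
    covering everything the subject may access (the thread's fallback)."""
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    fields += [("permission", permission_param(r, s)) for r, s in permissions]
    return urlencode(fields)  # '#' is percent-encoded as %23 on the wire


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Claims of a compact JWS.  NOTE: no signature check is performed here;
    verify the RPT against the realm's RS256 public key before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(rpt):
    """Map resource id AND resource name -> set of granted scopes, read from the
    RPT's 'authorization.permissions' claim (Keycloak's RPT layout)."""
    grants = {}
    claims = decode_jwt_payload(rpt)
    for perm in claims.get("authorization", {}).get("permissions", []):
        scopes = set(perm.get("scopes", []))
        for key in ("rsid", "rsname"):
            if key in perm:
                grants.setdefault(perm[key], set()).update(scopes)
    return grants


def has_permission(rpt, resource, scope):
    """True if the RPT grants `scope` on `resource` (given as id or as name)."""
    return scope in granted_permissions(rpt).get(resource, set())


def _fake_rpt(claims):
    """Constructed, UNSIGNED token for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"


# Constructed sample: an RPT granting "update" on the client-owned res1 and on
# the user-owned res2.  The UUIDs are made up (assumption, not real data).
RES1_ID = "11111111-1111-4111-8111-111111111111"
RES2_ID = "22222222-2222-4222-8222-222222222222"
SAMPLE_RPT = _fake_rpt({
    "aud": "client.id",
    "sub": "usr",
    "authorization": {"permissions": [
        {"rsid": RES1_ID, "rsname": "res1", "scopes": ["update"]},
        {"rsid": RES2_ID, "rsname": "res2", "scopes": ["update"]},
    ]},
})

if __name__ == "__main__":
    # Request by name, as the thread wants to do for the user-owned res2 ...
    print(build_rpt_request("client.id", [("res2", ["update"])]))
    # ... and check the answer by name or by id; both must agree.
    print(has_permission(SAMPLE_RPT, "res2", "update"),
          has_permission(SAMPLE_RPT, RES2_ID, "update"))
```

The check deliberately accepts either key: a client that only knows the resource name can still confirm the grant, while the resource server that knows the UUID is not forced to look up names. Whether Keycloak resolves a name for a user-owned resource at request time is exactly the open question of the thread; the helper only verifies what came back.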