[keycloak-user] authorizationSettings not in response

Pedro Igor Silva psilva at redhat.com
Mon Jun 24 10:53:08 EDT 2019


On Thu, Jun 20, 2019 at 12:52 PM Ori Doolman <Ori.Doolman at cyberark.com>
wrote:

> Thanks for the answer Pedro.
>
> I understand what you wrote, but I think this poses a difficulty for the
> API users (such as myself 😊 ).
>
> I want to look for all permissions related to some resource.
>
> Now, instead of selecting all permissions and in my app iterate and filter
> according to the resource, I have two bad-performance solutions:
>
>    1. Use the /settings endpoint and get too much data, including many
>    entities I don’t need.
>    2. Get all permissions, and then one by one call the {id}/resources.
>    And then call the other endpoints if I also need scopes and
>    associatedPolicies.
>
> I don’t understand why the /policies cannot return the full permission
> entity with the {config} object. It would be the straightforward thing to
> do.
>

We were doing that in the beginning, returning everything when querying a
policy by id. But we had performance issues in both admin console and REST
API when policies were associated with a lot of resources/scopes.

I see no problem with enabling a query parameter to indicate whether or
not the response should also return resources/scopes/associated policies.
Wdyt?


>
> Thanks,
>
> Ori.
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Tuesday, June 18, 2019 2:23 PM
> *To:* Ori Doolman <Ori.Doolman at cyberark.com>
> *Cc:* Rafael Tovar. <rafatov10 at gmail.com>; keycloak-user <
> keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>
> On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman <Ori.Doolman at cyberark.com>
> wrote:
>
> Pedro,
>
> When I call the authz/resource-server/settings endpoint, I get the full
> list of all entities.
>
> That works great if I later want to update the settings using the
> /authz/resource-server/import endpoint.
>
> But /settings might become too big and I only want to update my
> permissions (specific ones, actually).
>
> Hence, I call the /policy endpoint.
>
> But then I get partial entity information for the scope-based permission,
> not similar to the one I get with /settings. The "config" object data is
> missing.
>
> 1) Is that a bug? You can see below both payloads.
>
> The settings endpoint is exporting the settings, basically. So that you
> have a JSON that you can later import data back to your client.
>
> The policy endpoint only returns the policy attributes so that any other
> associated entity such as resources, scopes, and associated policies should
> be obtained from another endpoint.
>
> {id}/associatedPolicies
> {id}/resources
> {id}/scopes
>
> 2) Can I filter permissions by name contains "mySubstring"? Seems that
> /search does not support that but only exact name match by
> /search?name="name"
>
> You can use the "/" (root) endpoint. It is the one we use in the admin
> console.
>
> Here is /settings call:
>
>     "policies": [
>         {
>             "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>             "name": "set-03",
>             "type": "scope",
>             "logic": "POSITIVE",
>             "decisionStrategy": "UNANIMOUS",
>             "config": {
>                 "resources": "[\"set-01\"]",
>                 "scopes": "[\"read\",\"write\"]",
>                 "applyPolicies": "[\"userPolicy\"]"
>             }
>         }
>
> Here is what I get from /policy endpoint:
>
>    {
>         "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>         "name": "set-03",
>         "type": "scope",
>         "logic": "POSITIVE",
>         "decisionStrategy": "UNANIMOUS",
>         "config": {}
>     }
>
> ------------------------------
>
> *From:* keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman <
> Ori.Doolman at cyberark.com>
> *Sent:* Thursday, June 6, 2019 4:22 PM
> *To:* Pedro Igor Silva; Rafael Tovar.
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>
> Great. I was looking for that as well. I don't think it is documented.
> How do you manipulate the authorization entities by REST API?
> For example, add a resource or a scope, modify policy etc.
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Pedro Igor Silva
> Sent: Thursday, June 6, 2019 3:43 PM
> To: Rafael Tovar. <rafatov10 at gmail.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> Hi,
>
> Please, append the following path to your URI: "
> /authz/resource-server/settings".
>
> Regards.
> Pedro Igor
>
> On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. <rafatov10 at gmail.com> wrote:
>
> > Hi everybody,
> > I'm trying to get the authorization settings of a client, but it's not
> > coming in the response of the request.
> > This is the request I'm doing:
> >
> > http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
> >
> > and this is the response:
> >
> > {
> >     "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
> >     "clientId": "api",
> >     "surrogateAuthRequired": false,
> >     "enabled": true,
> >     "clientAuthenticatorType": "client-secret",
> >     "redirectUris": [
> >         "*"
> >     ],
> >     "webOrigins": [],
> >     "notBefore": 0,
> >     "bearerOnly": false,
> >     "consentRequired": false,
> >     "standardFlowEnabled": true,
> >     "implicitFlowEnabled": false,
> >     "directAccessGrantsEnabled": true,
> >     "serviceAccountsEnabled": true,
> >     "authorizationServicesEnabled": true,
> >     "publicClient": false,
> >     "frontchannelLogout": false,
> >     "protocol": "openid-connect",
> >     "attributes": {
> >         "saml.assertion.signature": "false",
> >         "saml.force.post.binding": "false",
> >         "saml.multivalued.roles": "false",
> >         "saml.encrypt": "false",
> >         "saml.server.signature": "false",
> >         "saml.server.signature.keyinfo.ext": "false",
> >         "exclude.session.state.from.auth.response": "false",
> >         "saml_force_name_id_format": "false",
> >         "saml.client.signature": "false",
> >         "tls.client.certificate.bound.access.tokens": "false",
> >         "saml.authnstatement": "false",
> >         "display.on.consent.screen": "false",
> >         "saml.onetimeuse.condition": "false"
> >     },
> >     "authenticationFlowBindingOverrides": {},
> >     "fullScopeAllowed": true,
> >     "nodeReRegistrationTimeout": -1,
> >     "protocolMappers": [
> >         {
> >             "id": "97330e11-24df-40ce-9335-51d5126d4059",
> >             "name": "Client Host",
> >             "protocol": "openid-connect",
> >             "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >             "consentRequired": false,
> >             "config": {
> >                 "user.session.note": "clientHost",
> >                 "id.token.claim": "true",
> >                 "access.token.claim": "true",
> >                 "claim.name": "clientHost",
> >                 "jsonType.label": "String"
> >             }
> >         },
> >         {
> >             "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
> >             "name": "Client ID",
> >             "protocol": "openid-connect",
> >             "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >             "consentRequired": false,
> >             "config": {
> >                 "user.session.note": "clientId",
> >                 "id.token.claim": "true",
> >                 "access.token.claim": "true",
> >                 "claim.name": "clientId",
> >                 "jsonType.label": "String"
> >             }
> >         },
> >         {
> >             "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
> >             "name": "Client IP Address",
> >             "protocol": "openid-connect",
> >             "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >             "consentRequired": false,
> >             "config": {
> >                 "user.session.note": "clientAddress",
> >                 "id.token.claim": "true",
> >                 "access.token.claim": "true",
> >                 "claim.name": "clientAddress",
> >                 "jsonType.label": "String"
> >             }
> >         }
> >     ],
> >     "defaultClientScopes": [
> >         "web-origins",
> >         "role_list",
> >         "profile",
> >         "roles",
> >         "email"
> >     ],
> >     "optionalClientScopes": [
> >         "address",
> >         "phone",
> >         "offline_access",
> >         "microprofile-jwt"
> >     ],
> >     "access": {
> >         "view": true,
> >         "configure": true,
> >         "manage": true
> >     }
> > }
> >
> > Thanks,
> > Rafael.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
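As an added example (not code from this thread or from Keycloak itself), here are the two options Ori weighs, written against a constructed export with the same shape as the /settings payload quoted above, where every "config" value is a JSON list serialised into a string. The `fetch` helper, the placeholder ids and the assumption that the /resources, /scopes and /associatedPolicies sub-endpoints return lists of objects carrying a "name" are mine.

```python
import json

# Constructed sample shaped like the "policies" array from /authz/resource-server/settings:
# each "config" value is a JSON document serialised into a string, e.g. "[\"set-01\"]".
SETTINGS_EXPORT = {"policies": [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "set-03",
     "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
     "config": {"resources": "[\"set-01\"]", "scopes": "[\"read\",\"write\"]",
                "applyPolicies": "[\"userPolicy\"]"}},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "set-05",
     "type": "resource", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
     "config": {"resources": "[\"set-01\",\"set-02\"]",
                "applyPolicies": "[\"adminPolicy\"]"}},
    {"id": "00000000-0000-0000-0000-000000000003", "name": "userPolicy",
     "type": "user", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
     "config": {"users": "[\"alice\"]"}},
]}
PERMISSION_TYPES = {"resource", "scope"}  # every other type is a plain policy


def decode_config(config):
    """Parse the string-encoded JSON values of a policy config; non-JSON strings pass through."""
    decoded = {}
    for key, value in config.items():
        try:
            decoded[key] = json.loads(value) if isinstance(value, str) else value
        except json.JSONDecodeError:
            decoded[key] = value
    return decoded


def permissions_for_resource(export, resource_name):
    """Option 1 from the thread: filter the whole /settings export locally by resource name."""
    hits = []
    for policy in export.get("policies", []):
        if policy.get("type") in PERMISSION_TYPES:
            cfg = decode_config(policy.get("config", {}))
            if resource_name in cfg.get("resources", []):
                hits.append({"name": policy["name"], "scopes": cfg.get("scopes", []),
                             "applyPolicies": cfg.get("applyPolicies", [])})
    return hits


def permission_from_policy_api(fetch, policy_id):
    """Option 2 from the thread: /policy/{id} plus three sub-endpoint calls (fetch stands in
    for an authenticated GET; sub-endpoints assumed to return lists of objects with "name")."""
    base = f"/authz/resource-server/policy/{policy_id}"
    policy = fetch(base)  # four round trips per permission, hence the N+1 cost
    return {"name": policy["name"],
            "resources": [r["name"] for r in fetch(base + "/resources")],
            "scopes": [s["name"] for s in fetch(base + "/scopes")],
            "applyPolicies": [p["name"] for p in fetch(base + "/associatedPolicies")]}
```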

