[keycloak-user] authorizationSettings not in response

Ori Doolman Ori.Doolman at cyberark.com
Mon Jun 24 12:00:25 EDT 2019


Pedro,
That would be a perfect solution!
Ori.



________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Monday, June 24, 2019 5:53:08 PM
To: Ori Doolman
Cc: Rafael Tovar.; keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response



On Thu, Jun 20, 2019 at 12:52 PM Ori Doolman <Ori.Doolman at cyberark.com> wrote:
Thanks for the answer Pedro.

I understand what you wrote, but I think this poses a difficulty for the API users (such as myself 😊).
I want to look for all permissions related to some resource.
Now, instead of selecting all permissions and in my app iterate and filter according to the resource, I have two bad-performance solutions:

1. Use the /settings endpoint and get too much data, including many entities I don’t need.
2. Get all permissions, and then one by one call the {id}/resources. And then call the other endpoints if I also need scopes and associatedPolicies.

I don’t understand why the /policies cannot return the full permission entity with the {config} object. It would be the straightforward thing to do.

We were doing that in the beginning, returning everything when querying a policy by id. But we had performance issues in both admin console and REST API when policies were associated with a lot of resources/scopes.

I see no problem about enabling a query parameter to indicate whether or not the response should also return resources/scopes/associated policies. WDYT?


Thanks,
Ori.


From: Pedro Igor Silva <psilva at redhat.com>
Sent: Tuesday, June 18, 2019 2:23 PM
To: Ori Doolman <Ori.Doolman at cyberark.com>
Cc: Rafael Tovar. <rafatov10 at gmail.com>; keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] authorizationSettings not in response



On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman <Ori.Doolman at cyberark.com> wrote:
Pedro,
When I call the authz/resource-server/settings endpoint, I get the full list of all entities.
That works great if I later want to update the settings using the /authz/resource-server/import endpoint.

But /settings might become too big and I only want to update my permissions (specific ones, actually).
Hence, I call the /policy endpoint.
But then I get partial entity information for the scope-based permission, not similar to the one I get with /settings. The "config" object data is missing.

1) Is that a bug? You can see below both payloads.

The settings endpoint is exporting the settings, basically. So that you have a JSON that you can later import data back to your client.

The policy endpoint only returns the policy attributes so that any other associated entity such as resources, scopes, and associated policies should be obtained from another endpoint.

{id}/associatedPolicies
{id}/resources
{id}/scopes

2) Can I filter permissions by name containing "mySubstring"? It seems that /search does not support that, only an exact name match via /search?name="name".

You can use the "/" (root) endpoint. It is the one we use in the admin console.



Here is /settings call:

    "policies": [
        {
            "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
            "name": "set-03",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
                "resources": "[\"set-01\"]",
                "scopes": "[\"read\",\"write\"]",
                "applyPolicies": "[\"userPolicy\"]"
            }
        }

Here is what I get from /policy endpoint:

    {
        "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
        "name": "set-03",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {}
    }

________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman <Ori.Doolman at cyberark.com>
Sent: Thursday, June 6, 2019 4:22 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Great. I was looking for that as well. I don't think it is documented.
How do you manipulate the authorization entities by REST API?
For example, add a resource or a scope, modify policy etc.


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar. <rafatov10 at gmail.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] authorizationSettings not in response

Hi,

Please, append the following path to your URI: "/authz/resource-server/settings".

Regards.
Pedro Igor

On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. <rafatov10 at gmail.com> wrote:

> Hi everybody,
> I'm trying to get the authorization settings of a client, but it's not
> coming in the response of the request.
> This is the request I'm doing:
>
> http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>
> and this is the response:
>
> {
>     "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
>     "clientId": "api",
>     "surrogateAuthRequired": false,
>     "enabled": true,
>     "clientAuthenticatorType": "client-secret",
>     "redirectUris": [
>         "*"
>     ],
>     "webOrigins": [],
>     "notBefore": 0,
>     "bearerOnly": false,
>     "consentRequired": false,
>     "standardFlowEnabled": true,
>     "implicitFlowEnabled": false,
>     "directAccessGrantsEnabled": true,
>     "serviceAccountsEnabled": true,
>     "authorizationServicesEnabled": true,
>     "publicClient": false,
>     "frontchannelLogout": false,
>     "protocol": "openid-connect",
>     "attributes": {
>         "saml.assertion.signature": "false",
>         "saml.force.post.binding": "false",
>         "saml.multivalued.roles": "false",
>         "saml.encrypt": "false",
>         "saml.server.signature": "false",
>         "saml.server.signature.keyinfo.ext": "false",
>         "exclude.session.state.from.auth.response": "false",
>         "saml_force_name_id_format": "false",
>         "saml.client.signature": "false",
>         "tls.client.certificate.bound.access.tokens": "false",
>         "saml.authnstatement": "false",
>         "display.on.consent.screen": "false",
>         "saml.onetimeuse.condition": "false"
>     },
>     "authenticationFlowBindingOverrides": {},
>     "fullScopeAllowed": true,
>     "nodeReRegistrationTimeout": -1,
>     "protocolMappers": [
>         {
>             "id": "97330e11-24df-40ce-9335-51d5126d4059",
>             "name": "Client Host",
>             "protocol": "openid-connect",
>             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>             "consentRequired": false,
>             "config": {
>                 "user.session.note": "clientHost",
>                 "id.token.claim": "true",
>                 "access.token.claim": "true",
>                 "claim.name": "clientHost",
>                 "jsonType.label": "String"
>             }
>         },
>         {
>             "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
>             "name": "Client ID",
>             "protocol": "openid-connect",
>             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>             "consentRequired": false,
>             "config": {
>                 "user.session.note": "clientId",
>                 "id.token.claim": "true",
>                 "access.token.claim": "true",
>                 "claim.name": "clientId",
>                 "jsonType.label": "String"
>             }
>         },
>         {
>             "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
>             "name": "Client IP Address",
>             "protocol": "openid-connect",
>             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>             "consentRequired": false,
>             "config": {
>                 "user.session.note": "clientAddress",
>                 "id.token.claim": "true",
>                 "access.token.claim": "true",
>                 "claim.name": "clientAddress",
>                 "jsonType.label": "String"
>             }
>         }
>     ],
>     "defaultClientScopes": [
>         "web-origins",
>         "role_list",
>         "profile",
>         "roles",
>         "email"
>     ],
>     "optionalClientScopes": [
>         "address",
>         "phone",
>         "offline_access",
>         "microprofile-jwt"
>     ],
>     "access": {
>         "view": true,
>         "configure": true,
>         "manage": true
>     }
> }
>
> Thanks,
> Rafael.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
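The assembly Pedro describes (bare policy attributes from /policy, then {id}/resources, {id}/scopes and {id}/associatedPolicies) together with the filter-by-resource need Ori raises, as an added Python example that is not code from the thread or from Keycloak. It assumes an admin bearer token has already been obtained, that the admin base path is /auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server as in Rafael's request, and that the sub-endpoint entries carry a "name" field; the HTTP layer is injectable so the assembly logic runs offline against a constructed stand-in.

```python
import json
import urllib.request

def make_getter(server, realm, client_uuid, token):
    """Real transport: GET the admin authz resource-server sub-path with a bearer token."""
    root = f"{server}/auth/admin/realms/{realm}/clients/{client_uuid}/authz/resource-server"
    def get(path):
        req = urllib.request.Request(root + path, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return get

def full_permissions(get, resource_name=None):
    """Rebuild complete permission entities: /policy gives only the bare attributes
    (empty "config"), so resources, scopes and associated policies come from the
    per-policy sub-endpoints (1 + 3N requests). Optionally filter by resource name."""
    out = []
    for pol in get("/policy"):
        if pol.get("type") not in ("resource", "scope"):
            continue  # role/user/... policies are not permissions
        pid = pol["id"]
        ent = dict(pol)
        ent["resources"] = [r["name"] for r in get(f"/policy/{pid}/resources")]
        ent["scopes"] = [s["name"] for s in get(f"/policy/{pid}/scopes")]
        ent["policies"] = [p["name"] for p in get(f"/policy/{pid}/associatedPolicies")]
        if resource_name is None or resource_name in ent["resources"]:
            out.append(ent)
    return out

# Constructed offline stand-in for the server: the set-03 payload from the thread,
# plus a second (constructed) permission on another resource and a plain role policy.
SET03 = "a10db0d8-993a-4f34-9082-350033ed8dff"
FAKE_SERVER = {
    "/policy": [
        {"id": SET03, "name": "set-03", "type": "scope", "logic": "POSITIVE",
         "decisionStrategy": "UNANIMOUS", "config": {}},
        {"id": "p2", "name": "other-perm", "type": "resource", "logic": "POSITIVE",
         "decisionStrategy": "UNANIMOUS", "config": {}},
        {"id": "p3", "name": "userPolicy", "type": "role", "logic": "POSITIVE", "config": {}},
    ],
    f"/policy/{SET03}/resources": [{"name": "set-01"}],
    f"/policy/{SET03}/scopes": [{"name": "read"}, {"name": "write"}],
    f"/policy/{SET03}/associatedPolicies": [{"name": "userPolicy"}],
    "/policy/p2/resources": [{"name": "set-02"}],
    "/policy/p2/scopes": [],
    "/policy/p2/associatedPolicies": [{"name": "userPolicy"}],
}
fake_get = FAKE_SERVER.__getitem__  # drop-in for make_getter(...) when offline
```

Against a live server, pass `make_getter(server, realm, client_uuid, token)` instead of `fake_get`; the request count grows as 1 + 3N, which is the cost Ori's second option describes.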


