[keycloak-user] authorizationSettings not in response

Pedro Igor Silva psilva at redhat.com
Mon Jun 24 12:13:25 EDT 2019


Created https://issues.jboss.org/browse/KEYCLOAK-10705.

On Mon, Jun 24, 2019 at 1:00 PM Ori Doolman <Ori.Doolman at cyberark.com>
wrote:

> Pedro,
> That would be a perfect solution!
> Ori.
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Monday, June 24, 2019 5:53:08 PM
> *To:* Ori Doolman
> *Cc:* Rafael Tovar.; keycloak-user
> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>
>
>
> On Thu, Jun 20, 2019 at 12:52 PM Ori Doolman <Ori.Doolman at cyberark.com>
> wrote:
>
>> Thanks for the answer Pedro.
>>
>>
>>
>> I understand what you wrote, but I think this poses a difficulty for the
>> API users (such as myself 😊 ).
>>
>> I want to look for all permissions related to some resource.
>>
>> Now, instead of selecting all permissions and in my app iterate and
>> filter according to the resource, I have two bad-performance solutions:
>>
>>    1. Use the /settings endpoint and get too much data, including many
>>    entities I don’t need.
>>    2. Get all permissions, and then one by one call the {id}/resources.
>>    And then call the other endpoints if I also need scopes and
>>    associatedPolicies.
>>
>>
>>
>> I don’t understand why the /policies cannot return the full permission
>> entity with the {config} object. It would be the straightforward thing to
>> do.
>>
>
> We were doing that in the beginning, returning everything when querying a
> policy by id. But we had performance issues in both admin console and REST
> API when policies were associated with a lot of resources/scopes.
>
> I see no problem about enabling a query parameter to indicate whether or
> not the response should also return resources/scopes/associated policies.
> Wdyt ?
>
>
>>
>>
>> Thanks,
>>
>> Ori.
>>
>>
>>
>>
>>
>> *From:* Pedro Igor Silva <psilva at redhat.com>
>> *Sent:* Tuesday, June 18, 2019 2:23 PM
>> *To:* Ori Doolman <Ori.Doolman at cyberark.com>
>> *Cc:* Rafael Tovar. <rafatov10 at gmail.com>; keycloak-user <
>> keycloak-user at lists.jboss.org>
>> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>>
>>
>>
>>
>>
>>
>>
>> On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman <Ori.Doolman at cyberark.com>
>> wrote:
>>
>> Pedro,
>>
>> When I call the authz/resource-server/settings endpoint, I get the full
>> list of all entities.
>>
>> That works great if I later want to update the settings using the
>> /authz/resource-server/import endpoint.
>>
>>
>>
>> But /settings might become too big and I only want to update my
>> permissions (specific ones, actually).
>>
>> Hence, I call the /policy endpoint.
>>
>> But then I get partial entity information for the scope-based permission,
>> not similar to the one I get with /settings. The "config" object data is
>> missing.
>>
>>
>>
>> 1) Is that a bug? You can see below both payloads.
>>
>>
>>
>> The settings endpoint is exporting the settings, basically. So that you
>> have a JSON that you can later import data back to your client.
>>
>>
>>
>> The policy endpoint only returns the policy attributes so that any other
>> associated entity such as resources, scopes, and associated policies should
>> be obtained from another endpoint.
>>
>>
>>
>> {id}/associatedPolicies
>>
>> {id}/resources
>>
>> {id}/scopes
>>
>>
>>
>> 2) Can I filter permissions by name containing "mySubstring"? It seems
>> that /search does not support that, only an exact name match via
>> /search?name="name"
>>
>>
>>
>> You can use the "/" (root) endpoint. It is the one we use in the admin
>> console.
>>
>>
>>
>>
>>
>>
>>
>> Here is /settings call:
>>
>>
>>
>>     "policies": [
>>
>>         {
>>
>>             "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>>
>>             "name": "set-03",
>>
>>             "type": "scope",
>>
>>             "logic": "POSITIVE",
>>
>>             "decisionStrategy": "UNANIMOUS",
>>
>>             "config": {
>>
>>                 "resources": "[\"set-01\"]",
>>
>>                 "scopes": "[\"read\",\"write\"]",
>>
>>                 "applyPolicies": "[\"userPolicy\"]"
>>
>>             }
>>
>>         }
>>
>>
>>
>> Here is what I get from /policy endpoint:
>>
>>
>>
>>    {
>>
>>         "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>>
>>         "name": "set-03",
>>
>>         "type": "scope",
>>
>>         "logic": "POSITIVE",
>>
>>         "decisionStrategy": "UNANIMOUS",
>>
>>         "config": {}
>>
>>     }
>>
>>
>> ------------------------------
>>
>> *From:* keycloak-user-bounces at lists.jboss.org <
>> keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman <
>> Ori.Doolman at cyberark.com>
>> *Sent:* Thursday, June 6, 2019 4:22 PM
>> *To:* Pedro Igor Silva; Rafael Tovar.
>> *Cc:* keycloak-user
>> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>>
>>
>>
>> Great. I was looking for that as well. I don't think it is documented.
>> How do you manipulate the authorization entities by REST API?
>> For example, add a resource or a scope, modify policy etc.
>>
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <
>> keycloak-user-bounces at lists.jboss.org> On Behalf Of Pedro Igor Silva
>> Sent: Thursday, June 6, 2019 3:43 PM
>> To: Rafael Tovar. <rafatov10 at gmail.com>
>> Cc: keycloak-user <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] authorizationSettings not in response
>>
>> Hi,
>>
>> Please, append the following path to your URI: "
>> /authz/resource-server/settings".
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. <rafatov10 at gmail.com> wrote:
>>
>> > Hi everybody,
>> > I'm trying to get the authorization settings of a client, but it's not
>> > coming in the response of the request.
>> > This is the request I'm doing:
>> >
>> > http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>> >
>> > and this is the response:
>> >
>> > {
>> >     "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
>> >     "clientId": "api",
>> >     "surrogateAuthRequired": false,
>> >     "enabled": true,
>> >     "clientAuthenticatorType": "client-secret",
>> >     "redirectUris": [
>> >         "*"
>> >     ],
>> >     "webOrigins": [],
>> >     "notBefore": 0,
>> >     "bearerOnly": false,
>> >     "consentRequired": false,
>> >     "standardFlowEnabled": true,
>> >     "implicitFlowEnabled": false,
>> >     "directAccessGrantsEnabled": true,
>> >     "serviceAccountsEnabled": true,
>> >     "authorizationServicesEnabled": true,
>> >     "publicClient": false,
>> >     "frontchannelLogout": false,
>> >     "protocol": "openid-connect",
>> >     "attributes": {
>> >         "saml.assertion.signature": "false",
>> >         "saml.force.post.binding": "false",
>> >         "saml.multivalued.roles": "false",
>> >         "saml.encrypt": "false",
>> >         "saml.server.signature": "false",
>> >         "saml.server.signature.keyinfo.ext": "false",
>> >         "exclude.session.state.from.auth.response": "false",
>> >         "saml_force_name_id_format": "false",
>> >         "saml.client.signature": "false",
>> >         "tls.client.certificate.bound.access.tokens": "false",
>> >         "saml.authnstatement": "false",
>> >         "display.on.consent.screen": "false",
>> >         "saml.onetimeuse.condition": "false"
>> >     },
>> >     "authenticationFlowBindingOverrides": {},
>> >     "fullScopeAllowed": true,
>> >     "nodeReRegistrationTimeout": -1,
>> >     "protocolMappers": [
>> >         {
>> >             "id": "97330e11-24df-40ce-9335-51d5126d4059",
>> >             "name": "Client Host",
>> >             "protocol": "openid-connect",
>> >             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>> >             "consentRequired": false,
>> >             "config": {
>> >                 "user.session.note": "clientHost",
>> >                 "id.token.claim": "true",
>> >                 "access.token.claim": "true",
>> >                 "claim.name": "clientHost",
>> >                 "jsonType.label": "String"
>> >             }
>> >         },
>> >         {
>> >             "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
>> >             "name": "Client ID",
>> >             "protocol": "openid-connect",
>> >             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>> >             "consentRequired": false,
>> >             "config": {
>> >                 "user.session.note": "clientId",
>> >                 "id.token.claim": "true",
>> >                 "access.token.claim": "true",
>> >                 "claim.name": "clientId",
>> >                 "jsonType.label": "String"
>> >             }
>> >         },
>> >         {
>> >             "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
>> >             "name": "Client IP Address",
>> >             "protocol": "openid-connect",
>> >             "protocolMapper": "oidc-usersessionmodel-note-mapper",
>> >             "consentRequired": false,
>> >             "config": {
>> >                 "user.session.note": "clientAddress",
>> >                 "id.token.claim": "true",
>> >                 "access.token.claim": "true",
>> >                 "claim.name": "clientAddress",
>> >                 "jsonType.label": "String"
>> >             }
>> >         }
>> >     ],
>> >     "defaultClientScopes": [
>> >         "web-origins",
>> >         "role_list",
>> >         "profile",
>> >         "roles",
>> >         "email"
>> >     ],
>> >     "optionalClientScopes": [
>> >         "address",
>> >         "phone",
>> >         "offline_access",
>> >         "microprofile-jwt"
>> >     ],
>> >     "access": {
>> >         "view": true,
>> >         "configure": true,
>> >         "manage": true
>> >     }
>> > }
>> >
>> > Thanks,
>> > Rafael.
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
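As an added example, not code from this thread or from the Keycloak project, here are the two options Ori weighs above written out in Python: filtering the `/authz/resource-server/settings` export client-side, which requires decoding the stringified JSON arrays inside each policy's `config`, and assembling one permission from `/policy/{id}` plus the `resources`, `scopes` and `associatedPolicies` sub-endpoints Pedro lists. The `get` callable, the sample export, the constructed ids and the canned responses are assumptions; the sub-endpoint paths are taken as relative to the resource-server base and may need adjusting for your Keycloak version.

```python
import json

# Constructed sample in the shape of the /authz/resource-server/settings export
# quoted in the thread. Each "config" value is a JSON array serialised as a
# string, so it has to be decoded a second time before it can be filtered on.
SETTINGS_EXPORT = {
    "policies": [
        {
            "id": "11111111-1111-1111-1111-111111111111",  # constructed id
            "name": "userPolicy", "type": "user",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "config": {"users": "[\"alice\"]"},
        },
        {
            "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
            "name": "set-03", "type": "scope",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "config": {
                "resources": "[\"set-01\"]",
                "scopes": "[\"read\",\"write\"]",
                "applyPolicies": "[\"userPolicy\"]",
            },
        },
        {
            "id": "22222222-2222-2222-2222-222222222222",  # constructed id
            "name": "set-04", "type": "resource",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "config": {"resources": "[\"set-02\"]", "applyPolicies": "[\"userPolicy\"]"},
        },
    ]
}

# In the export, permissions are policies of type "resource" or "scope";
# everything else ("user", "role", "js", ...) is a plain policy.
PERMISSION_TYPES = {"resource", "scope"}


def config_list(policy, key):
    """Decode one stringified JSON array from a policy's "config" object.

    A missing or empty key yields []; a value that is present but is not a
    JSON array is reported as malformed rather than silently ignored.
    """
    raw = policy.get("config", {}).get(key)
    if raw is None or raw == "":
        return []
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"config[{key!r}] of {policy.get('name')!r} is not JSON: {raw!r}") from exc
    if not isinstance(value, list):
        raise ValueError(f"config[{key!r}] of {policy.get('name')!r} is not a JSON array")
    return value


def permissions_for_resource(settings, resource_name):
    """Option 1 from the thread: one /settings call, filtered client-side.

    Returns the names of every permission whose config references the resource.
    """
    return [
        p["name"]
        for p in settings.get("policies", [])
        if p.get("type") in PERMISSION_TYPES
        and resource_name in config_list(p, "resources")
    ]


def assemble_permission(policy_id, get):
    """Option 2 from the thread: /policy/{id} plus its three sub-endpoints.

    `get(path)` is an assumed callable that performs an authenticated GET for a
    path relative to .../authz/resource-server and returns the decoded JSON
    body (hypothetical; wire up your own HTTP client).
    """
    base = f"/policy/{policy_id}"
    permission = dict(get(base))
    permission["resources"] = [r["name"] for r in get(f"{base}/resources")]
    permission["scopes"] = [s["name"] for s in get(f"{base}/scopes")]
    permission["policies"] = [a["name"] for a in get(f"{base}/associatedPolicies")]
    return permission


# Canned responses (constructed) standing in for the four calls above, using
# the partial /policy payload from the thread: "config" comes back empty.
CANNED_RESPONSES = {
    "/policy/a10db0d8-993a-4f34-9082-350033ed8dff": {
        "id": "a10db0d8-993a-4f34-9082-350033ed8dff", "name": "set-03",
        "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
        "config": {},
    },
    "/policy/a10db0d8-993a-4f34-9082-350033ed8dff/resources": [{"name": "set-01"}],
    "/policy/a10db0d8-993a-4f34-9082-350033ed8dff/scopes": [{"name": "read"}, {"name": "write"}],
    "/policy/a10db0d8-993a-4f34-9082-350033ed8dff/associatedPolicies": [{"name": "userPolicy"}],
}


def canned_get(path):
    """Offline stand-in for the HTTP client; raises KeyError on an unexpected path."""
    return CANNED_RESPONSES[path]


if __name__ == "__main__":
    print(permissions_for_resource(SETTINGS_EXPORT, "set-01"))
    print(assemble_permission("a10db0d8-993a-4f34-9082-350033ed8dff", canned_get))
```

Option 1 costs one request but pulls the whole export; option 2 costs four requests per permission, which is the trade-off Pedro's proposed query parameter would remove.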

