Keycloak / KEYCLOAK-10746

Unable to check permissions when logged in via client_credentials

Description

ServiceA with authorization enabled and configured to contain resourceA.

ServiceB with service account enabled.

When ServiceB uses client_credentials login, it will receive a token with issuedFor (azp) set to "ServiceB".
Now querying a protected endpoint from ServiceA with that token will result in the error "Resource with id [resourceA] does not exist".

It seems that it might be caused by https://github.com/keycloak/keycloak/blob/ebcfeb20a3f5606cf6756c522d27c1711f3bb7bd/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L415
which only checks for resources of the requesting entity, and a few lines later

    if (!identity.isResourceServer()) {

which blocks another resource server, ServiceB in this case, from finding the resource.

I did find a possible hacky workaround, which is to just log into the service account via grant_type "password" through a public client. In this case the issuedFor will not match the service token's linked client and it will pass the !isResourceServer check here
https://github.com/keycloak/keycloak/blob/47066e1b89b48e53875db32475507bf93ddbe008/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java#L232
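Reproduction helper for the scenario described above, written as an added example (not part of the issue and not Keycloak's own code): it obtains a client_credentials token for ServiceB and then asks ServiceA's authorization server to evaluate resourceA via the UMA ticket grant, classifying the response so the "Resource with id [...] does not exist" symptom is easy to spot. The server location (KEYCLOAK_URL, REALM) and ServiceB's client id and secret are assumed placeholders, and the JSON bodies used to exercise the classifier are constructed samples.

```shell
#!/bin/sh
# Added example: reproduce the permission check from the issue against a running Keycloak.
# Assumptions (placeholders, not from the issue): KEYCLOAK_URL, REALM, and ServiceB's
# client id/secret passed as arguments. Nothing below runs until a function is called.
set -eu

KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080/auth}"   # assumed local instance
REALM="${REALM:-demo}"                                         # assumed realm name
TOKEN_URL="$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token"

# Step 1: ServiceB logs in with client_credentials; the token's azp is ServiceB.
client_credentials_token() {   # $1 = client id, $2 = client secret
  curl -sS -X POST "$TOKEN_URL" \
    -d grant_type=client_credentials -d client_id="$1" -d client_secret="$2"
}

# Step 2: ask ServiceA (the audience) to evaluate resourceA with that token. This is
# the UMA ticket grant Keycloak uses for permission requests.
request_permission() {         # $1 = access token, $2 = audience client id, $3 = resource
  curl -sS -X POST "$TOKEN_URL" -H "Authorization: Bearer $1" \
    -d grant_type=urn:ietf:params:oauth:grant-type:uma-ticket \
    -d audience="$2" -d permission="$3"
}

# Extract one string field from a flat JSON response (no jq dependency).
json_field() {                 # $1 = field name, body on stdin
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Classify a token-endpoint response body. "lookup-failed" is the symptom from the
# issue: the resource is looked up only in the requesting client's own resource server.
classify_response() {          # $1 = JSON body
  desc=$(printf '%s' "$1" | json_field error_description)
  case "$desc" in
    "Resource with id ["*"] does not exist"*) echo lookup-failed ;;
    "") [ -n "$(printf '%s' "$1" | json_field access_token)" ] && echo granted || echo unknown ;;
    *) echo denied ;;
  esac
}

# Usage (needs a live server):
#   TOKEN=$(client_credentials_token ServiceB "$SERVICEB_SECRET" | json_field access_token)
#   classify_response "$(request_permission "$TOKEN" ServiceA resourceA)"
```

The `/auth` context path in the default URL is an assumption that depends on the Keycloak version; adjust KEYCLOAK_URL to match the deployment.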

Reporter: veikovx (Veiko V); Assignee: Unassigned