
UmaPermissions on user managed resources not returned by token REST endpoint


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 4.8.3.Final
    • Fix Version/s: None
    • Component/s: Authorization Services
    • Labels: None
    • Steps to Reproduce:
      • Create a user managed resource
      • Create a UmaPermission for an existing role, for example like this:

            PolicyResource policy = authzClient.protection(account.getKeycloakSecurityContext().getTokenString())
                    .policy(resource.getId());
            UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
            permission.addRole("ROLE_ADMIN");
            permission.setName("test");
            permission.setDescription("Give access to ADMIN ROLE");
            policy.create(permission);

      • In the Keycloak admin console, evaluate the permission for a user in that role.
        Still on the console permission evaluation page, check that "Show Authorization Data" displays the permissions granted by the UmaPermission created.
      • Check the permissions directly using the token endpoint for a user in that role:

            curl -X POST MYSERVER/auth/realms/MYREALM/protocol/openid-connect/token \
                --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
                --data "response_mode=permissions" \
                --data "audience=myclient" \
                -H "Authorization: Bearer aToken"

        Only a permission for the default resource is returned:

            [{"rsid":"b9f1f4d0-d726-4e7d-a786-076a7bd27124","rsname":"Default Resource"}]
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When a UmaPermission is created on a user managed resource, the permission evaluation page in the Keycloak console reports that this permission is granted, while the token REST endpoint reports no permissions (except for the default resource).
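      The following is an added example, not the reporter's code and not Keycloak project code, that drives the same reproduction from the Java authz client: it creates an owner-managed resource, attaches a role-based UMA permission to it, then asks the token endpoint what the role member is actually granted. It differs from the curl step in one respect, deliberately: instead of response_mode=permissions it requests an RPT and reads the permissions back through RPT introspection, so the same comparison against the console's evaluation page can be made from code. It assumes a keycloak.json for the confidential client "myclient" on the classpath, that the owner's and the role member's access tokens and the owner's subject id are obtained out of band and passed as arguments, and that the role is named ROLE_ADMIN as in the report; the resource name "my-document" and the class name are made up for the example.

```java
// Added example (not the reporter's code, not Keycloak project code).
// Assumes keycloak.json for client "myclient" is on the classpath and that
// user tokens and the owner's subject id are supplied as program arguments.
import java.util.Collections;
import java.util.List;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;

public class UmaPermissionCheck {

    /** Creates a user managed resource owned by ownerId and returns its id. */
    static String createOwnerManagedResource(AuthzClient authzClient, String ownerId, String name) {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(name);
        resource.setOwner(ownerId);
        resource.setOwnerManagedAccess(true); // this is what makes it "user managed"
        // protection() without a token uses the client's own PAT (client credentials)
        return authzClient.protection().resource().create(resource).getId();
    }

    /** Attaches a UMA permission that grants the resource to members of roleName. */
    static void grantRole(AuthzClient authzClient, String ownerToken, String resourceId, String roleName) {
        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("test");
        permission.setDescription("Give access to " + roleName);
        permission.addRole(roleName);
        // UMA policies belong to the resource owner, so the owner's token is used here
        authzClient.protection(ownerToken).policy(resourceId).create(permission);
    }

    /**
     * Asks the token endpoint for an RPT on behalf of userToken and returns the
     * permissions the RPT carries (empty if authorization was denied outright).
     */
    static List<Permission> grantedPermissions(AuthzClient authzClient, String userToken, String resourceId) {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceId);
        try {
            AuthorizationResponse response = authzClient.authorization(userToken).authorize(request);
            TokenIntrospectionResponse introspection =
                    authzClient.protection().introspectRequestingPartyToken(response.getToken());
            return introspection.getPermissions();
        } catch (AuthorizationDeniedException denied) {
            return Collections.emptyList();
        }
    }

    /** True if the resource with resourceId appears among the granted permissions. */
    static boolean resourceIsGranted(List<Permission> permissions, String resourceId) {
        return permissions.stream().anyMatch(p -> resourceId.equals(p.getResourceId()));
    }

    public static void main(String[] args) {
        AuthzClient authzClient = AuthzClient.create();
        String ownerToken = args[0];  // access token of the resource owner
        String ownerId = args[1];     // subject id of the resource owner
        String memberToken = args[2]; // access token of a user holding ROLE_ADMIN

        String resourceId = createOwnerManagedResource(authzClient, ownerId, "my-document");
        grantRole(authzClient, ownerToken, resourceId, "ROLE_ADMIN");

        List<Permission> perms = grantedPermissions(authzClient, memberToken, resourceId);
        for (Permission p : perms) {
            System.out.println(p.getResourceId() + " " + p.getResourceName());
        }
        // Compare this with what the admin console's evaluation page shows for the same user.
        System.out.println("user managed resource granted: " + resourceIsGranted(perms, resourceId));
    }
}
```

      Run it once as the role member after the permission has been created; if the console evaluation page lists the resource but resourceIsGranted prints false, the token endpoint and the evaluator disagree in the way the report describes.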

                People

                • Assignee: pcraveiro Pedro Igor Silva
                • Reporter: sveyriere Sebastien Veyriere
                • Votes: 0
                • Watchers: 3
