Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 10.0.2
    • Fix Version/s: None
    • Component/s: Admin - REST API
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      We started to use user attributes to store additional parameters, e.g. last user login time, and we were going to add more attributes to customize authentication.

      But we found that any user may read and update their own attributes through the REST API just using user name and password when a public client is used. See steps to reproduce below.

      It was not obvious at all, as the user account page does not show user attributes. It gives the impression that user attributes are internal.

      We didn't find how to change this behavior. Is it possible to add a way to restrict reading/writing of user attributes by API? If not, could you give your opinion on how to deal with that, please?

      Steps to reproduce:

      1. Create test-realm
      2. Create test-client. Client protocol is openid. Client is public.
      3. Create user test-user with password 1234
      4. Add user attributes by API:

      # Values from steps 1-3 above
      realm=test-realm
      client=test-client
      user=test-user
      pwd=1234

      # Obtain an access token for test-user via the Resource Owner Password grant
      # on the public client (no client secret required)
      access_token=$(curl -s \
      "http://localhost:8080/auth/realms/${realm}/protocol/openid-connect/token" \
      --noproxy '*' \
      -k \
      -d "username=${user}" \
      -d "password=${pwd}" \
      -d "grant_type=password" \
      -d "client_id=${client}" | jq -r '.access_token')

      # Update the user's own account representation, including attributes,
      # through the account REST endpoint
      curl \
      --noproxy '*' \
      -X POST -k \
      -H "Authorization: Bearer ${access_token}" \
      -H "Content-Type: application/json" \
      -d '{"attributes": {"attr1":["1"],"attr2":["2"]}}' \
      "http://localhost:8080/auth/realms/${realm}/account/"

      5. You can see that test-user has attributes now.
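An added example, not part of the issue report or of Keycloak itself: an audit helper for the situation described above. Given the account representation a user can fetch or post through the account REST endpoint (attributes in Keycloak's name-to-list-of-values shape, as in the payload in step 4), and an allow-list of attributes a realm intends users to manage themselves, it reports which internal attributes are exposed and splits an update payload into the part a self-service endpoint should accept and the part it should reject. The attribute names and allow-list are constructed for illustration.

```python
from typing import Dict, Iterable, List, Tuple

Attributes = Dict[str, List[str]]

# Constructed allow-list: the only attributes users should be able to read or
# change themselves. Anything else (e.g. a last-login timestamp or flags that
# drive authentication) is internal state and must stay admin-only.
SELF_SERVICE_ALLOWLIST = frozenset({"locale", "phoneNumber"})


def exposed_attributes(account_rep: dict, allowlist: Iterable[str]) -> List[str]:
    """Return attribute names visible in a user's own account representation
    that are not on the self-service allow-list (i.e. internal state leaking)."""
    allowed = set(allowlist)
    attrs: Attributes = account_rep.get("attributes") or {}
    return sorted(name for name in attrs if name not in allowed)


def sanitize_update(payload: dict, allowlist: Iterable[str]) -> Tuple[Attributes, Attributes]:
    """Split the attributes of a self-service update into (accepted, rejected).
    Values are normalised to Keycloak's list-of-strings form; malformed
    entries (non-string, non-list values) are rejected rather than guessed."""
    allowed = set(allowlist)
    accepted: Attributes = {}
    rejected: Attributes = {}
    attrs = payload.get("attributes") or {}
    for name, value in attrs.items():
        if isinstance(value, str):
            values = [value]
        elif isinstance(value, list) and all(isinstance(v, str) for v in value):
            values = list(value)
        else:
            rejected[name] = [repr(value)]
            continue
        (accepted if name in allowed else rejected)[name] = values
    return accepted, rejected


# Constructed sample: what a user could see/post after step 4, plus the
# internal attributes the reporter stored (names are illustrative).
SAMPLE_ACCOUNT = {
    "username": "test-user",
    "attributes": {"lastLoginTime": ["1591000000"], "locale": ["en"], "attr1": ["1"]},
}
SAMPLE_UPDATE = {"attributes": {"locale": "de", "lastLoginTime": ["0"], "attr2": 2}}
```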

      People

      • Assignee: pcraveiro Pedro Igor Silva
      • Reporter: mvk37 Michael Kuznetsov