
Unexpected error while evaluating permissions

Details

      1. Create a new resource:

      curl -v -X POST \
        http://${host}:${port}/auth/realms/${realm_name}/authz/protection/resource_set \
        -H 'Authorization: Bearer '$pat \
        -H 'Content-Type: application/json' \
        -d '{
           "name":"resource1",
           "type":"some-type",
           "scopes":[
               "read",
               "write"
            ],
           "owner": "resource-server",
           "ownerManagedAccess": true
        }'

      2. Create a UMA permission and assign a client user and an ordinary user to it:

      curl -X POST \
        http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id} \
        -H 'Authorization: Bearer '$access_token \
        -H 'Cache-Control: no-cache' \
        -H 'Content-Type: application/json' \
        -d '{
              "name": "resource1-read",
              "description": "Allow to read resource1",
              "scopes": ["read"],
              "clients": ["some-client"],
              "users": ["some-user"]
      }'

      3. Retrieving a UMA ticket for user "some-user" should work (${some_user_access_token} is the access token of "some-user"):

      curl -X POST \
        http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
        -H "Authorization: Bearer ${some_user_access_token}" \
        --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
        --data "audience={resource_server_client_id}"

      4. Go into the Keycloak console and delete the client "some-client".

      5. Retrieving a UMA ticket for user "some-user" now fails:

      curl -X POST \
        http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
        -H "Authorization: Bearer ${some_user_access_token}" \
        --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
        --data "audience={resource_server_client_id}"
    • NEW

    Description

      Trying to retrieve a UMA permission pointing to a deleted group or client user results in "Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions".

      This happens with groups and client users, but not with ordinary users.

      Tested with Keycloak 10.0.1 and 12.0.4.
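      The failure above comes from a UMA policy that still names a principal that no longer exists. The following audit script is an added example (not part of the issue or of Keycloak itself) that finds such dangling references before they surface as a 500 at token time. It assumes JSON in the shape of the admin REST API (clients with `clientId`, users with `username`, the group tree with `path`/`subGroups`) and of the protection API's uma-policy documents; all sample documents are constructed.

```python
"""Audit UMA permission policies for clients, users or groups that were deleted.
Added example; the sample documents below are constructed, not taken from a real realm."""

# Constructed admin-API responses: "some-client" was deleted in step 4 of the report.
CLIENTS = [{"id": "c1", "clientId": "resource-server"}, {"id": "c2", "clientId": "photoz-html5-client"}]
USERS = [{"id": "u1", "username": "some-user"}]
GROUPS = [{"id": "g1", "name": "staff", "path": "/staff",
           "subGroups": [{"id": "g2", "name": "oncall", "path": "/staff/oncall", "subGroups": []}]}]

# Constructed uma-policy documents; p-3 additionally names a group that does not exist.
POLICIES = [
    {"id": "p-1", "name": "resource1-read", "scopes": ["read"],
     "clients": ["some-client"], "users": ["some-user"]},
    {"id": "p-2", "name": "resource1-write", "scopes": ["write"], "users": ["some-user"]},
    {"id": "p-3", "name": "resource1-admin", "scopes": ["read", "write"],
     "groups": ["/admins", "/staff/oncall"]},
]


def group_paths(groups):
    """Flatten the admin API's nested group tree into the set of existing group paths."""
    paths = set()
    for g in groups:
        paths.add(g["path"])
        paths |= group_paths(g.get("subGroups", []))
    return paths


def realm_snapshot(clients, users, groups):
    """Map each principal kind a UMA policy can reference to the identifiers that exist."""
    return {"clients": {c["clientId"] for c in clients},
            "users": {u["username"] for u in users},
            "groups": group_paths(groups)}


def dangling_references(policies, snapshot):
    """Return (policy name, kind, identifier) for every principal a policy names that is
    missing from the realm; these policies trigger 'Failed to evaluate permissions'."""
    return [(p["name"], kind, ref)
            for p in policies
            for kind in ("clients", "users", "groups")
            for ref in p.get(kind, [])
            if ref not in snapshot[kind]]


if __name__ == "__main__":
    for name, kind, ref in dangling_references(POLICIES, realm_snapshot(CLIENTS, USERS, GROUPS)):
        print(f"policy {name!r} references missing {kind[:-1]} {ref!r}")
```

      Running the script against the constructed data reports the deleted client in "resource1-read" and the missing group in "resource1-admin"; feeding it live API output would flag policies to repair before users hit the error.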

      Attachments

        1. db_tables.png (582 kB)
        2. get-policy-stacktrace.txt (13 kB)
        3. get-uma-ticket-stacktrace.txt (18 kB)
          People

            psilva@redhat.com Pedro Igor Craveiro
            simen-origo Simen Heggestøyl (Inactive)