KEYCLOAK-484 (Keycloak)

Admin endpoints authenticate with bearer token, but use roles directly from user


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Version: 1.0-beta-1

    Description

      AdminRoot.authenticateRealmAdminRequest uses the bearer token to authenticate the user, but doesn't pass the token to Auth. This causes roles to be loaded directly from the user instead of from the token, which bypasses the scope, giving all clients full access.
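The failure mode described above, as an added illustration that is not Keycloak's own code: the classes `BearerToken`, `User`, `Auth`, `AdminEndpoint` and `ScopeBypassDemo` are hypothetical stand-ins, and the role names and token contents are constructed. The buggy `Auth(User)` constructor mirrors the report (token dropped, roles read from the user), while `Auth(User, BearerToken)` shows the intended behaviour (roles read from the token, so the client's scope is enforced).

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical parsed bearer token: carries only the roles the token was
// issued with, i.e. what the requesting client's scope allows.
final class BearerToken {
    final String subject;
    final Set<String> grantedRoles;

    BearerToken(String subject, Set<String> grantedRoles) {
        this.subject = subject;
        this.grantedRoles = Collections.unmodifiableSet(new HashSet<>(grantedRoles));
    }
}

// Hypothetical user model: every role the user holds in the realm.
final class User {
    final String username;
    final Set<String> realmRoles;

    User(String username, Set<String> realmRoles) {
        this.username = username;
        this.realmRoles = Collections.unmodifiableSet(new HashSet<>(realmRoles));
    }
}

// Hypothetical Auth context. When constructed without the token (the buggy
// path from the report) hasRole() falls back to the user's realm roles and
// the client's scope is never applied.
final class Auth {
    private final User user;
    private final BearerToken token; // null on the buggy path

    Auth(User user) {
        this(user, null);
    }

    Auth(User user, BearerToken token) {
        this.user = user;
        this.token = token;
    }

    boolean hasRole(String role) {
        if (token == null) {
            // Scope bypass: any client that can present a token for this
            // user is treated as if it held all of the user's roles.
            return user.realmRoles.contains(role);
        }
        // Correct: only roles actually granted in the token count.
        return token.grantedRoles.contains(role);
    }
}

// Hypothetical admin endpoint guarded by a role check.
final class AdminEndpoint {
    static String listUsers(Auth auth) {
        if (!auth.hasRole("admin")) {
            throw new SecurityException("403 Forbidden");
        }
        return "users listing";
    }
}

public class ScopeBypassDemo {
    public static void main(String[] args) {
        // Constructed data: the user is a realm admin, but the client that
        // obtained the token was only granted the "user" role in its scope.
        User alice = new User("alice", Set.of("admin", "user"));
        BearerToken limited = new BearerToken("alice", Set.of("user"));

        Auth buggy = new Auth(alice);          // token dropped, roles from user
        Auth fixed = new Auth(alice, limited); // token honoured, roles from token

        System.out.println("buggy path: " + safeCall(buggy));
        System.out.println("fixed path: " + safeCall(fixed));
    }

    static String safeCall(Auth auth) {
        try {
            return AdminEndpoint.listUsers(auth);
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }
}
```

Run as `ScopeBypassDemo`: the buggy path returns the listing even though the token's scope never granted `admin`, while the fixed path refuses with 403. The practical check for this class of bug is that every authorization decision on a bearer-token endpoint reads roles from the token's claims, never from the user record the token merely identifies.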


          People

            patriot1burke@gmail.com Bill Burke (Inactive)
            sthorger@redhat.com Stian Thorgersen