KEYCLOAK-7726

UMA 2.0 permissions for service client owned resources


Details

    • NEW

    Description

      (in ref to http://lists.jboss.org/pipermail/keycloak-user/2018-June/014421.html)

      We currently use Keycloak to protect data resources created and managed by various microservices. Keycloak resources are owned by the service client, with scopes granted to users via user policies. We are looking to allow users to share scopes directly with other users, and we are evaluating Keycloak 4 with UMA 2.0 permissions to accomplish this.

      It appears we cannot use UMA 2.0 to dynamically grant scopes to resources owned by a service client, however. The permission ticketing succeeds when granting a service-client-owned resource scope to a user. However, when evaluating permissions, Keycloak's PolicyEvaluationService breaks when trying to get the identity of the service client. Specifically, PolicyEvaluationResponseBuilder.toRepresentation(...) returns a null owner @197:

        UserModel owner = keycloakSession.users().getUserById(ticket.getOwner(), authorization.getRealm());
      

      Eventually, getting the owner name/email throws an NPE, and is caught and translated to an evaluation error:
      PolicyEvaluationService:118

      13:18:14,111 ERROR [stderr] (default task-36) java.lang.NullPointerException
      13:18:14,112 ERROR [stderr] (default task-36) 	at org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.getUserEmailOrUserName(PolicyEvaluationResponseBuilder.java:233)
      13:18:14,112 ERROR [stderr] (default task-36) 	at org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.toRepresentation(PolicyEvaluationResponseBuilder.java:200)
      13:18:14,112 ERROR [stderr] (default task-36) 	at org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.build(PolicyEvaluationResponseBuilder.java:116)
      13:18:14,112 ERROR [stderr] (default task-36) 	at org.keycloak.authorization.admin.PolicyEvaluationService.evaluate(PolicyEvaluationService.java:118)
      

      And any subsequent permission evaluations for that resource will similarly fail, regardless of the user the permissions are evaluated for. The remedy for the moment is to simply delete the offending permission ticket.

      UMA perms for service-client-owned resources seem mostly functional, presuming this is a use case Keycloak wants to support.
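      The failing line quoted above resolves the ticket owner only through the user store, so an owner id that belongs to a client comes back null and the later getEmail()/getUsername() call throws. The class below is an added example (not Keycloak's own code, and not a patch from this issue) of an owner lookup that tries the user store first and falls back to a client lookup. It assumes the org.keycloak.models types KeycloakSession, RealmModel, UserModel and ClientModel, the getUserById(id, realm) signature shown in the report, and RealmModel.getClientById(String); it also assumes that a service-client-owned resource carries that client's internal id as the ticket owner, which is what the report's symptom implies.

```java
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Resolves a human-readable name for the owner of a permission ticket.
 *
 * Added example, not Keycloak's own code. The owner id stored on a ticket
 * may identify either a user (user-owned resource) or a client (resource
 * owned by a service client), so a user-only lookup is not enough.
 */
public final class TicketOwnerResolver {

    private final KeycloakSession session;
    private final RealmModel realm;

    public TicketOwnerResolver(KeycloakSession session, RealmModel realm) {
        this.session = session;
        this.realm = realm;
    }

    /**
     * Returns the owner's e-mail (or username if no e-mail is set) for a
     * user owner, and the clientId for a client owner. Throws instead of
     * returning null so the caller never dereferences a missing owner.
     */
    public String ownerDisplayName(String ownerId) {
        if (ownerId == null || ownerId.isEmpty()) {
            throw new IllegalArgumentException("permission ticket has no owner id");
        }

        // First try the lookup the report quotes: the owner as a user.
        // Assumes the getUserById(id, realm) signature shown in the report.
        UserModel user = session.users().getUserById(ownerId, realm);
        if (user != null) {
            String email = user.getEmail();
            return (email != null && !email.isEmpty()) ? email : user.getUsername();
        }

        // Fall back to a client lookup. Assumption: a service-client-owned
        // resource stores the client's internal id as the ticket owner.
        ClientModel client = realm.getClientById(ownerId);
        if (client != null) {
            return client.getClientId();
        }

        // Neither a user nor a client: fail with context rather than letting
        // a later getEmail()/getUsername() call throw an NullPointerException.
        throw new IllegalStateException("ticket owner " + ownerId
                + " is neither a user nor a client in realm " + realm.getName());
    }
}
```

      With a lookup of this shape, a ticket whose owner is a client is rendered with the client id instead of aborting the whole evaluation, and a ticket with a dangling owner id fails with a message naming the ticket rather than with the bare NullPointerException in the trace above. It does not change whether the evaluation itself treats a client owner as the party who can grant scopes; that remains a design decision for the project.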

      People

        Assignee: Unassigned
        Reporter: Gary Schulte (garyschulteog)