Red Hat build of Keycloak - RHBK-1274

[GHI#25057] Inconsistent behaviour on getting user permissions using authorization


      Area

      authorization-services

      Describe the bug

      On a confidential client using Authorization, create one resource with 2 scopes and User-Managed Access Enabled:

      (screenshot of the resource definition attached to the original issue)

      Assign the user to the permission and just one of the scopes (in my case I have assigned scope1):

      ```
      #!/bin/bash
      export REALM="permissions-test"
      export CLIENT_ID="permission-client-default"
      export CLIENT_SECRET="HumjZDHltnIixH3kLvrrfKDvPw2Q59td"

      # Token for the client itself (client credentials), used to call the Protection API
      export ACCESS_TOKEN=$(
      curl -s \
        -d "client_id=${CLIENT_ID}" \
        -d "client_secret=${CLIENT_SECRET}" \
        -d "grant_type=client_credentials" \
        "http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token" \
        | jq -r '.access_token'
      )

      # Create a permission ticket granting the requester only scope1 on the resource
      curl -s -X POST "http://localhost:8080/auth/realms/${REALM}/authz/protection/permission/ticket" \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        -H "Content-Type: application/json" \
        -d '{ "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d", "requester": "084db0fc-4331-4241-9c22-89f84b8e522d", "granted": true, "scopeName": "scope1" }' | jq

      # Response:
      {
        "id": "47c4e482-e01d-4ef4-8dd6-277a47d634a8",
        "owner": "4a6cc3bb-9b19-4107-8a64-f36fcfbd5505",
        "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
        "scope": "bf5981fd-84c2-4e5e-b75c-9b993063d1cb",
        "granted": true,
        "requester": "084db0fc-4331-4241-9c22-89f84b8e522d"
      }
      ```

      After that, query the permission by Id and by Name:
      ```
      export REALM="permissions-test"
      export CLIENT_ID="permission-client-default"
      export CLIENT_SECRET="HumjZDHltnIixH3kLvrrfKDvPw2Q59td"
      export TEST_USER="testuser"
      export TEST_USER_PASSWORD="abc123"
      export RESOURCE_ID="8f6ccd63-8399-4266-aae4-a919c9d8776d"
      export RESOURCE_NAME="test"

      # Token for the test user (password grant); it is exchanged for permissions below
      export ACCESS_TOKEN=$(
      curl -s \
        -d "client_id=${CLIENT_ID}" \
        -d "client_secret=${CLIENT_SECRET}" \
        -d "grant_type=password" \
        -d "username=${TEST_USER}" \
        -d "password=${TEST_USER_PASSWORD}" \
        "http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token" \
        | jq -r '.access_token'
      )

      # 1. Query the user's permissions by resource id
      curl -s -X POST "http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token" \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
        --data "audience=${CLIENT_ID}" \
        --data "permission=${RESOURCE_ID}" \
        --data "response_mode=permissions" | jq

      # Result by resource id:
      [
        {
          "scopes": [
            "scope1"
          ],
          "rsid": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
          "rsname": "test"
        }
      ]

      # 2. Query the user's permissions by resource name
      curl -s -X POST "http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token" \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
        --data "audience=${CLIENT_ID}" \
        --data "permission=${RESOURCE_NAME}" \
        --data "response_mode=permissions" | jq

      # Result by resource name:
      [
        {
          "scopes": [
            "scope1",
            "scope2"
          ],
          "rsid": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
          "rsname": "test"
        }
      ]
      ```

      Even though I have assigned just scope1 to the test resource, when calling the permissions endpoint using the resourceName, both scopes are retrieved.
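The practical concern in this report is an over-grant: the permissions endpoint returns a scope (scope2) that no permission ticket granted. The following check is an added example, not code from the issue or from the Keycloak project. It takes the permission tickets for a requester (as the Protection API ticket endpoint returns them) and the `response_mode=permissions` output, and reports any scope per resource that appears in the permissions but was never granted by a ticket. Tickets reference scopes by id while the permissions name them, so a scope id to name mapping is needed; the mapping and the requester constant below are assumptions built from the values the issue shows, and the handling of a ticket without a scope (treated as a whole-resource grant) is also an assumption.

```python
"""Added check (not from the Keycloak issue or project): compare scopes returned by the
UMA token endpoint (response_mode=permissions) with the scopes granted via tickets."""

from collections import defaultdict

# Constructed sample data copied from the issue's own output.
REQUESTER = "084db0fc-4331-4241-9c22-89f84b8e522d"

# Assumption: the issue only shows that this scope id corresponds to "scope1".
SCOPE_NAMES = {"bf5981fd-84c2-4e5e-b75c-9b993063d1cb": "scope1"}

TICKETS = [
    {
        "id": "47c4e482-e01d-4ef4-8dd6-277a47d634a8",
        "owner": "4a6cc3bb-9b19-4107-8a64-f36fcfbd5505",
        "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
        "scope": "bf5981fd-84c2-4e5e-b75c-9b993063d1cb",
        "granted": True,
        "requester": REQUESTER,
    }
]

# Output of the query by resource id, as shown in the issue
PERMISSIONS_BY_ID = [
    {"scopes": ["scope1"], "rsid": "8f6ccd63-8399-4266-aae4-a919c9d8776d", "rsname": "test"}
]
# Output of the query by resource name, as shown in the issue
PERMISSIONS_BY_NAME = [
    {"scopes": ["scope1", "scope2"], "rsid": "8f6ccd63-8399-4266-aae4-a919c9d8776d", "rsname": "test"}
]

WHOLE_RESOURCE = "*"  # marker for a ticket that grants the resource without naming a scope


def granted_scopes(tickets, scope_names, requester):
    """Map resource id -> set of scope names granted to `requester` by granted tickets."""
    granted = defaultdict(set)
    for ticket in tickets:
        if not ticket.get("granted") or ticket.get("requester") != requester:
            continue  # pending tickets and other requesters do not grant anything
        scope_id = ticket.get("scope")
        if scope_id is None:
            # Assumption: a ticket without a scope grants the whole resource.
            granted[ticket["resource"]].add(WHOLE_RESOURCE)
        else:
            # Fall back to the raw id when the name is unknown, so it still shows up in a diff.
            granted[ticket["resource"]].add(scope_names.get(scope_id, scope_id))
    return granted


def excess_scopes(permissions, granted):
    """Return resource id -> scopes present in the permissions response but not granted."""
    excess = {}
    for perm in permissions:
        rsid = perm["rsid"]
        allowed = granted.get(rsid, set())
        if WHOLE_RESOURCE in allowed:
            continue  # whole-resource grant: every scope of the resource is legitimately returned
        extra = set(perm.get("scopes", [])) - allowed
        if extra:
            excess[rsid] = extra
    return excess


def check(tickets, scope_names, requester, permissions):
    """Convenience wrapper: tickets + permissions response -> over-granted scopes per resource."""
    return excess_scopes(permissions, granted_scopes(tickets, scope_names, requester))


if __name__ == "__main__":
    print("by id:  ", check(TICKETS, SCOPE_NAMES, REQUESTER, PERMISSIONS_BY_ID))    # {}
    print("by name:", check(TICKETS, SCOPE_NAMES, REQUESTER, PERMISSIONS_BY_NAME))  # scope2 flagged
```

Run against the two responses from the issue, the by-id query produces no excess and the by-name query flags scope2 on the resource, which is exactly the inconsistency reported. A resource server that enforces per-scope access on RPT contents can run this comparison against its own ticket records to detect the over-grant rather than trusting the permissions list as returned.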

      Version

      23.0.0

      Expected behavior

      Only the scope assigned to the user should be retrieved by resource name or resource id.

      Actual behavior

      Both scopes are retrieved when using resource name.

      How to Reproduce?

      Create a confidential client with authorization enabled. Create one resource and 2 scopes. Assign both scopes to the resource.
      Give a permission ticket to the user using the resource and one of the scopes.

      Anything else?

      No response

              psilva@redhat.com Pedro Igor Craveiro
              pvlha Pavel Vlha
              Keycloak Core IAM