RH-SSO / RHSSO-1626

(7.2.x) Realm partial export does no permission/role check


Details


      1. Create a new user (without any group or role assignment so it has no privileges)
      2. Get an Access Token for this user via the token endpoint (/auth/realms/<realmName>/protocol/openid-connect/token)
      3. Trigger a partial export via HTTP POST /auth/admin/realms/<realmName>/partial-export?exportGroupsAndRoles=true&exportClients=true and the Access Token of the unprivileged user as authorization

      Current behavior:
      A realm export is returned.

      Expected behavior:
      An HTTP 403 Forbidden is returned, as export should only be possible for realm admin users.
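      The three reproduction steps above, written up as a regression check that a defender can run against a patched server. This is an added example, not code from the issue or from the Keycloak project; the base URL, realm name, client id and user credentials are constructed placeholders, and the check passes only when the server answers the partial-export request with 403.

```python
"""Regression check for RHSSO-1626: partial-export must be admin-only.
Added example; BASE_URL, REALM, CLIENT_ID and the credentials are
constructed placeholders, not values from the issue."""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.invalid/auth"   # placeholder
REALM = "demo"                                   # placeholder test realm
CLIENT_ID = "admin-cli"                          # placeholder public client
EXPORT_PATH = ("/admin/realms/{realm}/partial-export"
               "?exportGroupsAndRoles=true&exportClients=true")


def token_request(base_url, realm, client_id, username, password):
    """Step 2: password-grant request to the realm's token endpoint."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password}).encode()
    return urllib.request.Request(url, data=body, method="POST")


def export_request(base_url, realm, access_token):
    """Step 3: POST to partial-export carrying the user's bearer token."""
    req = urllib.request.Request(base_url + EXPORT_PATH.format(realm=realm),
                                 data=b"", method="POST")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def verdict(status):
    """403 is the expected behaviour; any 2xx means an unprivileged
    user received realm data (the bug); anything else is inconclusive."""
    if status == 403:
        return "fixed"
    if 200 <= status < 300:
        return "vulnerable"
    return "inconclusive"


def run_check(username, password):
    """Execute the steps against BASE_URL and return the verdict."""
    with urllib.request.urlopen(token_request(
            BASE_URL, REALM, CLIENT_ID, username, password)) as resp:
        token = json.load(resp)["access_token"]
    try:
        with urllib.request.urlopen(export_request(BASE_URL, REALM, token)) as resp:
            return verdict(resp.status)
    except urllib.error.HTTPError as err:
        return verdict(err.code)


if __name__ == "__main__":
    print(run_check("unprivileged-user", "placeholder-password"))
```

      The user named in `run_check` must have no group or role assignment, exactly as in step 1, otherwise a 200 is legitimate and the verdict means nothing.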

    Sprint: Keycloak Sprint 13, Keycloak Sprint 14

    Description

      A realm export should only be possible for realm admin users.


          People

            mkanis Martin Kanis
            mkanis Martin Kanis
