RH-SSO / RHSSO-1626

(7.2.x) Realm partial export does no permission/role check



      1. Create a new user with no group or role assignment, so that it holds no privileges.
      2. Obtain an access token for this user from the token endpoint (/auth/realms/<realmName>/protocol/openid-connect/token).
      3. Trigger a partial export with HTTP POST /auth/admin/realms/<realmName>/partial-export?exportGroupsAndRoles=true&exportClients=true, sending the unprivileged user's access token as the bearer token in the Authorization header.

      Current behavior:
      A realm export is returned.

      Expected behavior:
      An HTTP 403 Forbidden is returned, as the export should only be possible for a realm admin user.
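
The three reproduction steps above, as an added regression check that is not part of this issue or of RH-SSO/Keycloak. It obtains a token for the test user, POSTs to partial-export and turns the HTTP status into a verdict; it also reads the `resource_access.realm-management.roles` claim out of the token payload (without verifying the signature, since the token is our own) to confirm the precondition that the user really holds no realm-management role. The host `sso.example.com`, the realm `demo`, the client `admin-cli` and the `SSO_*` environment variables are assumptions; `make_test_token` builds a constructed, unsigned token for offline testing only.

```python
"""Regression check for RHSSO-1626: an unprivileged user must get 403 from partial-export.

Added example, not code from the issue or from RH-SSO/Keycloak. Assumes a
public client with direct access grants enabled ('admin-cli', an assumption)
and an unprivileged test user in the target realm.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def token_url(base, realm):
    # Token endpoint named in step 2 of the report.
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"


def export_url(base, realm, groups_and_roles=True, clients=True):
    # Admin endpoint named in step 3 of the report, with the same query flags.
    query = urllib.parse.urlencode({
        "exportGroupsAndRoles": str(groups_and_roles).lower(),
        "exportClients": str(clients).lower(),
    })
    return f"{base}/auth/admin/realms/{realm}/partial-export?{query}"


def make_test_token(claims):
    """Constructed, unsigned JWT-shaped string for offline testing only.
    A real RH-SSO access token carries an RS256 signature in the third segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def realm_management_roles(access_token):
    """Roles granted on the built-in 'realm-management' client, read from the token
    payload. The signature is deliberately NOT verified: this inspects a token we
    obtained ourselves, only to confirm the test user is really unprivileged."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)      # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("resource_access", {}).get("realm-management", {}).get("roles", []))


def classify(status, roles):
    """Verdict for the export call, given its HTTP status and the caller's realm-management roles."""
    if roles & {"manage-realm", "view-realm", "realm-admin"}:
        return "precondition-failed"   # user is not unprivileged, so a 200 would be legitimate
    if status == 403:
        return "pass"                  # expected behavior
    if status == 200:
        return "fail"                  # RHSSO-1626: export handed to an unprivileged user
    if status == 401:
        return "inconclusive"          # token rejected before authorization was evaluated
    return "unexpected"


def get_token(base, realm, client_id, username, password):
    # Step 2: resource-owner password grant against the realm token endpoint.
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(token_url(base, realm), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def partial_export_status(base, realm, access_token):
    # Step 3: POST to the admin endpoint with the user's token; return the HTTP status.
    req = urllib.request.Request(
        export_url(base, realm), data=b"", method="POST",
        headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    base = os.environ.get("SSO_BASE", "https://sso.example.com")   # assumed host
    realm = os.environ.get("SSO_REALM", "demo")                    # assumed realm
    token = get_token(base, realm, os.environ.get("SSO_CLIENT", "admin-cli"),
                      os.environ["SSO_USER"], os.environ["SSO_PASS"])
    status = partial_export_status(base, realm, token)
    verdict = classify(status, realm_management_roles(token))
    print(f"partial-export -> HTTP {status}: {verdict}")
    sys.exit(0 if verdict == "pass" else 1)
```

Run it as `SSO_USER=... SSO_PASS=... python3 check.py`; a fixed server yields `pass`, an affected 7.2.x server yields `fail`. The role check matters because a user who was accidentally given `manage-realm` or `view-realm` on `realm-management` would legitimately receive the export, so a 200 is only evidence of the bug when the token carries none of those roles.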

    Sprint: Keycloak Sprint 13, Keycloak Sprint 14

      A realm export should only be possible for realm admin users.

              mkanis Martin Kanis
              Votes: 0
              Watchers: 1
