Keycloak uma-grant type tickets for service accounts do not seem to work with policies

心已入冬 submitted on 2021-02-09 05:41:32

Question


I am trying to use the Keycloak AuthzClient to register resources and related permissions in a resource server.

I have a resource server "resourceserver" with authz service enabled.

Using the AuthzClient, initialized with the json file containing the resource server's client id and secret, I'm able to obtain a pat.

    import java.util.Collections;
    import java.util.HashSet;
    import org.keycloak.authorization.client.AuthzClient;
    import org.keycloak.representations.idm.authorization.ResourceRepresentation;
    import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;

    ...
    // Obtain a PAT (protection API token) with the resource server's own client credentials
    String pat = authzClient.obtainAccessToken().getToken();

    // Register the resource (owner-managed, with read/write scopes) through the Protection API
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("myresource");
    resource.setUris(new HashSet<>(Collections.singletonList("urn:resourceserver:resourcetype1:myresource")));
    resource.setOwnerManagedAccess(true);
    resource.setType("urn:resourceserver:resourcetype1");
    resource.addScope("read", "write");
    resource = authzClient.protection(pat).resource().create(resource);

    // Attach a UMA policy to the resource that grants access to holders of the "somerole" role
    UmaPermissionRepresentation permissionRepresentation = new UmaPermissionRepresentation();
    permissionRepresentation.setName("myresourcepermissions");
    permissionRepresentation.setDescription("foo");
    permissionRepresentation.addRole("somerole");
    UmaPermissionRepresentation result = authzClient.protection(pat).policy(resource.getId()).create(permissionRepresentation);

After executing this code, I can see in the Keycloak admin UI that the resource has been created, along with the scopes; however, the policy/permission doesn't seem to show up.

I believe it is probably intended, as this keycloak admin UI only shows policies of types client, role, js, etc., but not "uma" which is what UmaPermissionRepresentation creates.

I can however see that policy exists in Keycloak by querying authz/protection/uma-policy with my pat.

So there is something there. Now testing it. I created a regular user and assigned it the realm role somerole. Using this user and some arbitrary public client, I'm able to get an RPT.

First getting an access token using the password grant:

grant_type=password&username=joe&password=password&client_id=somepublicclient

Then exchanging that for an RPT:

grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=resourceserver

The RPT comes back and if I view its contents, I can see the authorization block giving me access to the myresource resource.

However, when I try a similar flow with a service account (to which I also granted the somerole role) using the client credentials flow to obtain the initial access token:

grant_type=client_credentials&client_id=serviceaccount1&client_secret=77c1ffa8-0ea8-420c-ad45-e1a69a03838d

I am able to obtain an RPT, but that RPT does not contain myresource in the authorization/permission block, only the Default resource.

I have been trying to understand why that is. I have also tried using the .addClient("serviceaccount1") or even .addUser("service-account-serviceaccount1") in the UmaPermissionRepresentation, but still, the policy doesn't seem to kick in and my service account does not have access to the resource.

This is using Keycloak 4.8.0.Final.

Note: using the Keycloak admin client, I am able to create policies/permissions that actually make this work; but in my environment this would cause other problems because of the roles I would need to assign to the admin client (like viewing all clients to retrieve an id etc.)


Answer 1:


I have the same problem with KeyCloak 11.0.2. Shared resources do not end up in the permission tickets of service accounts. Service accounts are explicitly excluded in the authorization token service. Since sharing resources with service accounts is possible, this seems inconsistent.

However, you can work around this by explicitly setting the azp claim to something other than your client_id via a protocol mapper on your client.

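As an added example (not code from the question, the answer, or Keycloak itself), the service-account flow from the question driven with Python's standard library, plus the check both posts make by hand: decode the RPT and see whether myresource appears in its authorization block, and whether the azp claim equals the client_id that the answer's protocol-mapper workaround changes. The token endpoint URL, the realm and the sample RPT are assumptions constructed for the demo.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed server URL and realm (placeholders, not from the original question)
TOKEN_URL = "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token"

def post_form(fields, bearer=None):
    """POST a form to the token endpoint and return its JSON body."""
    req = urllib.request.Request(TOKEN_URL, data=urllib.parse.urlencode(fields).encode())
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def client_credentials_token(client_id, client_secret):
    """Step 1 from the question: the service account obtains an access token."""
    fields = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    return post_form(fields)["access_token"]

def exchange_for_rpt(access_token, audience):
    """Step 2: exchange it for an RPT with the uma-ticket grant against the resource server."""
    fields = {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", "audience": audience}
    return post_form(fields, bearer=access_token)["access_token"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def granted_resources(rpt):
    """Map resource name -> scopes from the RPT's authorization.permissions block."""
    perms = jwt_claims(rpt).get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}

def diagnose(rpt, client_id, resource_name):
    """The two things the question and answer look at: is the resource granted, and is azp the client id."""
    return {"resource_granted": resource_name in granted_resources(rpt),
            "azp_is_client_id": jwt_claims(rpt).get("azp") == client_id}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample RPT reproducing the service-account case from the question
SAMPLE_RPT = ".".join([_b64url({"alg": "none"}), _b64url({"azp": "serviceaccount1", "authorization": {
    "permissions": [{"rsid": "placeholder-id", "rsname": "Default Resource"}]}}), ""])
```

Against a live server, `diagnose(exchange_for_rpt(client_credentials_token(cid, secret), "resourceserver"), cid, "myresource")` tells you in one call whether the mapper workaround took effect.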



Source: https://stackoverflow.com/questions/54099677/keycloak-uma-grant-type-tickets-for-service-accounts-do-not-seem-to-work-with-po
