I have a KC instance where I have some clients with the Authorization option enabled. All works well, but, acting as a client, I need this specific information: Given a certain resource with specific scopes I want the list of users who have accesse to this resource.
I've explored the available APIs multiple times without success. Is there a way to obtain this information or do I necessary need to extends KC capabilities with a dedicated SPI ?
It is possible by Admin rest-API for finding a specific resource's all of user.
This steps
I am using Keycloak v18.0.2 (if use v19/v20, just remove auth in API endpoint)
#1 Get specific client uuid
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}
#2 Get specific resource uuid
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}
#3 Get specific permission of #2
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}/permissions
#4 Get policy of #3
Get policy and permission list
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy
Get policy of specific permission
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{permission-uuid}/associatedPolicies
#5 Get user list of #4
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
The user list will return in body of response
{
"id": {policy-uuid},
"name": {policy-name},
"config": {
"users": "[array of {user-uuid}]"
}
}
Demo by UI
I will find all of user in resource1 of my-test client.
It assosicated permission1
permissions1 apply policy1
policy's user two users
Demo by API
Same step by APIs
Find client uuid
Find a specific resource uuid
Get specific resource
Get permission and policy list
Get associated policy for permission
Get user list for policy
That user uuid matched user list
So you can find resource1's user are user1 and user3
Unfortunately, you cannot. Keycloak authorization mechanism examines only when it has input. Here your input is User.
To do that, you have to ask for all users. This is not practical bcz there might be thousand of users.
Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request
Related
I have two realms, a public webapp and an extranet where only employees can access.
I have tried setting group policies.
When I try to connect with an non-employee user, keycloak still returns the access token.
What did I miss?
EDIT.
I made a mistake, I only have 2 clients.
You have to limit the access granted to your access token to achieve this. There are three ways to do it (that I know of)
Audience: Allows listing the resource providers that should accept an access token.
Roles: Through controlling what roles a client has access to, it is
possible to control what roles an application can access on behalf
of the user.
Scope: In Keycloak, scopes are created through client scopes, and an
application can only have access to a specific list of scopes.
You can look at this example which explains the flow on how to achieve this using role based method. You can refer this as well.
We have one realm with many users and multiple OIDC clients configured. We would like to connect another application (OIDC Client) to the realm. Unfortunately, the client cannot check for any attributes or roles to be present.
How can I configure Keycloak to authenticate with a specific OIDC-client but return failing authentication if users have not a specific role?
Generally this type of option will not work, since authorization redirects occur before you know who the user is, and therefore before you know which roles are involved.
WHAT I WOULD DO
Make an authorization redirect perform only the following job:
Signing in the user and returning the user id (sub claim), along with perhaps a couple of scopes
Then manage roles within your app - the second app should call a Web API that does this:
Get claims from the access token, and also from other sources, then use them for identification and authorization
If a user authenticates but is not entitled to use a particular app, detect this via an API call, then present an Access Denied page in the app after login.
To reach this you should implement the AuthenticatorFactory and Authenticator interfaces of Keycloak. Look here for more infos.
In the authenticate() method you will write something similar to this:
If(client == yourClient){
// Check for roles
}
Otherwise, expected behaviour in case of failure.
I am trying to understand the use of access tokens to authorize an API fronted by API Gateway.
My current understanding of the process is as follows:
After setting up a Cognito User Pool, I can define a resource server and associated scopes (e.g. https://wibble-api.com/read, https://wibble-api.com/full).
Then, I can select the allowed custom scopes for a user pool app client.
In AWS Gateway, I can create a Cognito Authorizer to authorize incoming requests.
For each AWS Gateway resource, I can go into the Method Request and select the Cognito Authorizer and determine which OAuth scopes are necessary in order to be able to execute the API method e.g. I can enter https://wibble-api.com/read, https://wibble-api.com/full to indicate that either of those two scopes are sufficient to be allowed to execute the API resource.
When using the hosted UI, the scope parameter will include all of the allowed scopes configured for that app client, and the returned access token (if using implicit grant) will contain those scopes as part of the JWT.
What I don't understand is, I have what must be a very common scenario where I want to be able to give the read-only scope to, say, a user that hasn't paid for the service, and the full scope to a user that has paid. Yet it looks like I would need to have two separate app clients if I'm going to be using the Hosted UI, because there doesn't seem to be a way to return different scopes depending on, say, what group the user has been assigned, or some other metadata in their user profile such as department, etc. I won't know what sort of user they are until after they have been authenticated, but I still need to enter the exact scope when I am authenticating. Is there a solution for this, please?
I'm having some problems to configure a keycloak server. I created two roles, two groups (one per role) and two users (one in each group). Now I'm trying to give the authorization to access to a specific path (e.g http://localhost:8080/api/private/premium) only to one of my groups.
I created (under Authorization tab) a resource with the URI that I want to protect, a policy (type group) and a permission. I also use the Evaluate tab to test this configuration and I get the correct result: result DENY for the user in the group NOT associated with the policy, result PERMIT for the user in the other group. So I tried to test the configuration using POSTMAN:
1_ get the access tokens of my two users (http://localhost:7070/auth/realms/REST_realm/protocol/openid-connect/token).
2_ get the protected resource (http://localhost:8080/api/private/premium), first with the unauthorized user, then with the authorized.
The problem is that I get the resource correctly in both cases (I was expecting an error message for the call with the authentication token of the unauthorized user).
Any suggestion?
I'm trying to figure out how to use the Azure Graph API to query a user's full name (first and last) from a given username. I understand I can do this with the following Graph API call...
https://graph.windows.net/myorganization/users/{user_id}?api-version
However, I am not sure how I go about getting an access token to use with this, because this process will be called without a user logging in, which is usually how we obtain an access token.
Is there anyway I can pass a username/password to a given URL using cURL or something and obtain an access token that way, so it is done behind-the-scenes?
There are two main authentication methods which are supported by OAuth 2:
Authorization Code Grant Flow
Client Credentials Grant Flow
The first flow requires a user agent to be present to sign into the client service and results in a delegated token. The second method does not require a user to sign in, as it only authenticates using the client secret; this results in an app only token.
If you want to create a background service that captures data from the AAD Graph API, you can absolutely do this using the Client Credentials Grant Flow, which does not require a user to be present at any point during the authentication flow.
You simply need to configure your application to to have app only scopes. Read here: Permission scopes | Graph API concepts. App only scopes all require tenant administrators to consent to the application in order to get access to data.
Finally, I feel I must mention that there is another less used flow specified in the OAuth 2 spec: Resource Owner Password Credentials Grant. This flow specifies how a client application who has knowledge of a user's username and password could directly pass those parameters and get an access token on behalf of the user. However using this flow is not good practice at all.
The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.
We support this in our V1 endpoint, but not in our new V2 endpoint. You can read this blog to learn more.