
Importing Authorization Settings: Scopes are not bound to Resources | Groups not bound to Group Policies #1008

Open
ReginaldoSantos opened this issue Apr 12, 2024 · 0 comments
@ReginaldoSantos

Current Behavior

While importing clients with Authorization Settings, sometimes Scopes are not bound to Resources and sometimes Groups are not bound to Group Policies. Then, during authorization, users receive HTTP 403 because of the wrong configuration.

Expected Behavior

The creation of client Authorization Settings must ensure correct binding between Authorization elements.

I guess the correct order would be:

  1. Groups must exist before Authorization Settings are created;

  2. Scopes must be created before Resources;

  3. Resources and Policies must be created before Permissions;

(probably some ordering or an intermediary commit must be enforced)

Steps To Reproduce

1. Import a simple realm having Groups and containing a client with Authorization Settings enabled;

2. Authorization Settings have pre-defined: scopes, resource (with authorization scopes), group policies and permission (bound to resource and group policies);

3. Resource is bound to Authorization Scopes;

4. Permission is bound to Resources and Group Policies;

A simplified realm JSON with the configuration described above follows:

  {
    "id": "simple",
    "realm": "simple",
    "displayName": "Simple Realm",
    "enabled": true,
    "clients":
    [
      {
        "clientId": "simple-client",
        "name": "simple-client",
        "description": "Backend client",
        "enabled": true,
        "clientAuthenticatorType": "client-secret",
        "secret": "nv6V42dsKJNotHereMyFriendmzZqabcd",
        "redirectUris":
        [],
        "webOrigins":
        [],
        "notBefore": 0,
        "bearerOnly": false,
        "consentRequired": false,
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": true,
        "serviceAccountsEnabled": true,
        "authorizationServicesEnabled": true,
        "publicClient": false,
        "frontchannelLogout": false,
        "protocol": "openid-connect",
        "attributes":
        {
          "access.token.lifespan": "300",
          "use.refresh.tokens": "true",
          "client_credentials.use_refresh_token": "true"
        },
        "authorizationSettings":
        {
          "allowRemoteResourceManagement": false,
          "policyEnforcementMode": "ENFORCING",
          "decisionStrategy": "AFFIRMATIVE",
          "scopes":
          [
            {
              "name": "GET",
              "displayName": "GET"
            },
            {
              "name": "POST",
              "displayName": "POST"
            },
            {
              "name": "PUT",
              "displayName": "PUT"
            },
            {
              "name": "DELETE",
              "displayName": "DELETE"
            }
          ],
          "resources":
          [
            {
              "name": "Default Resource",
              "type": "urn:simple-client:resources:default",
              "ownerManagedAccess": false,
              "uris":
              [
                "/*"
              ],
              "scopes":
              [
                {
                  "name": "DELETE"
                },
                {
                  "name": "GET"
                },
                {
                  "name": "POST"
                },
                {
                  "name": "PUT"
                }
              ]
            }
          ],
          "policies":
          [
            {
              "name": "Admin Group Policy",
              "type": "group",
              "logic": "POSITIVE",
              "decisionStrategy": "UNANIMOUS",
              "config":
              {
                "groups": "[{\"path\":\"/Employee/Admin\",\"extendChildren\":false}]"
              }
            },
            {
              "name": "Default Resource Permission",
              "type": "resource",
              "logic": "POSITIVE",
              "decisionStrategy": "AFFIRMATIVE",
              "config":
              {
                "defaultResourceType": "urn:simple-client:resources:default",
                "applyPolicies": "[\"Admin Group Policy\"]"
              }
            }
          ]
        }
      }
    ],
    "groups":
    [
      {
        "name": "Employee",
        "path": "/Employee",
        "attributes":
        {},
        "realmRoles":
        [],
        "clientRoles":
        {},
        "subGroups":
        [
          {
            "name": "Admin",
            "path": "/Employee/Admin",
            "attributes":
            {},
            "realmRoles":
            [],
            "clientRoles":
            {},
            "subGroups":
            []
          },
          {
            "name": "NotAdmin",
            "path": "/Employee/NotAdmin",
            "attributes":
            {},
            "realmRoles":
            [],
            "clientRoles":
            {},
            "subGroups":
            []
          }
        ]
      }
    ],
    "users":
    [
      {
        "username": "admin",
        "enabled": true,
        "totp": false,
        "emailVerified": true,
        "credentials":
        [
          {
            "type": "password",
            "userLabel": "initial",
            "value": "admin"
          }
        ],
        "requiredActions":
        [
          "UPDATE_PASSWORD"
        ],
        "realmRoles":
        [],
        "notBefore": 0,
        "groups":
        [
          "/Employee/Admin"
        ]
      }
    ]
  }

Environment

  • Keycloak Version: 21.1.2
  • keycloak-config-cli Version: 5.9.0-21.1.1
  • Java Version: 11

Anything else?

No response
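A pre-import check, added here as example code (not part of keycloak-config-cli or of this issue), that flags the three bindings the report describes as failing, so a broken realm file is caught before the import produces 403s; `group_paths`, `dangling_refs` and `creation_order` are hypothetical helper names, and the realm below is a constructed sample (not the issue's JSON) with one unresolved scope, group and policy reference each.

```python
import json

# Constructed sample in the shape of the issue's realm export, with one missing
# scope (PATCH), one missing group (/Employee/Ops) and one missing policy.
SAMPLE_REALM = json.loads(r"""{"realm": "simple", "clients": [{"clientId": "simple-client",
  "authorizationSettings": {"scopes": [{"name": "GET"}, {"name": "POST"}],
    "resources": [{"name": "Default Resource",
                   "scopes": [{"name": "GET"}, {"name": "POST"}, {"name": "PATCH"}]}],
    "policies": [{"name": "Admin Group Policy", "type": "group", "config":
                    {"groups": "[{\"path\":\"/Employee/Admin\"},{\"path\":\"/Employee/Ops\"}]"}},
                 {"name": "Default Resource Permission", "type": "resource", "config":
                    {"applyPolicies": "[\"Admin Group Policy\",\"Missing Policy\"]"}}]}}],
 "groups": [{"path": "/Employee", "subGroups": [{"path": "/Employee/Admin", "subGroups": []}]}]}""")


def group_paths(groups):
    """Flatten the realm's group tree into the set of every group path."""
    nested = (group_paths(g.get("subGroups", [])) for g in groups)
    return {g["path"] for g in groups} | set().union(*nested)


def dangling_refs(realm):
    """List every binding the import cannot satisfy, as 'kind: source -> target'."""
    problems, paths = [], group_paths(realm.get("groups", []))
    for client in realm.get("clients", []):
        auth, cid = client.get("authorizationSettings", {}), client.get("clientId")
        scopes = {s["name"] for s in auth.get("scopes", [])}
        policies = {p["name"] for p in auth.get("policies", [])}
        for res in auth.get("resources", []):
            for s in res.get("scopes", []):
                if s["name"] not in scopes:
                    problems.append(f"scope: {cid}/{res['name']} -> {s['name']}")
        for pol in auth.get("policies", []):
            cfg = pol.get("config", {})
            # Keycloak stores group and policy targets as JSON text inside a string.
            for grp in json.loads(cfg.get("groups", "[]")):
                if grp["path"] not in paths:
                    problems.append(f"group: {cid}/{pol['name']} -> {grp['path']}")
            for name in json.loads(cfg.get("applyPolicies", "[]")):
                if name not in policies:
                    problems.append(f"policy: {cid}/{pol['name']} -> {name}")
    return problems


def creation_order(auth):
    """Order the issue proposes: scopes, resources, leaf policies, then permissions."""
    pols = auth.get("policies", [])
    leaf = [p["name"] for p in pols if "applyPolicies" not in p.get("config", {})]
    perms = [p["name"] for p in pols if "applyPolicies" in p.get("config", {})]
    return ([s["name"] for s in auth.get("scopes", [])]
            + [r["name"] for r in auth.get("resources", [])] + leaf + perms)
```

Run `dangling_refs` over a real export before importing it; an empty list means every scope, group path and applied policy the client references is defined in the same file.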
