Trying to enable fine-grained user permissions results in 404 error #951
Comments
I can confirm this behavior when using:
|
I've checked the documentation and the sample files in the testing directory but couldn't get it to work. I always receive a 404 or 400 error. What I'm trying to do is create a policy over the entire Users resource. A specific client named MyTestClient gets the impersonate scope.

Test-JSON (works when using as initial import file):

{
  "id": "MyTestRealm",
  "realm": "MyTestRealm",
  "clients": [
    {
      "clientId": "realm-management",
      "enabled": true,
      "authorizationServicesEnabled": true,
      "authorizationSettings": {
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "Users",
            "scopes": [
              { "name": "user-impersonated" },
              { "name": "manage-group-membership" },
              { "name": "view" },
              { "name": "impersonate" },
              { "name": "map-roles" },
              { "name": "manage" }
            ]
          }
        ],
        "policies": [
          {
            "name": "Impersonate-Clients",
            "description": "",
            "type": "client",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "clients": "[\"MyTestClient\"]"
            }
          },
          {
            "name": "manage.permission.users",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"manage\"]"
            }
          },
          {
            "name": "view.permission.users",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"view\"]"
            }
          },
          {
            "name": "map-roles.permission.users",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"map-roles\"]"
            }
          },
          {
            "name": "manage-group-membership.permission.users",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"manage-group-membership\"]"
            }
          },
          {
            "name": "user-impersonated.permission.users",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"user-impersonated\"]"
            }
          },
          {
            "name": "admin-impersonating.permission.users",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"impersonate\"]",
              "applyPolicies": "[\"Impersonate-Clients\"]"
            }
          }
        ],
        "scopes": [
          { "name": "manage" },
          { "name": "view" },
          { "name": "map-roles" },
          { "name": "impersonate" },
          { "name": "user-impersonated" },
          { "name": "manage-group-membership" }
        ],
        "decisionStrategy": "UNANIMOUS"
      }
    },
    {
      "clientId": "MyTestClient",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "redirectUris": [ "*" ],
      "webOrigins": [ "*" ],
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "fullScopeAllowed": true
    }
  ]
}
|
Had the same issue with:
By enabling logs with
I was able to find that
which led me to the conclusion that actually keycloak-cli should be more strict in terms of applying changes to the realm-management client.
That will prevent keycloak-cli from removing some relevant resources from the realm-management client. Probably adding the client property authorizationServicesEnabled: true won't harm as well.
Please, at least update the documentation. The current version of the docs doesn't provide enough context. |
@danm-de, were you able to solve the problem? I have the same issue with token impersonation configuration. |
Nope 😞 |
@danm-de experiencing the same issue with creating a new policy over the User Resource. Did you find a workaround? |
Nope. We use an
The keycloak entry looks like this:

keycloak:
  image: docker.io/bitnami/keycloak:$KEYCLOAK_VERSION
  restart: always
  depends_on:
    - postgresql ## replace with your database / storage ##
  environment:
    KEYCLOAK_ADMIN_USER: "admin"
    KEYCLOAK_ADMIN_PASSWORD: "...."
    KEYCLOAK_MANAGEMENT_USER: "manager"
    KEYCLOAK_MANAGEMENT_PASSWORD: "...."
    KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: "true"
    KC_METRICS_ENABLED: "true"
    KC_FEATURES: "token-exchange,admin-fine-grained-authz"
    KEYCLOAK_EXTRA_ARGS: "--import-realm"
  volumes:
    - ./path/to/your/import-realm.json:/opt/bitnami/keycloak/data/import/import-realm.json
  ports:
    - "8081:8080"

The CONFIG-CLI entry looks like this:

keycloak-config-cli:
  image: docker.io/bitnami/keycloak-config-cli:$KEYCLOAK_CONFIG_CLI_VERSION
  restart: "no"   # quoted: a bare no is read as a YAML boolean, compose expects the string
  depends_on:
    - keycloak
  environment:
    KEYCLOAK_URL: "http://keycloak:8080/"
    KEYCLOAK_USER: "admin"
    KEYCLOAK_PASSWORD: "...."
    KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
    KEYCLOAK_AVAILABILITYCHECK_TIMEOUT: "120s"
    IMPORT_FILES_LOCATIONS: "/config/*"
    IMPORT_VARSUBSTITUTION_ENABLED: "true"
    IMPORT_MANAGED_CLIENTAUTHORIZATIONPOLICIES: "full"
    IMPORT_MANAGED_CLIENTAUTHORIZATIONSCOPES: "full"
    IMPORT_MANAGED_CLIENTAUTHORIZATIONRESOURCES: "full"
  volumes:
    - ./path/to/your/config:/config
|
Hi @pbromb @tangkevkev, did you find a workaround? You can ensure that at your end, or perhaps share the logs in detail!

{
  "realm": "realmWithClientsForAuthzGrantedPolicies",
  "enabled": true,
  "groups": [
    { "name": "client-admin-group" }
  ],
  "clients": [
    {
      "id": "50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
      "clientId": "fine-grained-permission-client-id",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": true,
      "protocol": "openid-connect"
    },
    {
      "clientId": "z-fine-grained-permission-client-without-id",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": true,
      "protocol": "openid-connect"
    },
    {
      "clientId": "realm-management",
      "name": "${client_realm-management}",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "client-secret",
      "redirectUris": [],
      "webOrigins": [],
      "notBefore": 0,
      "bearerOnly": true,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "authorizationServicesEnabled": true,
      "publicClient": false,
      "frontchannelLogout": false,
      "protocol": "openid-connect",
      "attributes": {},
      "authenticationFlowBindingOverrides": {},
      "fullScopeAllowed": false,
      "nodeReRegistrationTimeout": 0,
      "defaultClientScopes": [
        "web-origins",
        "profile",
        "roles",
        "email"
      ],
      "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
      ],
      "authorizationSettings": {
        "allowRemoteResourceManagement": false,
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "client.resource.$z-fine-grained-permission-client-without-id",
            "type": "Client",
            "ownerManagedAccess": false,
            "scopes": [
              { "name": "view" },
              { "name": "map-roles-client-scope" },
              { "name": "configure" },
              { "name": "map-roles" },
              { "name": "manage" },
              { "name": "token-exchange" },
              { "name": "map-roles-composite" },
              { "name": "keycloak-config-cli-2" }
            ]
          },
          {
            "name": "client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "Client",
            "ownerManagedAccess": false,
            "scopes": [
              { "name": "view" },
              { "name": "map-roles-client-scope" },
              { "name": "configure" },
              { "name": "map-roles" },
              { "name": "manage" },
              { "name": "token-exchange" },
              { "name": "map-roles-composite" },
              { "name": "keycloak-config-cli-2" }
            ]
          }
        ],
        "policies": [
          {
            "name": "clientadmin-policy",
            "type": "group",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "groups": "[{\"path\":\"/client-admin-group\",\"extendChildren\":false}]"
            }
          },
          {
            "name": "manage.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"manage\"]"
            }
          },
          {
            "name": "configure.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"configure\"]",
              "applyPolicies": "[\"clientadmin-policy\"]"
            }
          },
          {
            "name": "view.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"view\"]"
            }
          },
          {
            "name": "map-roles.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"map-roles\"]"
            }
          },
          {
            "name": "map-roles-client-scope.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"map-roles-client-scope\"]"
            }
          },
          {
            "name": "map-roles-composite.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"map-roles-composite\"]"
            }
          },
          {
            "name": "token-exchange.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"token-exchange\"]"
            }
          },
          {
            "name": "keycloak-config-cli-2.permission.client.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.50eadf70-6e80-4f1d-ba0d-85cafa3c1dc7\"]",
              "scopes": "[\"keycloak-config-cli-2\"]"
            }
          },
          {
            "name": "manage.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"manage\"]"
            }
          },
          {
            "name": "configure.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"configure\"]",
              "applyPolicies": "[\"clientadmin-policy\"]"
            }
          },
          {
            "name": "view.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"view\"]"
            }
          },
          {
            "name": "map-roles.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"map-roles\"]"
            }
          },
          {
            "name": "map-roles-client-scope.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"map-roles-client-scope\"]"
            }
          },
          {
            "name": "map-roles-composite.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"map-roles-composite\"]"
            }
          },
          {
            "name": "token-exchange.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"token-exchange\"]"
            }
          },
          {
            "name": "keycloak-config-cli-2.permission.client.$z-fine-grained-permission-client-without-id",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"client.resource.$z-fine-grained-permission-client-without-id\"]",
              "scopes": "[\"keycloak-config-cli-2\"]"
            }
          }
        ],
        "scopes": [
          { "name": "manage" },
          { "name": "view" },
          { "name": "map-roles" },
          { "name": "map-roles-client-scope" },
          { "name": "map-roles-composite" },
          { "name": "configure" },
          { "name": "token-exchange" },
          { "name": "keycloak-config-cli-2" }
        ],
        "decisionStrategy": "UNANIMOUS"
      }
    }
  ]
}
|
@AssahBismarkabah I'm also still seeing the issue (also with keycloak-config-cli 6.1.6). I noted though that it only manifests with some realm configurations, and found another workaround. Make sure that the identity provider permissions are enabled by defining a resource like this:
I don't know why this works, but I noted that the IdP permissions are enabled before the authorization settings are configured, which seems to bring kc into the right state.
Note that I'm otherwise also only defining a |
Current Behavior
When I enable fine-grained permissions to allow a client direct naked impersonation manually and compare the realm exports, it adds the fields
and
to the realm export's realm-management client.
When I try to add a realm-management client to my keycloak-config-cli.json with these fields, the run (on Kubernetes with the bitnami helm chart) results in a 404 error when it tries to call the /clients/.../authz/resource-server/settings endpoint, presumably because at this time fine-grained permissions are not enabled yet in the existing configuration on the Keycloak.
Expected Behavior
When authorizationServicesEnabled is false on the existing client, keycloak-config-cli probably should not try to get the existing settings but just set them, or at the very least not consider the 404 fatal.
Steps To Reproduce
Environment
Anything else?
No response
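A pre-flight check for the condition this issue describes, added here as an example and not code from keycloak-config-cli or from anyone in the thread: it reads an import file and flags a client that declares authorizationSettings without authorizationServicesEnabled: true (the state that makes the /authz/resource-server/settings call fail), and also reports dangling policy, scope and client references. The sample import and the function name lint_authz are constructed for this example.

```python
import json

# Constructed sample, not a file from this thread: realm-management carries authorizationSettings
# but omits authorizationServicesEnabled, which is the state behind the 404 reported above.
SAMPLE_IMPORT = json.loads(r"""
{
  "realm": "MyTestRealm",
  "clients": [
    {"clientId": "MyTestClient", "enabled": true},
    {"clientId": "realm-management",
     "authorizationSettings": {
       "resources": [{"name": "Users", "scopes": [{"name": "impersonate"}]}],
       "policies": [
         {"name": "Impersonate-Clients", "type": "client", "config": {"clients": "[\"MyTestClient\"]"}},
         {"name": "admin-impersonating.permission.users", "type": "scope",
          "config": {"resources": "[\"Users\"]", "scopes": "[\"impersonate\"]", "applyPolicies": "[\"Impersonate-Clients\"]"}}
       ]}}
  ]
}
""")


def lint_authz(realm):
    """Pre-flight check over an import file, no server calls; returns a list of problems.
    Settings are written to /authz/resource-server/settings, which only exists on a client
    with authorizationServicesEnabled: true, so that flag is checked first."""
    problems = []
    client_ids = {c["clientId"] for c in realm.get("clients", [])}
    for client in realm.get("clients", []):
        settings = client.get("authorizationSettings")
        if settings is None:
            continue
        cid = client["clientId"]
        if client.get("authorizationServicesEnabled") is not True:
            problems.append(f"{cid}: authorizationSettings present but authorizationServicesEnabled is not true")
        # scopes may be declared at the top level of the settings or per resource
        declared_scopes = {s["name"] for s in settings.get("scopes", [])}
        declared_scopes |= {s["name"] for r in settings.get("resources", []) for s in r.get("scopes", [])}
        policy_names = {p["name"] for p in settings.get("policies", [])}
        for p in settings.get("policies", []):
            cfg = p.get("config", {})
            # Keycloak stores list-valued policy config as JSON encoded inside a string
            for ref in json.loads(cfg.get("applyPolicies", "[]")):
                if ref not in policy_names:
                    problems.append(f"{cid}: policy {p['name']} applies unknown policy {ref}")
            for sc in json.loads(cfg.get("scopes", "[]")):
                if sc not in declared_scopes:
                    problems.append(f"{cid}: policy {p['name']} references undeclared scope {sc}")
            for target in json.loads(cfg.get("clients", "[]")):
                if target not in client_ids:
                    problems.append(f"{cid}: policy {p['name']} references unknown client {target}")
    return problems
```

Run it against the import file before the config-cli job starts; an empty list means the flag is present and every reference resolves.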