[KEYCLOAK-9666] - Entitlement request with service account results in server error

Pedro Igor 2019-12-30 15:53:08 -03:00 committed by Stian Thorgersen
parent 658a083a0c
commit ed2d392a3d
3 changed files with 64 additions and 2 deletions


@ -74,7 +74,9 @@ public class AuthorizationResource {
Callable<AuthorizationResponse> callable = new Callable<AuthorizationResponse>() { Callable<AuthorizationResponse> callable = new Callable<AuthorizationResponse>() {
@Override @Override
public AuthorizationResponse call() throws Exception { public AuthorizationResponse call() throws Exception {
if (request.getAudience() == null) {
request.setAudience(configuration.getResource()); request.setAudience(configuration.getResource());
}
HttpMethod<AuthorizationResponse> method = http.<AuthorizationResponse>post(serverConfiguration.getTokenEndpoint()); HttpMethod<AuthorizationResponse> method = http.<AuthorizationResponse>post(serverConfiguration.getTokenEndpoint());
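Review bot: The new null guard falls back to the client's own resource server but says nothing about why, and the fallback is written back into the caller's `request` object rather than a local copy, so a request object that is reused or retried now carries the defaulted audience; a short comment at the guard would make both points explicit, e.g. `// no audience given: ask for permissions on this client's own resource server (note: mutates the caller's request)`. The surrounding `call()` and the method that builds the callable start and end outside the hunk.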


@ -81,6 +81,7 @@ import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException; import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls; import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.resources.Cors; import org.keycloak.services.resources.Cors;
import org.keycloak.sessions.AuthenticationSessionModel; import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel; import org.keycloak.sessions.RootAuthenticationSessionModel;
@ -283,7 +284,12 @@ public class AuthorizationTokenService {
RootAuthenticationSessionModel rootAuthSession = keycloakSession.authenticationSessions().getRootAuthenticationSession(realm, userSessionModel.getId()); RootAuthenticationSessionModel rootAuthSession = keycloakSession.authenticationSessions().getRootAuthenticationSession(realm, userSessionModel.getId());
if (rootAuthSession == null) { if (rootAuthSession == null) {
if (userSessionModel.getUser().getServiceAccountClientLink() == null) {
rootAuthSession = keycloakSession.authenticationSessions().createRootAuthenticationSession(userSessionModel.getId(), realm); rootAuthSession = keycloakSession.authenticationSessions().createRootAuthenticationSession(userSessionModel.getId(), realm);
} else {
// if the user session is associated with a service account
rootAuthSession = new AuthenticationSessionManager(keycloakSession).createAuthenticationSession(realm, false);
}
} }
AuthenticationSessionModel authSession = rootAuthSession.createAuthenticationSession(targetClient); AuthenticationSessionModel authSession = rootAuthSession.createAuthenticationSession(targetClient);
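Review bot: The service-account branch creates a brand-new root authentication session on every request — `createAuthenticationSession(realm, false)` is not keyed by the user session id, unlike the `createRootAuthenticationSession(userSessionModel.getId(), realm)` branch above it — so unless that session is removed once the response is built, which if it happens is outside this hunk, each entitlement request from a service account leaves a root session behind until it expires; worth confirming the cleanup or stating it here. The comment on the new `else` branch only restates the condition; it should say what is different about this path, e.g. `// service-account user session: create a standalone root auth session (not bound to a browser cookie) instead of one keyed by the user session id`. The import hunk above is trivial, and the enclosing method continues outside the hunk.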


@ -2038,6 +2038,60 @@ public class EntitlementAPITest extends AbstractAuthzTest {
assertEquals("Resource A", permissions.iterator().next().getResourceName()); assertEquals("Resource A", permissions.iterator().next().getResourceName());
} }
@Test
public void testClientToClientPermissionRequest() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization();
JSPolicyRepresentation policy = new JSPolicyRepresentation();
policy.setName(KeycloakModelUtils.generateId());
policy.setCode("$evaluation.grant();");
authorization.policies().js().create(policy).close();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Sensors");
try (Response response = authorization.resources().create(resource)) {
response.readEntity(ResourceRepresentation.class);
}
ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
permission.setName("View Sensor");
permission.addPolicy(policy.getName());
authorization.permissions().resource().create(permission).close();
ClientRepresentation otherClient = new ClientRepresentation();
otherClient.setClientId("serviceB");
otherClient.setServiceAccountsEnabled(true);
otherClient.setSecret("secret");
otherClient.setPublicClient(false);
getRealm().clients().create(otherClient);
Map<String, Object> credentials = new HashMap<>();
credentials.put("secret", "secret");
AuthzClient authzClient = AuthzClient
.create(new Configuration(suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth",
getRealm().toRepresentation().getRealm(), otherClient.getClientId(),
credentials, getAuthzClient(AUTHZ_CLIENT_CONFIG).getConfiguration().getHttpClient()));
AuthorizationRequest request = new AuthorizationRequest();
request.setAudience(RESOURCE_SERVER_TEST);
AuthorizationResponse response = authzClient.authorization().authorize(request);
assertNotNull(response.getToken());
}
private void testRptRequestWithResourceName(String configFile) { private void testRptRequestWithResourceName(String configFile) {
Metadata metadata = new Metadata(); Metadata metadata = new Metadata();