Can't get the User Permission list using Keycloak token. Getting error like keycloak.exceptions.KeycloakAuthorizationConfigError: Keycloak settings not found. Load Authorization Keycloak settings.
Iam using python-keycloak
Keycloak Configuration
keycloak_openid = KeycloakOpenID(server_url=config.server_url,
client_id=config.client_id,
realm_name=config.realm_name,
client_secret_key=config.client_secret_key,
verify=True)
keycloak_openid.load_authorization_config(os.path.join(local_path, 'Dynamic_Client-authz-config.json'))
userinfo = keycloak_openid.get_permissions(token, method_token_info='introspect')
print(userinfo)
Key Cloak Setting File
{
"allowRemoteResourceManagement": false,
"policyEnforcementMode": "PERMISSIVE",
"resources": [
{
"name": "Default Resource",
"type": "urn:Dynamic_Client:resources:default",
"ownerManagedAccess": false,
"attributes": {},
"_id": "2c2a046f-84b2-42a8-a028-c6ae56ad63a1",
"uris": [
"/*"
]
}
],
"policies": [
{
"id": "f570c7e7-8168-4fb8-b05c-4df8be9398d0",
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"logic": "POSITIVE",
"decisionStrategy": "AFFIRMATIVE",
"config": {
"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
}
},
{
"id": "836d2453-ad1c-4482-b726-49875a8ba64f",
"name": "Default Permission",
"description": "A permission that applies to the default resource type",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"defaultResourceType": "urn:Dynamic_Client:resources:default",
"applyPolicies": "[\"Default Policy\"]"
}
}
],
"scopes": []
}
Please find the solution for my issue
so I am assuming you are looking for the roles?
If so use the introspect token , that worked for me
Introspect Token
token_info = keycloak_openid.introspect(token['access_token'])
print(token_info['resource_access']['client-name']['roles'])
I am able to get the permissions using UMA (mentioned here):
# Get UMA-permissions by token
token = keycloak_openid.token("user", "password")
permissions = keycloak_openid.uma_permissions(token['access_token'])
# Get UMA-permissions by token with specific resource and scope requested
token = keycloak_openid.token("user", "password")
permissions = keycloak_openid.uma_permissions(token['access_token'], permissions="Resource#Scope")
# Get auth status for a specific resource and scope by token
token = keycloak_openid.token("user", "password")
auth_status = keycloak_openid.has_uma_access(token['access_token'], "Resource#Scope")
Related
I am using WSO2 identity server 5.7.0, i am calling the api https://[url]:[port]/t/tenantName/scim2/Users GET. The response received is the following with HTTP status 200:
{"totalResults":0,"startIndex":1,"itemsPerPage":0,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"]}
However, the user is not being returned, the tenant has its own admin user only. The expected response (working fine on another environment) is:
{
"totalResults": 1,
"startIndex": 1,
"itemsPerPage": 1,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"Resources": [
{
"emails": [
"user1#gmail.com"
],
"meta": {
"created": "2023-01-05T13:01:12Z",
"lastModified": "2023-01-05T13:01:12Z"
},
"roles": [
{
"type": "default",
"value": "Internal/subscriber,Internal/creator,Internal/publisher,Internal/everyone,admin"
}
],
"name": {
"givenName": "user1",
"familyName": "user1"
},
"id": "2e86d8e6-7db8-4600-a8bc-f3h1d54d8h6a",
"userName": "user1"
}
]
}
How to fix this? Are there any configuration that should be changed to return all users?
Note: SCIM is enabled in user-mgt.xml file
Recreating a new tenant after enabling the SCIM solved the issue, but the issue remains for the tenant that was created prior to enabling the SCIM.
I have setup AWS Cognito with an OIDC federated identity provider. When logging in through the federated identity provider, two tokens are generated - ID token and access token. ID token contains the user specific claims where the access token contains the group specific claim.
Access Token
{
"iss": "identity provider URL",
"nbf": 1669183553,
"iat": 1669183553,
"exp": 1669187153,
"aud": [
"group",
"identity provider URL/resources"
],
"scope": [
"openid",
"email",
"profile",
"group"
],
"amr": [
"external"
],
"client_id": "...............",
"sub": "..........",
"auth_time": 1669183545,
"idp": "..............",
"username": "John Doe",
"group": [
"admin"
],
"tenant": "Tenant",
"sid": "xxxxxxxxxxxxxxxx"
}
ID Token
{
"iss": "identity provider URL",
"nbf": 1669183553,
"iat": 1669183553,
"exp": 1669183853,
"aud": "..............",
"amr": [
"external"
],
"at_hash": "PlXvXPmIGRyX6e8V0U67BQ",
"sid": "xxxxxxxxxxxxxxxx",
"sub": "...............",
"auth_time": 1669183545,
"idp": "..................",
"username": "johndoe",
"name": "John Doe",
"email": "johndoe#gmail.com"
}
The nameinfo endpoint of the OIDC identity provider contains some user specific information, but not the group information.
I have tried using pre token generation lambda trigger but the event parameter also does not contain access token specific information.
Is there any other way by which I can get the access token claims to add it to the token generated by AWS Cognito?
I've been running my web API under AWS Windows VM with IIS using Asp.Net Core and IdentityServer4.
The Identity Server is running on the same application of my secured controller.
This is running perfectly with no issue using my external domain of 'http://{my-external-domain}'.
My StartUp.cs relevant portion looks like the following:
.AddJwtBearer(options =>
{
options.Authority = xyzConfig.Authority; //http://{my-external-domain}
options.Audience = "xyz";
options.RequireHttpsMetadata = false;
I'm using http://{my-external-domain}/connect/token and then I can request the authorized content successfully.
However, when setting this flow using the AWS PrivateLink some combinations aren't working including the desired one of http://{my-internal-domain} as the issuer/authority and the secured controller.
Using the StartUp settings above I get a 500 error saying the following:
IOException: IDX20804: Unable to retrieve document from: 'http://{my-internal-domain}/.well-known/openid-configuration'.
However, from the same machine it's possible to retrieve this information:
{
"issuer": "http://{my-internal-domain}",
"jwks_uri": "http://{my-internal-domain}/.well-known/openid-configuration/jwks",
"authorization_endpoint": "http://{my-internal-domain}/connect/authorize",
"token_endpoint": "http://{my-internal-domain}/connect/token",
"userinfo_endpoint": "http://{my-internal-domain}/connect/userinfo",
"end_session_endpoint": "http://{my-internal-domain}/connect/endsession",
"check_session_iframe": "http://{my-internal-domain}/connect/checksession",
"revocation_endpoint": "http://{my-internal-domain}/connect/revocation",
"introspection_endpoint": "http://{my-internal-domain}/connect/introspect",
"device_authorization_endpoint": "http://{my-internal-domain}/connect/deviceauthorization",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": [
"openid",
"email",
"profile",
"xyz",
"offline_access"
],
"claims_supported": [
"sub",
"email",
"email_verified",
"name",
"family_name",
"given_name",
"middle_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at"
],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token",
"implicit",
"password",
"urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported": [
"form_post",
"query",
"fragment"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"request_parameter_supported": true
}
When I changed the StartUp.cs settings to the following:
var key = System.Text.Encoding.ASCII.GetBytes(xyzConfig.Secret);
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
//options.Authority = xyzConfig.Authority;
options.Audience = "xyz";
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(key),
ValidateIssuer = false,
ValidateAudience = false
};
});
Now I get 401 with the following message in the response header:
Bearer error="invalid_token", error_description="The signature key was not found"
This was pretty interesting as the token used here seems valid when parsed in jsonwebtoken.io:
{
"nbf": 1602077163,
"exp": 1602080774,
"iss": "http://{my-internal-domain}",
"aud": [
"http://{my-internal-domain}/resources",
"xyz"
],
"client_id": "789456",
"sub": "23de9244-86ba-4553-845f-1cbe6bac0536",
"auth_time": 1602077162,
"idp": "local",
"given_name": "gname",
"email": "email#white.com",
"scope": [
"openid",
"xyz"
],
"amr": [
"pwd"
],
"jti": "921552fd-da9b-49b0-98a6-c7c0dcb2d865",
"iat": 1602077174
}
That also comes with the Signing Key Verified so now I don't know which way should we go now and if anyways we can run the JWT authentication using AWS PrivateLink that uses their Network Load Balancer (NLB)
If any other info is required I'll be happy to provide here.
Any help is appreciated here, thanks!
I am trying to create a user with scim2 API in wso2 with my own extended claim
my API request
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"name": {
"familyName": "jackson",
"givenName": "kim"
},
"userName": "test3",
"password": "abc123",
"demoRole":"student",
"emails": [
{
"primary": true,
"value": "kim.jackson#gmail.com",
"type": "home"
},
{
"value": "kim_j#wso2.com",
"type": "work"
}
],
"roles":[
{
"value": "PRIMARY/manager"
}
]
}
and the configuration in scim2-schema-extension.config.xml is
{
"attributeURI":"urn:ietf:params:scim:schemas:core:2.0:User:demoRole",
"attributeName":"demoRole",
"dataType":"string",
"multiValued":"false",
"description":"The displayName of the User's manager.",
"required":"false",
"caseExact":"false",
"mutability":"readwrite",
"returned":"default",
"uniqueness":"none",
"subAttributes":"null",
"canonicalValues":[],
"referenceTypes":["external"]
},
my claim configuration is
Claim URI -> urn:ietf:params:scim:schemas:core:2.0:User:demoRole
Mapped Local Claim -> http://wso2.org/claims/demoRole
Attribute URI for your schema extension should be,
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:demoRole
So, External claim URI for urn:ietf:params:scim:schemas:extension:enterprise:2.0:User will be,
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:demoRole
SCIM2 create user request should contain the demoRole as,
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"demoRole":"student"}
For more details on the schema extension representation, refer the specification
How can we get the phone number with Google OAuth API login.
I am using scopes as
'scope' : 'https://mail.google.com https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login '
and the request is as
var request = gapi.client.plus.people.get({'userId': 'me'});
Is there any scope we can use to get it.
I am getting response as with no sight of phone number :
{
"kind": "plus#person",
"etag": "\"vPymIyv1bT9LfmoUujkgN2yLMK0\"",
"gender": "male",
"emails": [
{
"value": "XXX#gmail.com",
"type": "account"
}
],
"urls": [
{
"value": "http://picasaweb.google.com/XXX",
"type": "otherProfile",
"label": "Picasa Web Albums"
}
],
"objectType": "person",
"id": "4354354334435465",
"displayName": "XXXXX YYYY",
"name": {
"familyName": "XXX",
"givenName": "YYYYY"
},
"url": "https://plus.google.com/1100335464643327",
"image": {
"url": "https://lh3.googleusercontent.com/-fgsdgfgU9-jU/AAAAAAAAAAI/AAAAAAAADkM/fgffdgdkM/photo.jpg?sz=50",
"isDefault": false
},
"isPlusUser": true,
"language": "en",
"ageRange": {
"min": 21
},
"circledByCount": 59,
"verified": false
}
if you want to get user phone numbers you have to have authorization from the user: see the following info page : https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
ask the user for this scope of authorization :
https://www.googleapis.com/auth/admin.directory.user.readonly
after you have authorization from user run the folowing request :
GET https://www.googleapis.com/admin/directory/v1/users/userKey
the response will be a JSON response formatted as followed:
https://developers.google.com/admin-sdk/directory/v1/reference/users#resource
one of the attributes is phone list.
hope it helps.
You can use google's people API to get the user's phone numbers.
To explore more you can try yourself.
Steps to explore:
Visit this link.
Select https://www.googleapis.com/auth/user.phonenumbers.read permission in People API v1 section
Click on Authorize API
Choose the account to log in
Grant permission
Click Exchange authorization code for tokens
Enter https://people.googleapis.com/v1/people/138262720636785143353?personFields=phoneNumbers,emailAddresses link, make sure you replace the UID
Click on send request to see the response