I want a custom scope called avm.read to be inclued in the scopes of the access token when requesting it.
I have an ApiResource called compApi and an ApiResourceScope called avm.read.
I've also added an ApiScope avm.read and added the avm.read to the ClientScopes.
When requesting the token, I'm also requesting the following scopes:
openid
profile
email
avm.read
After retrieving the token and deserializing it with jwt.io, I only see the openid in the scopes array:
"scope": [
"openid"
],
What do I have to do in addition to what I already did so that the avm.read custom scope is also included in the scope array of the token?
Thanks in advance
Related
what I am trying to do:
I have an app that takes in login credentials: username and password for a user. I have a rest api that internally calls the keycloak REST API: /auth/realms/realmname/protocol/openid-connect/token
and gets the access token for this user.
Now I am building another REST API to access a resource where I want to do the following:
doSomething(accesstoken, data)
{
a) call keycloak API to validate access token and get roles.
b) if role == manager, process(data)
c) else: return error msg.
}
Now, how do I do (a): validating the access token and getting the roles associated with it.
I know we can do: auth/realms/realmname/protocol/openid-connect/userinfo
but that only gives the details about the user like name, email, etc. but does not display any roles.
Here's an example I got:
{
"name": "test user",
"sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
"email_verified": false,
"preferred_username": "user",
"given_name": "test",
"family_name": "user"
}
As seen, it doesnt give the roles at all. How do I then tell what roles this access token has? Interestingly, when I search for this, many resources are suggesting the above userinfo endpoint. But this merely tells me taht the access token I provided is valid. Does not give roles for that.
In other words - it authenticates but does not authorize.
Please suggest.
Thanks,
Anand
In Keycloak admin Console, you can configure Mappers under your client. Add a builtin Mapper of type "User Realm Role", then open its configuration e.g. change Token Claim Name if you want.
Client roles can be configured similarly, but they are returned by default in the token under the name resource_access.${client_id}.roles
The the client side you can parse the token to find the roles. E.g. In an angular application and using the keycloak-angular adapter, you can have a the token as a json object by calling keycloak.getKeycloakInstance().tokenParsed.
In a spring boot application and using the Keycloak java api, you can find the roles under the field "otherClaim" in the following class
https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html
In both representations you will find the roles under the "Token Claim Name" defined in the client mapper configuration
Additionally, if the full scope is not allowed then you need to add the relevant roles to the scope, so they can appear in the token.
After adding role in the roles section , need to move available roles into the Assigned Roles of the scope tab of the respective client section.
I am using App ID as an Identity Provider and Authorization Server to protect some back-end spring-boot applications.
I have managed to set up the whole OAuth 2.0 Authorization Code flow to work but cannot manage to include custom scopes into the access token.
The only scopes that appear in the access token are the App ID default ones:
"openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated"
I have configured an appropriate role with the desired custom scopes and associated this role to the user profile. Furthermore I have associated these custom scopes to the client application. Everything seems fine in the App ID dashboard.
However when I call the token endpoint either programmatically or via curl I always get the same default scopes in the access token.
Reading the Swagger , I should be able to specify the scopes for the password flow and bearer token but I am in an OAuth 2.0 Authorization Code flow. Furthermore, even with password credentials flow, I do not manage to get these custom scopes although I specify them in the request.
Has anyone encountered these problems?
Any help would be much appreciated.
Many Thanks,
Chris
In order to see the application configured scopes in the token, you need to authenticate with the application that you configured scopes to and with the user you assigned the role to.
Meaning you should use username : client ID and password : secret of the application in the request authorization header, and authenticate with the user you assigned the matching role (which contains the scopes wanted).
The steps to add access control to your application:
Go to Applications and define the application that you want to protect by adding scopes.
Create your roles by going to Roles and profiles > Roles > Create role.
Assign the roles to specific users by going to Roles and profiles >
User profiles. Then, choose the user that you want to assign the
role to and click the More options menu > Assign role.
For more information see AppID Access control docs: https://cloud.ibm.com/docs/services/appid?topic=appid-access-control
I have an App ID instance in us-south, and scopes are working fine for me with default Cloud Directory.
create a new application (define your scopes)
create a role and associate your application scope
assign the role to a user
call /token endpoint
It happened to me before, I found that one way to solve it would be to inject the roles into the token claim and then instruct Spring Security to extract them. I wrote about it here in detail. The documentation explains the first part, but the gist is this cURL snippet :
curl -X PUT "https://$REGION.appid.cloud.ibm.com/management/v4/$TENANT_ID/config/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer $IAM_TOKEN" -d '{
"access": {
"expires_in": 3600
},
"refresh": {
"enabled": true,
"expires_in": 2592001
},
"anonymousAccess": {
"enabled": false
},
"accessTokenClaims": [
{
"source": "roles"
}
],
"idTokenClaims": [
{
"source": "saml",
"sourceClaim": "attributes.uid"
}
]
}'
You can also do it in the Swagger UI. Note however that this is a PUT request, so it's going to overwrite any configuration you had beforehand. Ideally, run a GET request to get the current configuration, then add the claims into it to avoid issues.
Then, in the SecurityConfiguration, add this JWT converter :
protected void configure(HttpSecurity http) throws Exception {
http
//...
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter());
}
Converter jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
converter.setAuthoritiesClaimName("authorities");
converter.setAuthorityPrefix(""); //so that the role has the same name as the one that comes from App ID
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(converter);
return jwtAuthenticationConverter;
}
Now that Spring Security recognizes the roles, you can protect endpoints with annotations or with an antMatcher configuration :
.antMatchers("/api/admin").hasRole("ADMIN")
I am using Ruby on Rails 5.2 and gems: ruby-trello, devise, omniauth-trello.
I want to make authorized requests on behalf of Trello user same as shows here: https://github.com/jeremytregunna/ruby-trello#multiple-users
Example from git docs:
#client_bob = Trello::Client.new(
:consumer_key => YOUR_CONSUMER_KEY,
:consumer_secret => YOUR_CONSUMER_SECRET,
:oauth_token => "Bob's access token",
:oauth_token_secret => "Bob's access secret"
)
My steps:
User (Bob) sign in with Trello and get his own oauth_secret and oauth_token
App creates a Trello::Client for Bob using:
his own oauth data (:oauth_token, :oauth_token_secret)
I got consumer_key from here: https://trello.com/app-key (in the top of page, first block with key field)
consumer_secret was taken from https://trello.com/app-key too, but from the bottom of page, last block with key secret
After this, I'm trying to get any data from Bob's trello account (boards, lists, tasks etc.) but always getting 500 error (invalid token).
Could you explain what I'm doing wrong?
Thank you in advance.
What I did was implementing a session controller to request and authorize access to user's trello and then call Trello::Client with the authorization params inside the callback method on the controller.
Check out this:Trello OAuth 1.0 authorization with Ruby
Then inside the authorization method you can call Trello::Client using :oauth_token and :oauth_token_secret from get_access_token call or store them both on the session object and use them anywhere.
I am wanting to use Keycloak to authorise access for my API.
I have got the relevant scopes defined, and these are coming back in the access token as expected:
{
... claims ...
"scope": "openid profile user/Patient.write user/Patient.read",
... etc ...
}
but the server hosting the APIs expects scopes in an access token represented as an array, like this:
{
... claims ...
"scope": [
"openid",
"profile",
"user/Patient.read",
"user/Patient.write"
],
...etc...
}
I can't see anywhere in Keycloak where I could alter the behaviour to output scopes as an array?
I've looked at doing it using a custom token mapper script, but the scopes don't appear to be available in mapper scripts, so it doesn't look like I can re-map them that way. Is there any way of getting the scopes into this form in the token in Keycloak?
I am trying to get a user venue history from foursquare. I know first of all a user should access to my application. I am using OAuth2 gem. How can I get client_id of the user?
cli = OAuth2::Client.new('CLIENT_ID', :authorize_url => "/oauth2/authorize", :token_url => "/oauth2/access_token", :site => 'https://foursquare.com')
ok, I am just editing my question. I understood why client_id has to be used (thanks to Martin and umesh awasthi). I am asking about why I can't get token of a user? my whole code is;
cli = OAuth2::Client.new(client_id, client_secret, :authorize_url => "/oauth2/authorize", :token_url => "/oauth2/access_token", :site => 'https://foursquare.com')
cli.auth_code.authorize_url(:redirect_uri => "http://localhost:3000")
token = cli.auth_code.get_token('authorization_code_value', :redirect_uri => "http://localhost:3000/person/index")
response = token.get('api/resource', :params => {'query_foo' => 'bar'})
response.class.name
See the answer of Martin client id is a unique id associated with your application.All OAuth service provider need this client id to identity yourself.
I suggest you to first go through some basic understanding of OAuth as this protocol work on 2 major things
1. Client_id: this is a unique id assigned to your application you
create on any Oauth service provider or when you register you application.
2. Secret_key:This is another part of Oauth communication which use to
Authenticate the consumer i.e you application.
Though some Oauth system like Google provides Anonymous calling but that never being encouraged at all.
So whatever OAuth service you are using, you need to register your application with them and get client_key and secret which should be the part of every communication you making with OAuth
here is the quick steps taken from forsquare website
Redirect users who wish to authenticate to
https://foursquare.com/oauth2/authenticate
?client_id=YOUR_CLIENT_ID
&response_type=code
&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
If a user accepts, they will be redirected back to
https://YOUR_REGISTERED_REDIRECT_URI/?code=CODE
once user authorize you OAuth will redirect back with the code which you need to pass them again to get access token
Your server will make a request for
https://foursquare.com/oauth2/access_token
?client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&grant_type=authorization_code
&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
&code=CODE
The response will be JSON
{ access_token: ACCESS_TOKEN }
Save this access token for this user in your database.Hope this swill help you
The client_id is the client_id for your application, which you get when you register an app here. It is not associated with a particular user, but with your application.