Determine from JWT generated by Keycloak if a user is authorized to access specific resource












2














Keycloak docs on OpenID Connect states that




The access token is digitally signed by the realm and contains access
information (like user role mappings) that the application can use to
determine what resources the user is allowed to access on the
application.




Is it possible to determine from the access token returned by Keycloak after authentication what resources a user is allowed to access?
Following the keycloak quickstart's instructions on Obtaining an OAuth2 Access Token, i get the following JWT (with not relevant fields ommitted) :



{

  "aud": "app-authz-springboot",

  "sub": "9c6c4a66-bb14-420f-a8af-3b2771266b38",

  "typ": "Bearer",

  "azp": "app-authz-springboot",

  "realm_access": {

    "roles": [

      "user"

    ]

  },

  "resource_access": {},

  "preferred_username": "alice"

}


There's an empty field




resource_access




Is there any way to fill it with the resources a user has access to? What's the specification of this field? Couldn't find it in JWT RFC or OpenID Connect Spec



I attempted another way that worked:




  1. Obtaining the access token using password credentials flow


  2. Exchanging the obtained token for rpt with slight
    modification adding response_mode argument:



    curl -v -X POST 
    
  http://localhost:8180/auth/realms/spring-boot-quickstart/protocol/openid-connect/token 
    
  -H "Authorization: Bearer "$access_token 
    
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" 
    
  --data "audience=app-authz-rest-springboot" 
    
  --data "permission=Default Resource"
    
  --data "response_mode=decision"



However this solution requires dispatching 2 requests to Keycloak to determine if a user is allowed a specific resource.






oauth-2.0 authorization jwt openid-connect keycloak







share|improve this question





























    2














    Keycloak docs on OpenID Connect states that




    The access token is digitally signed by the realm and contains access
    information (like user role mappings) that the application can use to
    determine what resources the user is allowed to access on the
    application    .




    Is it possible to determine from the access token returned by Keycloak after authentication what resources a user is allowed to access?
    Following the keycloak quickstart's instructions on Obtaining an OAuth2 Access Token, i get the following JWT (with not relevant fields ommitted) :



    {
    
  "aud": "app-authz-springboot",
    
  "sub": "9c6c4a66-bb14-420f-a8af-3b2771266b38",
    
  "typ": "Bearer",
    
  "azp": "app-authz-springboot",
    
  "realm_access": {
    
    "roles": [
    
      "user"
    
    ]
    
  },
    
  "resource_access": {},
    
  "preferred_username": "alice"
    
}


    There's an empty field




    resource_access




    Is there any way to fill it with the resources a user has access to? What's the specification of this field? Couldn't find it in JWT RFC or OpenID Connect Spec



    I attempted another way that worked:




    1. Obtaining the access token using password credentials flow


    2. Exchanging the obtained token for rpt with slight
      modification adding response_mode argument:



      curl -v -X POST 
      
  http://localhost:8180/auth/realms/spring-boot-quickstart/protocol/openid-connect/token 
      
  -H "Authorization: Bearer "$access_token 
      
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" 
      
  --data "audience=app-authz-rest-springboot" 
      
  --data "permission=Default Resource"
      
  --data "response_mode=decision"



    However this solution requires dispatching 2 requests to Keycloak to determine if a user is allowed a specific resource.






    oauth-2.0 authorization jwt openid-connect keycloak







    share|improve this question



























      2












      2








      2







      Keycloak docs on OpenID Connect states that




      The access token is digitally signed by the realm and contains access
      information (like user role mappings) that the application can use to
      determine what resources the user is allowed to access on the
      application      .




      Is it possible to determine from the access token returned by Keycloak after authentication what resources a user is allowed to access?
      Following the keycloak quickstart's instructions on Obtaining an OAuth2 Access Token, i get the following JWT (with not relevant fields ommitted) :



      {
      
  "aud": "app-authz-springboot",
      
  "sub": "9c6c4a66-bb14-420f-a8af-3b2771266b38",
      
  "typ": "Bearer",
      
  "azp": "app-authz-springboot",
      
  "realm_access": {
      
    "roles": [
      
      "user"
      
    ]
      
  },
      
  "resource_access": {},
      
  "preferred_username": "alice"
      
}


      There's an empty field




      resource_access




      Is there any way to fill it with the resources a user has access to? What's the specification of this field? Couldn't find it in JWT RFC or OpenID Connect Spec



      I attempted another way that worked:




      1. Obtaining the access token using password credentials flow


      2. Exchanging the obtained token for rpt with slight
        modification adding response_mode argument:



        curl -v -X POST 
        
  http://localhost:8180/auth/realms/spring-boot-quickstart/protocol/openid-connect/token 
        
  -H "Authorization: Bearer "$access_token 
        
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" 
        
  --data "audience=app-authz-rest-springboot" 
        
  --data "permission=Default Resource"
        
  --data "response_mode=decision"



      However this solution requires dispatching 2 requests to Keycloak to determine if a user is allowed a specific resource.






      oauth-2.0 authorization jwt openid-connect keycloak







      share|improve this question















      Keycloak docs on OpenID Connect states that




      The access token is digitally signed by the realm and contains access
      information (like user role mappings) that the application can use to
      determine what resources the user is allowed to access on the
      application      .




      Is it possible to determine from the access token returned by Keycloak after authentication what resources a user is allowed to access?
      Following the keycloak quickstart's instructions on Obtaining an OAuth2 Access Token, i get the following JWT (with not relevant fields ommitted) :



      {
      
  "aud": "app-authz-springboot",
      
  "sub": "9c6c4a66-bb14-420f-a8af-3b2771266b38",
      
  "typ": "Bearer",
      
  "azp": "app-authz-springboot",
      
  "realm_access": {
      
    "roles": [
      
      "user"
      
    ]
      
  },
      
  "resource_access": {},
      
  "preferred_username": "alice"
      
}


      There's an empty field




      resource_access




      Is there any way to fill it with the resources a user has access to? What's the specification of this field? Couldn't find it in JWT RFC or OpenID Connect Spec



      I attempted another way that worked:




      1. Obtaining the access token using password credentials flow


      2. Exchanging the obtained token for rpt with slight
        modification adding response_mode argument:



        curl -v -X POST 
        
  http://localhost:8180/auth/realms/spring-boot-quickstart/protocol/openid-connect/token 
        
  -H "Authorization: Bearer "$access_token 
        
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" 
        
  --data "audience=app-authz-rest-springboot" 
        
  --data "permission=Default Resource"
        
  --data "response_mode=decision"



      However this solution requires dispatching 2 requests to Keycloak to determine if a user is allowed a specific resource.






      oauth-2.0 authorization jwt openid-connect keycloak




      oauth-2.0 authorization jwt openid-connect keycloak






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 22 at 14:18









      Lukasz Stelmach

      4,20031828




      4,20031828










      asked Sep 26 at 10:04









      user1264304

      95562253




      95562253
























          1 Answer
          1






          active

          oldest

          votes


















          0














          Your usage scenario is not clear. The standard mechanism to control access to specific resources is roles and you do get them as a part of the token. So if you configure access to your endpoints using appropriate roles model and assign required roles to the corresponging users, it will control the access. Actually this is the way access to the /api/premium URL is managed in the SpringBoot example that you referencing in your question (compare access by alice vs jdoe).



          From your question as it is now, it is not clear why such approach doesn't work for you and why you want something else.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f52515135%2fdetermine-from-jwt-generated-by-keycloak-if-a-user-is-authorized-to-access-speci%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Your usage scenario is not clear. The standard mechanism to control access to specific resources is roles and you do get them as a part of the token. So if you configure access to your endpoints using appropriate roles model and assign required roles to the corresponging users, it will control the access. Actually this is the way access to the /api/premium URL is managed in the SpringBoot example that you referencing in your question (compare access by alice vs jdoe).



            From your question as it is now, it is not clear why such approach doesn't work for you and why you want something else.






            share|improve this answer


























              0














              Your usage scenario is not clear. The standard mechanism to control access to specific resources is roles and you do get them as a part of the token. So if you configure access to your endpoints using appropriate roles model and assign required roles to the corresponging users, it will control the access. Actually this is the way access to the /api/premium URL is managed in the SpringBoot example that you referencing in your question (compare access by alice vs jdoe).



              From your question as it is now, it is not clear why such approach doesn't work for you and why you want something else.






              share|improve this answer
























                0












                0








                0






                Your usage scenario is not clear. The standard mechanism to control access to specific resources is roles and you do get them as a part of the token. So if you configure access to your endpoints using appropriate roles model and assign required roles to the corresponging users, it will control the access. Actually this is the way access to the /api/premium URL is managed in the SpringBoot example that you referencing in your question (compare access by alice vs jdoe).



                From your question as it is now, it is not clear why such approach doesn't work for you and why you want something else.






                share|improve this answer












                Your usage scenario is not clear. The standard mechanism to control access to specific resources is roles and you do get them as a part of the token. So if you configure access to your endpoints using appropriate roles model and assign required roles to the corresponging users, it will control the access. Actually this is the way access to the /api/premium URL is managed in the SpringBoot example that you referencing in your question (compare access by alice vs jdoe).



                From your question as it is now, it is not clear why such approach doesn't work for you and why you want something else.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 22 at 21:02









                SergGr

                19k22243




                19k22243






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f52515135%2fdetermine-from-jwt-generated-by-keycloak-if-a-user-is-authorized-to-access-speci%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Trompette piccolo

                    Image
                    Ne doit pas être confondu avec trompette de poche. Trompette piccolo en si bémol, avec des branches d'embouchure différentes pour le si bémol (la plus courte) ou la (la plus longue) Trompette piccolo La trompette piccolo est la plus petite de la famille des trompettes. Elle joue une octave plus haut que la trompette standard en si bémol. La plupart des trompettes piccolo sont conçues pour jouer dans les deux tonalités de si bémol ou la, en utilisant une branche d'embouchure différente pour chaque tonalité. Le tube de la trompette piccolo en si bémol a une longueur moitié de celle de la trompette normale en si bémol. Des trompettes piccolo en sol, fa, ut sont également fabriquées, mais elles sont rares. La trompette soprano en ré, aussi connu comme la « trompette Bach », a été inventée vers 1890 par le facteur belge Victor-Charles Mahillon pour jouer les parties hautes de la trompette dans la musique de Bach et Haendel. La trompette piccolo moderne permet aux
                    Read more

                    Slow SSRS Report in dynamic grouping and multiple parameters

                    Image
                    0 I have developed a report which has 5 dynamic row groups from where users can choose in parameter selection. The report has 12 parameters so that user can get required information as per their parameter choice. Each parameter has multi value selection option with numerous lists of values (example: Customer parameter has 35,000 values and Item parameter has 2,500 values). Now, the report takes huge time to load parameter values as well as slow in preview (although, server resource is adequate). I am looking for a solution to improve the parameter selection performance without reducing the number of parameter and dynamic grouping sql-server reporting-services ssrs-2012 share | improve this question
                    Read more

                    Simon Yates (cyclisme)

                    Image
                    Pour les articles homonymes, voir Simon Yates et Yates. Simon Yates.mw-parser-output .entete.cyclisme{background-image:url("//upload.wikimedia.org/wikipedia/commons/thumb/8/86/Cycling_%28road%29_pictogram.svg/45px-Cycling_%28road%29_pictogram.svg.png")} Simon Yates lors du Tour d'Alberta 2014 Informations Naissance 7 août 1992 (26 ans) Bury Nationalité Britannique Équipe actuelle Mitchelton-Scott Spécialités Grimpeur, cyclisme sur piste Équipes amateurs 2013 100% Me Équipes professionnelles 01.2014-06.2016 [ n 1 ] Orica-GreenEDGE 07.2016-12.2016 [ n 2 ] Orica-BikeExchange 2017 Orica-Scott 2018- Mitchelton-Scott Principales victoires 1 classement mondial UCI World Tour 2018 1 titre mondial Champion du monde de course aux points (2013) 1 grand tour Tour d'Espagne 2018 2 classements annexes de grands tours Classement du meilleur jeune Tour de France 2017 Classement du combiné Tour d'
                    Read more