Setting authorization resource owner does not work or fails #589
Comments
|
Hi, a complete realm json that include the steps to reproduce the issue would help here a lot.
By define |
|
This is with a clean docker image of keycloak, configured to use a postgres db (also docker image). First run of keycloak-config-cli, after waiting for keycloak to start. Minimal realm json: {
"id": "test",
"realm": "test",
"enabled": true,
"users": [
{
"username": "testuser",
"enabled": true,
"totp": false,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "test"
}
]
}
],
"clients": [
{
"clientId": "test-client",
"name": "test-client",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"authorizationServicesEnabled": true,
"serviceAccountsEnabled": true,
"redirectUris": [
"*"
],
"webOrigins": [
"*"
],
"authorizationSettings": {
"allowRemoteResourceManagement": true,
"decisionStrategy": "AFFIRMATIVE",
"policyEnforcementMode": "ENFORCING",
"resources": [
{
"name": "testresource",
"displayName": "testresource",
"type": "urn:test-client:resources:test",
"ownerManagedAccess": false,
"owner": {
"name": "testuser"
},
"uri": "/*"
}
],
"policies": []
}
}
]
}Outgoing request is: {"name":"testresource","type":"urn:test-client:resources:test","owner":{"id":null,"name":"testuser"},"ownerManagedAccess":false,"displayName":"testresource","attributes":null,"_id":null,"uris":["/*"],"icon_uri":null}Response: {"error":"invalid_request","error_description":"You must specify the resource owner."}The user is definitly created before that so it does not seem to be related to an ordering issue. Interestingly, when i create the resource without an owner via keycloak-config-cli, and then set the owner with the id: {"name":"testresource","type":"urn:test-client:resources:test","owner":{"id":"a8bdb0f6-9080-4830-b844-fcaf6a0d9464","name":null},"ownerManagedAccess":false,"displayName":"testresource","attributes":null,"_id":null,"uris":["/*"],"icon_uri":null}I get an 500 from Keycloak with Exception in the logs Seems unrelated to keycloak-config-cli though. |
Keycloak is expecting an id here. But keycloak allows to define the username as id here, too:
Keycloak set an owner, if none is defined.
Feels strange. The error occurs only if there is no matching user. Changing the owner.name to owner.id works here But keycloak-config-cli will always update this resource since keycloak would always report the id of the user instead of the username. This may only happens, if the import json has been changed. |
|
It looks like Keycloak excepts the username of an owner inside the id field instead of the name field. But if the resource is GET through the API, then the username is inside the owner.name field instead owner.id field. Looks like an inconstancy here. I added a patch which set the username as id before sending the REST call to keycloak. #590 |
|
@HendrikJanssen in case the error still exists, just reach me out here. The PR title is a little bit misleading here. For Keycloak, only the id of the owner property matters. If id is null and name is set, keycloak config cli will copy the value from name to id. |
|
Thank you very much, that was pretty fast! A quick question though: Which image should I use to test the PR changes? Is |
|
Nevermind, it's documented clearly in the readme, I'm sorry 😄 |
Current Behavior
When I want to set the owner of a resource, keycloak-config-cli either fails to create the resource (400 Bad request) is returned, or the owner is not set when updating the resource.
Expected Behavior
The resource owner should be set accordingly.
Steps To Reproduce
Environment
Im using the docker hub image version of keycloak-config-cli
Anything else?
I am not sure what happens here since the request body is not printed out sadly. I do know that setting a resource owner is pretty finicky via the admin CLI. If this is a missing feature and not a bug I would gladly support with an PR, but maybe this is supposed to work, so Im opening an Issue first.
The text was updated successfully, but these errors were encountered: