Docs: authorization_services/topics/service-authorization-discovery-document.adoc - include grantType Token required for obtaining permissions for user in Documentation #29093

Open
shalphaaslam opened this issue Apr 25, 2024 · 10 comments
Assignees
Labels
area/authorization-services Indicates an issue on Authorization area kind/bug Categorizes a PR related to a bug status/triage team/core-iam

Comments

@shalphaaslam

shalphaaslam commented Apr 25, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authorization-services

Describe the bug

File: authorization_services/topics/service-authorization-discovery-document.adoc

Version

24.0.3

Regression

  • The issue is a regression

Expected behavior

Obtaining permissions for a user should work if I pass an access token fetched with the password grant type:

```shell
curl -X POST \
  http://${host}:${port}/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \
  --data "permission=Resource A#Scope A" \
  --data "permission=Resource B#Scope B"
```

Actual behavior

It fails with `{ "error": "invalid_grant", "error_description": "Invalid bearer token" }`, and Keycloak logs a PERMISSION_TOKEN_ERROR event like the one below:

```
[org.keycloak.events] (executor-thread-11) type="PERMISSION_TOKEN_ERROR", realmId="3b897f33-1700-4ee8-9de8-2ae13f92d89c", clientId="account", userId="null", ipAddress="172.26.0.1", error="invalid_token", auth_method="oauth_credentials", grant_type="urn:ietf:params:oauth:grant-type:uma-ticket"
```

However, it works if I pass an access_token generated with the standard flow grant type.

How to Reproduce?

1. Create a userProfile attribute in realm settings and enable UMA in realm settings (verify that the service account tab has uma_protection).
2. Add a value for the attribute to the user.
3. Ensure authorization is enabled for the client (resource server) and, in the Authorization tab, create resource ins1 with UMA enabled.
4. Create a policy with the newly listed one that we deployed previously.
5. Create a permission for resourceType with the policy created before, and save.
6. Ensure a mapper is added for the user attribute "resourceType" created, so it is reflected in the user attributes (add it in client scopes, under the dedicated scope, by configuration, user attribute).
7. Now evaluate the policy in the Evaluate tab; it should permit or deny.
8. Then try to obtain permissions for the user, passing an access token fetched with the password grant type.

Anything else?

No response

@shalphaaslam shalphaaslam added kind/bug Categorizes a PR related to a bug status/triage labels Apr 25, 2024
@keycloak-github-bot keycloak-github-bot bot added area/authorization-services Indicates an issue on Authorization area team/core-iam labels Apr 25, 2024
@shalphaaslam shalphaaslam changed the title Docs: authorization_services/topics/service-authorization-discovery-document.adoc Docs: authorization_services/topics/service-authorization-discovery-document.adoc - include grantType Token required for obtaining permissions for user in Documentation Apr 25, 2024
@sguilhen
Contributor

Hi @shalphaaslam - not sure how the referenced doc can be updated in this case, as it only describes the authz service discovery document. It doesn't have any text mentioning how to use the token endpoint there.

@shalphaaslam
Author

Hi @sguilhen, yes, as you said, the document only mentions the authorization endpoint to use for fetching user permissions. However, there is no mention of the supported access token of the standard flow grant type. But the document highlights the need for a client credentials grant type access token for accessing the permission APIs that create, update and delete resources in Keycloak. Should we include the information that an access token of the standard flow grant type is needed for fetching an RPT, for better understanding?

@pedroigor
Contributor

I'm wondering what the bearer token looks like and how you obtained it before executing the urn:ietf:params:oauth:grant-type:uma-ticket.

We have usages of bearer tokens issued to public clients (authorization grant type) or to confidential clients (using resource owner or client credentials grant).

@sguilhen
Contributor

@shalphaaslam are you able to use the access token from the password grant to invoke other endpoints? Or does it fail only for the token endpoint? Also, are you by any chance using an external IDP to authenticate?

@keycloak-github-bot

Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.

Please provide additional details, otherwise this issue will be automatically closed within 14 days.

@shalphaaslam
Author

@sguilhen, I don't use an external IDP to authenticate. The access token from the password grant works to invoke other endpoints but fails when I try to fetch an RPT for the user. I tried using the authorization endpoints with the access token from the password grant, but it failed. When I pass the access token from the authorization code flow, it works.

@pedroigor
Contributor

@shalphaaslam Using the password grant should work too. If you can provide a reproducer, it should help to understand what is going on.

In theory, using the password grant or the code flow has no real difference as both flows are authenticating an end-user/resource owner.

@shalphaaslam
Author

shalphaaslam commented Apr 26, 2024

To reproduce, I want to fetch an RPT with the command below:

```shell
curl -X POST \
  http://172.26.0.1:8080/realms/master/protocol/openid-connect/token \
  -H "Authorization: Bearer [access-token]" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=account"
```

First I passed an access token fetched using the password grant type, like below:

```shell
curl -L -X POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=account' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_secret=W5LvXT2tdHqzyjpKPGKMptHc91FPv' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'username=admin' \
  --data-urlencode 'password=admin'
```

**Response received: `{"error":"invalid_grant","error_description":"Invalid bearer token"}`**

Secondly, I passed an access token obtained with the auth code grant type, fetched like:

```shell
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=04e6dda7b.daca2d70-5938-4ff6-aefb-46f86a334aee" \
  -d "client_id=account" \
  -d "client_secret=W5LvXT2GKMptHc91FPv" \
  -d "redirect_uri=http://localhost:8000/callback" \
  "http://172.26.0.1:8080/realms/master/protocol/openid-connect/token"
```

**Response received:**

```json
{"upgraded":false,"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2WjRBQnBUa2ZmOTjw","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNzQ4OGRiMS04Y2MzLTRiZmEtYjVmOC1lMDYzYjBiZjdiNzQifQ..-VYmY_N_tXUWCIKkq3dYJr_LGfQmLpvNe7bp7xRPitIIQFqliA-Lun75yiLjo7iXCbl8l6xhmeOw","token_type":"Bearer","not-before-policy":0}
```

There is an open ticket to reproduce: #25191
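As an added diagnostic example (not the reporter's code and not part of Keycloak), the script below does two things the thread does by hand with curl: it assembles the UMA-ticket RPT request (bearer token in the `Authorization` header, `audience` and repeated `permission=Resource#Scope` form fields), and before sending it, decodes the bearer token's claims without verifying the signature to report the cheap client-side reasons the token endpoint would answer `Invalid bearer token`: a token whose `typ` is not `Bearer`, an `iss` that does not match the realm URL the request is sent to, or an `exp` already in the past. Those checks were chosen because the curl commands above mint the password-grant token at `localhost:8080` but post the RPT request to `172.26.0.1:8080`, and the code-flow response shows `expires_in: 60`. The sample token, the hostnames and the function names (`precheck_bearer`, `build_rpt_request`, `request_rpt`) are constructed for this example; whether any of these checks explains the reporter's failure is not established in the thread.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
TOKEN_PATH = "/protocol/openid-connect/token"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string for OFFLINE use only (constructed sample data).

    The signature segment is a placeholder, so Keycloak would reject this token;
    it exists only to give the checks below realistic input.
    """
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(claims)),
                     _b64url_encode(b"placeholder-signature")])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Diagnostic only: use it to read a token you are about to send, never to
    trust a token you received from someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def precheck_bearer(token: str, token_endpoint: str,
                    now: Optional[float] = None) -> List[str]:
    """Cheap client-side reasons the token endpoint would reject this bearer token.

    An empty list does not prove the token is good: signature, session and
    revocation state can only be judged by Keycloak.
    """
    if not token_endpoint.endswith(TOKEN_PATH):
        raise ValueError("token_endpoint should end with " + TOKEN_PATH)
    expected_iss = token_endpoint[: -len(TOKEN_PATH)]  # http(s)://host/realms/<realm>
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []
    typ = claims.get("typ")
    if typ != "Bearer":
        problems.append(f"typ is {typ!r}, expected 'Bearer' (refresh and ID tokens are not bearer tokens)")
    iss = claims.get("iss")
    if iss != expected_iss:
        problems.append(f"iss is {iss!r} but the request goes to realm {expected_iss!r}; "
                        "Keycloak verifies iss against the realm URL it is reached on")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"exp {exp!r} is not in the future (now={int(now)}); expires_in=60 leaves little slack")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        problems.append(f"nbf {nbf} is in the future; token is not yet valid")
    return problems


def build_rpt_request(token_endpoint: str, bearer: str, audience: str,
                      permissions: Sequence[str] = ()) -> Tuple[str, Dict[str, str], str]:
    """Assemble the request the thread issues with curl: UMA ticket grant, bearer
    token in the Authorization header, audience and zero or more 'Resource#Scope'
    permission fields in the form body. Returns (url, headers, encoded body)."""
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    fields.extend(("permission", p) for p in permissions)
    headers = {"Authorization": f"Bearer {bearer}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint, headers, urlencode(fields)


def parse_form_body(body: str) -> Dict[str, List[str]]:
    """Decode an x-www-form-urlencoded body back to field -> values (repeated keys kept)."""
    return parse_qs(body, keep_blank_values=True)


def request_rpt(token_endpoint: str, bearer: str, audience: str,
                permissions: Sequence[str] = ()) -> Tuple[int, dict]:
    """POST the request to a live Keycloak (network call; not exercised offline).
    Returns (HTTP status, decoded JSON) so an 'invalid_grant' body is returned,
    not raised, and can be logged next to precheck_bearer()'s findings."""
    url, headers, body = build_rpt_request(token_endpoint, bearer, audience, permissions)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw or b"{}")
        except ValueError:
            return err.code, {"error": "non_json_response", "body": raw.decode(errors="replace")}


if __name__ == "__main__":
    # Constructed sample mirroring the thread: token minted at localhost, RPT requested at 172.26.0.1.
    endpoint = "http://172.26.0.1:8080/realms/master" + TOKEN_PATH
    sample = make_constructed_token({"iss": "http://localhost:8080/realms/master", "typ": "Bearer",
                                     "azp": "account", "exp": int(time.time()) + 60})
    for problem in precheck_bearer(sample, endpoint):
        print("precheck:", problem)
```

Run it against a real token by replacing `sample` with the `access_token` from the password-grant response and `endpoint` with the token endpoint you post the RPT request to; if `precheck_bearer` returns an empty list and Keycloak still answers `Invalid bearer token`, the cause is server-side (signature, session or client configuration) and the `PERMISSION_TOKEN_ERROR` event is the next place to look.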

@shalphaaslam
Author

shalphaaslam commented Apr 27, 2024

Update: I also noticed an invalid signature in the token fetched using the authorization code flow grant type, despite proper configuration in Keycloak, when decoding the access token in jwt.io. I use Postman to fetch the token using the authorization code flow grant type, or make two curl commands: first to fetch the auth code and then another to fetch the access token using the auth code received from the previous command. Also, I use curl to fetch the access token for the password grant type, whose signature is valid when decoded, but it fails the RPT request made to Keycloak.

@shalphaaslam
Author

shalphaaslam commented Apr 29, 2024

To help reproduce the issue, here you can find my entire Keycloak setup, JS policy and realm configuration JSON file:
https://github.com/shalphaaslam/python/tree/main/full-keycloak-setup
