ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Keyrock IDM: 7.9.2 Successful requests when authorization_decision: Deny #260

Open tazchalmers opened 2 years ago

tazchalmers commented 2 years ago

When authorization_decision is "Deny" for a resource, an API request still successfully returns results.

Steps to reproduce:

1 Generate authorization key:

$ echo -n 59b...e90:131...51c | base64 -w 0
NTli...Yw==

2 In the Keyrock frontend, create "User" role and add user@email.com to it. Deliberately do not grant any permissions to the "User" role at this stage.

3 Generate access token:

$ curl -X POST 'http://localhost:3005/oauth2/token' -H 'Accept: application/json' -H 'Authorization: Basic NTli...Yw==' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=user@email.com&password=password&grant_type=password"
{"access_token":"080...495","token_type":"bearer","expires_in":3599,"refresh_token":"ee8...1a3","scope":["bearer"]}

4 Verify authorization_decision is "Deny" for /v2/subscriptions/, which has not been granted as a permission for the "User" role:

$ curl 'http://localhost:3005/user?access_token=080...495&action=GET&resource=/v2/subscriptions/&app_id=59b-4...b-950'
{"organizations":[],"displayName":"","roles":[{"id":"606...65f","name":"User"}],"app_id":"59b...e90","trusted_apps":[],"isGravatarEnabled":"","id":"174...0bf","authorization_decision":"Deny","app_azf_domain":"","eidas_profile":{},"attributes":{},"shared_attributes":"","username":"username","email":"user@email.com","image":"","gravatar":"","extra":""}

5 Successfully get list of subscriptions:

$ curl -i --insecure -X GET https://localhost/v2/subscriptions/ -H 'X-Auth-token: 080...495'
HTTP/2 200

The IDM log:

Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller  --> authenticate_token
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller  --> authenticate_jwt
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller Error JsonWebTokenError: jwt malformed
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller  --> authenticate_bearer
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------getAccesToken-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------create_oauth_response-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------search_user_info-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------trusted_applications-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------user_roles-------

As per the previous issue I submitted, I cannot get versions 8+ to work, so I have to stay on this version for now.
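The report above shows the IdM returning "authorization_decision":"Deny" while the component in front of the API still forwards the request. The following is an added example, not code from the reporter or from the FIWARE Keyrock project, showing the fail-closed enforcement a policy enforcement point should apply to that /user response: forward only on an explicit "Permit", reject on "Deny", and reject when the field is missing, unexpected or the response cannot be parsed. The helper for the step 1 credential and the step 4 query string are included so the whole check can be read end to end. The function names, the placeholder identifiers and the sample JSON (a shortened version of the response in step 4 with the truncated IDs replaced) are constructed for this example.

```python
"""Fail-closed handling of Keyrock's /user validation response (added example).

Assumptions (not from the original report): the PEP calls GET /user with
access_token, action, resource and app_id exactly as in step 4, receives the
JSON shown there, and decides from it whether to forward the API request.
"""
import base64
import json
from urllib.parse import urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Step 1: the OAuth2 client credential is base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def validation_query(access_token: str, action: str, resource: str, app_id: str) -> str:
    """Step 4: the /user query that asks the IdM for an authorization decision.

    All four parameters are sent; a call carrying only access_token would
    validate the token but give the PEP no decision to enforce.
    """
    return "/user?" + urlencode(
        {"access_token": access_token, "action": action, "resource": resource, "app_id": app_id}
    )


def enforce(user_info_json: str) -> tuple[int, str]:
    """Map the IdM's /user response to the status the PEP should return.

    Returns (http_status, reason). Only an explicit "Permit" forwards the
    request (200 stands in for "proxy to backend"); everything else is refused.
    """
    try:
        info = json.loads(user_info_json)
    except json.JSONDecodeError:
        # A malformed answer from the IdM must not be treated as a permit.
        return 502, "unparseable response from IdM"

    decision = info.get("authorization_decision")
    if decision == "Permit":
        return 200, "forward to backend"
    if decision == "Deny":
        return 403, "denied by IdM authorization decision"
    # Missing or unexpected value: fail closed rather than fall back to
    # "token is valid, therefore allowed", which is the behaviour reported above.
    return 403, f"no usable authorization_decision ({decision!r})"


# Constructed sample: the shape of the step 4 response with placeholder IDs.
SAMPLE_DENY_RESPONSE = json.dumps({
    "organizations": [],
    "roles": [{"id": "ROLE-ID-PLACEHOLDER", "name": "User"}],
    "app_id": "APP-ID-PLACEHOLDER",
    "trusted_apps": [],
    "id": "USER-ID-PLACEHOLDER",
    "authorization_decision": "Deny",
    "username": "username",
    "email": "user@email.com",
})


if __name__ == "__main__":
    print(basic_auth_header("CLIENT-ID-PLACEHOLDER", "CLIENT-SECRET-PLACEHOLDER"))
    print(validation_query("TOKEN-PLACEHOLDER", "GET", "/v2/subscriptions/", "APP-ID-PLACEHOLDER"))
    print(enforce(SAMPLE_DENY_RESPONSE))
```

Run against the step 4 response, enforce() yields 403 instead of the HTTP/2 200 observed in step 5; the same 403 results when authorization_decision is absent, which is the case worth checking in any proxy that treats a valid token as sufficient.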