ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Keyrock 8.4.0 unable to support Authzforce #340

Closed jason-fox closed 1 year ago

jason-fox commented 1 year ago

Regression issue discovered by @sarraKs

Running Keyrock in advanced PDP mode with Authzforce:

- IDM_PDP_LEVEL=advanced
- IDM_AUTHZFORCE_ENABLED=true
- IDM_AUTHZFORCE_HOST=authzforce
- IDM_AUTHZFORCE_PORT=8080

I log into an application as a Keyrock user e.g.:

curl -X POST \
  http://keyrock/oauth2/token \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=bob-the-manager@test.com&password=test&grant_type=password'

I then wish to obtain the location of authzforce by requesting:

curl -X GET \
  'http://keyrock/user?access_token={{access_token}}&app_id={{app_id}}&authzforce=true'

for example:

curl -X GET \
  'http://keyrock/user?access_token=af40e1642c5270898c7460f018b830e761e02521&app_id=tutorial-dckr-site-0000-xpresswebapp&authzforce=true'

With KEYROCK_VERSION=8.3.0 I obtain:

{
  "organizations": [],
  "displayName": "",
  "roles": [
    {
      "id": "managers-role-0000-0000-000000000000",
      "name": "Management"
    }
  ],
  "app_id": "tutorial-dckr-site-0000-xpresswebapp",
  "trusted_apps": [],
  "isGravatarEnabled": "",
  "id": "bbbbbbbb-good-0000-0000-000000000000",
  "authorization_decision": "",
  "app_azf_domain": "gQqnLOnIEeiBFQJCrBIBDA",
  "eidas_profile": {},
  "attributes": {},
  "shared_attributes": "",
  "username": "bob",
  "email": "bob-the-manager@test.com",
  "given_name": "bob",
  "family_name": "bob",
  "image": "",
  "gravatar": "",
  "extra": {
    "visible_attributes": [
      "username",
      "description",
      "identity_attributes"
    ]
  },
  "sub": "bbbbbbbb-good-0000-0000-000000000000"
}

With KEYROCK_VERSION=8.4.0 I obtain:

{"message":"Cannot handle 2 authentications levels at the same time","code":400,"title":"Bad Request"}

Diagnosis

The error is thrown by this line, which was amended in commit f58e4872 as shown:

+  if (options.authzforce && (options.action || options.resource || options.service_header || options.credential)) {
-  if (options.authzforce && (options.action || options.resource || options.service_header || options.access_token)) {
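Review bot: the amended condition now raises the "2 authentications levels" error for any authzforce=true request that also carries a credential, yet the bearer access_token is exactly what the `/user?...&authzforce=true` lookup must present, so the guard fires on the legitimate advanced-PDP case (the 8.3.0 reply above returns app_azf_domain for the same request that 8.4.0 rejects with 400). Since options.credential is evidently populated from the access token here, either keep the token out of the conflict test as the removed line did, or make the check count distinct authentication mechanisms rather than OR-ing every populated option together. Note also that the hunk lists the + line before the - line, so the first quoted line is the 8.4.0 code and the second is the 8.3.0 code.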

For Authzforce advanced authorization, it is legitimate for the request to hold both an access_token and authzforce=true.
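The two-step exchange from the report (password grant, then GET /user with app_id and authzforce=true) as a Python probe that tells the 8.3.0 behaviour apart from the 8.4.0 regression. This is an added example, not code from the issue or from Keyrock itself. It uses only the standard library; the client id and secret are the values the issue's Basic header decodes to; the base URL http://keyrock and the field names are taken from the curl commands and JSON bodies quoted above, and the sample bodies used for the offline check are constructed from those quotes.

```python
"""Probe whether a Keyrock instance still answers the Authzforce domain lookup.

Added example for issue #340, not Keyrock's own code. Reproduces the
reporter's two requests and classifies the /user reply as either the 8.3.0
behaviour (app_azf_domain present) or the 8.4.0 regression (400 with
"Cannot handle 2 authentications levels at the same time").
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Exact error text quoted in the issue for Keyrock 8.4.0.
REGRESSION_MESSAGE = "Cannot handle 2 authentications levels at the same time"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for the OAuth2 client credentials (client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(base_url, client_id, client_secret, username, password):
    """Build the resource-owner password grant exactly as the issue's first curl does."""
    url = base_url.rstrip("/") + "/oauth2/token"
    headers = {
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"username": username, "password": password, "grant_type": "password"}
    )
    return url, headers, body


def user_info_url(base_url, access_token, app_id, authzforce=True):
    """Build the /user lookup; authzforce=true asks Keyrock to include app_azf_domain."""
    query = {"access_token": access_token, "app_id": app_id}
    if authzforce:
        query["authzforce"] = "true"
    return base_url.rstrip("/") + "/user?" + urllib.parse.urlencode(query)


def classify_user_response(status, payload):
    """Map a /user reply to a verdict: 'ok' (8.3.0 shape), 'regression' (8.4.0), or 'other'."""
    if status == 200 and "app_azf_domain" in payload:
        return {
            "verdict": "ok",
            "app_azf_domain": payload["app_azf_domain"],
            "roles": [role["name"] for role in payload.get("roles", [])],
        }
    if status == 400 and payload.get("message") == REGRESSION_MESSAGE:
        return {"verdict": "regression", "message": payload["message"]}
    return {"verdict": "other", "status": status, "payload": payload}


def _http_json(url, headers=None, data=None):
    """Send the request and return (status, decoded JSON), also for 4xx replies."""
    req = urllib.request.Request(
        url, data=data.encode("utf-8") if data else None, headers=headers or {}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


def probe(base_url, client_id, client_secret, app_id, username, password):
    """Run both requests against a live Keyrock and return the classification."""
    url, headers, body = token_request(base_url, client_id, client_secret, username, password)
    status, token_payload = _http_json(url, headers, body)
    if status != 200 or "access_token" not in token_payload:
        return {"verdict": "other", "status": status, "payload": token_payload}
    status, payload = _http_json(user_info_url(base_url, token_payload["access_token"], app_id))
    return classify_user_response(status, payload)


if __name__ == "__main__":
    # Tutorial credentials from the issue; the client id is also the app_id there.
    result = probe(
        "http://keyrock",
        "tutorial-dckr-site-0000-xpresswebapp",
        "tutorial-dckr-site-0000-clientsecret",
        "tutorial-dckr-site-0000-xpresswebapp",
        "bob-the-manager@test.com",
        "test",
    )
    print(json.dumps(result, indent=2))
```

Run it against a Keyrock started with the four IDM_* settings listed in the report: a verdict of "ok" carrying app_azf_domain means the advanced-PDP lookup works, "regression" means the 8.4.0 guard is rejecting the token-plus-authzforce request, and "other" surfaces anything else (a failed login, a different error) without guessing.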