keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Authorization Resources with dynamic URI and querystring return the incorrect response #28772

Open dwalker-sabiogroup opened 6 months ago

dwalker-sabiogroup commented 6 months ago

Before reporting an issue

Area

authorization-services

Describe the bug

When configuring resource authorization for an OIDC client using lazy-load-paths and http-method-as-scope, URIs containing dynamic patterns and a querystring fail to evaluate correctly.

Client > Authorization > Resource configured as below

| Setting | Value |
| --- | --- |
| Authorization scopes | GET |
| URIs | /api/v1/admin/projects/{project}/parameters?* |

Version

24.0.2

Regression

Expected behavior

When making a GET request to api/v1/admin/projects/1/parameters?page=1&pageSize=10 a 200 response is returned

Actual behavior

When making a GET request to api/v1/admin/projects/1/parameters?page=1&pageSize=10 a 403 response is returned

How to Reproduce?

  1. Create an OpenID client and enable authorization
  2. Create an Authorization resource with a URI containing a pattern and a querystring pattern, e.g. api/{id}?{query}
  3. Resource Evaluation should be PERMIT not DENY

Anything else?

Testing the following Resource URIs with a request to URL api/v1/admin/projects/1/parameters?page=1&pageSize=10

| Resource URI | HTTP Response |
| --- | --- |
| api/v1/admin/projects/1/parameters?page=1&pageSize=10 | 200 |
| api/v1/admin/projects/{id}/parameters?page=1&pageSize=10 | 200 |
| api/v1/admin/projects/1/parameters?{query} | 200 |
| api/v1/admin/projects/{id}/parameters?{query} | 403 |

The issue only occurs when a URI contains a querystring and a dynamic pattern both before and after the ? delimiter. The same behaviour is observed when the dynamic pattern is in the form {...} or *.

For context, our environment is using apisix with the authz-keycloak plugin for authorization. The plugin configuration is below and is working correctly for all other authorization.

  access_token_in_authorization_header: true
  bearer_only: true
  client_id: ***
  client_secret: ***
  discovery: https://keycloak.keycloak.svc.cluster.local/realms/***/.well-known/uma2-configuration
  introspection_endpoint_auth_method: client_secret_post
  realm: ***
  scope: openid profile roles
  session:
    secret: ***

The same issue has been reported in https://github.com/keycloak/keycloak/discussions/22184

pedroigor commented 6 months ago

Just to confirm, the format you want to use is api/v1/admin/projects/{id}/parameters?{query} where you have multiple patterns in the UI?

I'll work on it.

keycloak-github-bot[bot] commented 6 months ago

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.

dwalker-sabiogroup commented 6 months ago

@pedroigor - We would expect to be able to use placeholders after a query string (either {name} or *) and work the same as in the URI preceding the query string e.g.

api/v1/user/{user_id}/project/{project_id}/issues?page={page_no}&page_size=*

Would match

api/v1/user/1/project/10/issues?page=1&page_size=10&status=open
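As an added example (not Keycloak's own path matcher and not code posted by anyone in this thread), the following small reference matcher implements the semantics the reporter describes: `{name}` matches exactly one path segment and never crosses a `/`, `*` matches any run of characters (so extra query parameters such as `&status=open` are tolerated), and both placeholder kinds are honoured on either side of the `?` delimiter. It is run against the four resource URIs from the reporter's table and the `page={page_no}&page_size=*` case above; the function and variable names are this example's own.

```python
"""Reference matcher for Keycloak-style resource URI templates.

Added example, not Keycloak's implementation. Semantics demonstrated:
  {name}  -> one path or query token, never spanning '/'
  *       -> any run of characters, including '&' and '='
Literal characters in the template (including '?') are escaped, so only
the two placeholder forms carry special meaning.
"""
import re
from typing import Iterable

# A placeholder is either {something-without-braces-or-slash} or a bare '*'.
PLACEHOLDER = re.compile(r"\{[^{}/]+\}|\*")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a resource URI template into a regex used with fullmatch()."""
    parts = []
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))  # literal run
        parts.append(r"[^/]+" if m.group().startswith("{") else r".*")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


def _normalise(uri: str) -> str:
    # The reporter's table mixes "/api/..." and "api/..."; treat them alike.
    return uri.lstrip("/")


def matches(template: str, request_uri: str) -> bool:
    """True when the request path+query is covered by the template."""
    return template_to_regex(_normalise(template)).fullmatch(_normalise(request_uri)) is not None


def decision(resource_uris: Iterable[str], request_uri: str) -> str:
    """PERMIT when any configured resource URI covers the request, else DENY."""
    return "PERMIT" if any(matches(t, request_uri) for t in resource_uris) else "DENY"


# Constructed inputs taken from the thread above.
REQUEST = "api/v1/admin/projects/1/parameters?page=1&pageSize=10"
TABLE_URIS = [
    "api/v1/admin/projects/1/parameters?page=1&pageSize=10",
    "api/v1/admin/projects/{id}/parameters?page=1&pageSize=10",
    "api/v1/admin/projects/1/parameters?{query}",
    "api/v1/admin/projects/{id}/parameters?{query}",  # the row that returned 403
]
REPLY_TEMPLATE = "api/v1/user/{user_id}/project/{project_id}/issues?page={page_no}&page_size=*"
REPLY_REQUEST = "api/v1/user/1/project/10/issues?page=1&page_size=10&status=open"


def table_results() -> dict:
    """Evaluate every row of the reporter's table; all four should PERMIT."""
    return {uri: decision([uri], REQUEST) for uri in TABLE_URIS}


if __name__ == "__main__":
    for uri, outcome in table_results().items():
        print(f"{outcome:6s} {uri}")
    print(decision([REPLY_TEMPLATE], REPLY_REQUEST), REPLY_TEMPLATE)
    # Placeholders do not span segments, so an extra segment is denied.
    print(decision(TABLE_URIS, "api/v1/admin/projects/1/2/parameters?page=1"))
```

The last line of `main` is the check a defender cares about: because `{id}` compiles to `[^/]+`, a request that inserts an additional path segment is not matched by any of the templates, while `*` after the `?` deliberately accepts any additional query parameters.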

luisfagottani commented 4 months ago

Hello, guys. I have an application that needs this feature as well.