Open Joeydelarago opened 2 months ago
@Joeydelarago We don't have transient users integrated with authorization services yet. We should work on this before making the feature supported.
Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.
If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.
Before reporting an issue
Area
authorization-services
Describe the bug
I have a Keycloak realm with an OIDC client that issues a token without roles included. I have another OIDC client which is a confidential client that does authorisation. I use "Fetch Roles" in the policy to get the roles instead of using the roles in the token. Authorisation works fine with a user from this realm.
I add an identity provider with transient users enabled (Do not store users). I hardcode roles on all users from this identity provider. Now the roles of the users from this identity provider and my realm match, and I expect that authorization will be the same for both. However, the transient user always fails to authorise.
I thought that Fetch roles would resolve the roles from the user sessions, but maybe I am mistaken?
Version
25.0.4
Regression
Expected behavior
Fetch roles for policies fetches roles for transient users from the session and authorisation is successful
Actual behavior
Authorisation always fails with a transient user
How to Reproduce?
Anything else?
No response