Details
- Type: extRequest
- Status: Closed
- Priority: Major
- Resolution: Dismissed
- Fix Version/s: None
- Component/s: FIWARE-TECH-HELP
- Labels: None
Description
Hi
I am having all sorts of issues with several versions of Keyrock IDM.
Version 7.9.2:
Issue: When authorization_decision is deny for resource, sending an API request still successfully returns results.
Steps to reproduce
1 Generate authorization key:
$ echo -n 59b...e90:131...51c | base64 -w 0
NTli...Yw==
2 In the Keyrock frontend, create "User" role and add user@email.com to it. Deliberately do not grant any permissions to the "User" role.
3 Generate access token:
$ curl -X POST 'http://localhost:3005/oauth2/token' -H 'Accept: application/json' -H 'Authorization: Basic NTli...Yw==' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=user@email.com&password=password&grant_type=password"
{"access_token":"080...495","token_type":"bearer","expires_in":3599,"refresh_token":"ee8...1a3","scope":["bearer"]}
4 Verify authorization_decision is "Deny" for /v2/subscriptions which has not been granted as a permission for the "User" role:
$ curl 'http://localhost:3005/user?access_token=080...495&action=GET&resource=/v2/subscriptions/&app_id=59b-4...b-950'
{"organizations":[],"displayName":"","roles":[
{"id":"606...65f","name":"User"}],"app_id":"59b...e90","trusted_apps":[],"isGravatarEnabled":"","id":"174...0bf","authorization_decision":"Deny","app_azf_domain":"","eidas_profile":{},"attributes":{},"shared_attributes":"","username":"username","email":"user@email.com","image":"","gravatar":"","extra":""}
5 Successfully get list of subscriptions:
$ curl -i --insecure -X GET https://localhost/v2/subscriptions/ -H 'X-Auth-token: 080...495'
HTTP/2 200
The IDM log shows:
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller --> authenticate_token
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller --> authenticate_jwt
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller Error JsonWebTokenError: jwt malformed
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller --> authenticate_bearer
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server ------getAccesToken------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server ------create_oauth_response------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server ------search_user_info------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server ------trusted_applications------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server ------user_roles------
I tried upgrading to 8.1.0 but get an error when trying to generate an access token - which I also got when rolling back to 8.0.0:
$ curl -X POST 'http://localhost:3005/oauth2/token' -H 'Accept: application/json' -H 'Authorization: Basic NTli...Yw==' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=user@email.com&password=password&grant_type=password"
"Cannot read property 'includes' of undefined"
The IDM log shows:
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth_controller --> token
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth_controller
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server ------getClient------
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server ------getIdentity------
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server 59b...e90
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server ------validateScope------
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server ------saveToken------
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server ------storeToken------
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server saveToken - Err: DatabaseError [SequelizeDatabaseError]: Unknown column 'hash' in 'field list'
fiware-keyrock-1 | at Query.formatError (/opt/fiware-idm/node_modules/sequelize/lib/dialects/mysql/query.js:247:16)
fiware-keyrock-1 | at Query.handler [as onResult] (/opt/fiware-idm/node_modules/sequelize/lib/dialects/mysql/query.js:68:23)
fiware-keyrock-1 | at Query.execute (/opt/fiware-idm/node_modules/mysql2/lib/commands/command.js:30:14)
fiware-keyrock-1 | at Connection.handlePacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:408:32)
fiware-keyrock-1 | at PacketParser.onPacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:70:12)
fiware-keyrock-1 | at PacketParser.executeStart (/opt/fiware-idm/node_modules/mysql2/lib/packet_parser.js:75:16)
fiware-keyrock-1 | at Socket.<anonymous> (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:77:25)
fiware-keyrock-1 | at Socket.emit (events.js:314:20)
fiware-keyrock-1 | at addChunk (_stream_readable.js:297:12)
fiware-keyrock-1 | at readableAddChunk (_stream_readable.js:272:9)
fiware-keyrock-1 | at Socket.Readable.push (_stream_readable.js:213:10)
fiware-keyrock-1 | at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
fiware-keyrock-1 | parent: Error: Unknown column 'hash' in 'field list'
fiware-keyrock-1 | at Packet.asError (/opt/fiware-idm/node_modules/mysql2/lib/packets/packet.js:708:17)
fiware-keyrock-1 | at Query.execute (/opt/fiware-idm/node_modules/mysql2/lib/commands/command.js:28:26)
fiware-keyrock-1 | at Connection.handlePacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:408:32)
fiware-keyrock-1 | at PacketParser.onPacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:70:12)
fiware-keyrock-1 | at PacketParser.executeStart (/opt/fiware-idm/node_modules/mysql2/lib/packet_parser.js:75:16)
fiware-keyrock-1 | at Socket.<anonymous> (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:77:25)
fiware-keyrock-1 | at Socket.emit (events.js:314:20)
fiware-keyrock-1 | at addChunk (_stream_readable.js:297:12)
fiware-keyrock-1 | at readableAddChunk (_stream_readable.js:272:9)
fiware-keyrock-1 | at Socket.Readable.push (_stream_readable.js:213:10)
fiware-keyrock-1 | at TCP.onStreamRead (internal/stream_base_commons.js:188:23)
,
fiware-keyrock-1 | original: Error: Unknown column 'hash' in 'field list'
fiware-keyrock-1 | at Packet.asError (/opt/fiware-idm/node_modules/mysql2/lib/packets/packet.js:708:17)
fiware-keyrock-1 | at Query.execute (/opt/fiware-idm/node_modules/mysql2/lib/commands/command.js:28:26)
fiware-keyrock-1 | at Connection.handlePacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:408:32)
fiware-keyrock-1 | at PacketParser.onPacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:70:12)
fiware-keyrock-1 | at PacketParser.executeStart (/opt/fiware-idm/node_modules/mysql2/lib/packet_parser.js:75:16)
fiware-keyrock-1 | at Socket.<anonymous> (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:77:25)
fiware-keyrock-1 | at Socket.emit (events.js:314:20)
fiware-keyrock-1 | at addChunk (_stream_readable.js:297:12)
fiware-keyrock-1 | at readableAddChunk (_stream_readable.js:272:9)
fiware-keyrock-1 | at Socket.Readable.push (_stream_readable.js:213:10)
fiware-keyrock-1 | at TCP.onStreamRead (internal/stream_base_commons.js:188:23)
,
fiware-keyrock-1 | sql: "INSERT INTO `oauth_access_token` (`hash`,`access_token`,`expires`,`scope`,`valid`,`oauth_client_id`,`user_id`,`iot_id`,`refresh_token`,`authorization_code`) VALUES ('efb...1f2','986...b89','2021-11-11 10:22:44','bearer',true,'59b...e90','174...0bf',NULL,'b88...4a4',NULL);"
fiware-keyrock-1 | }
fiware-keyrock-1 | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth_controller Error server_error: Cannot read property 'includes' of undefined
fiware-keyrock-1 | at new ServerError (/opt/fiware-idm/node_modules/oauth2-server/lib/errors/server-error.js:25:14)
fiware-keyrock-1 | at TokenHandler.<anonymous> (/opt/fiware-idm/node_modules/oauth2-server/lib/handlers/token-handler.js:107:13)
fiware-keyrock-1 | at TokenHandler.tryCatcher (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/util.js:16:23)
fiware-keyrock-1 | at Promise._settlePromiseFromHandler (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:512:31)
fiware-keyrock-1 | at Promise._settlePromise (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:569:18)
fiware-keyrock-1 | at Promise._settlePromise0 (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:614:10)
fiware-keyrock-1 | at Promise._settlePromises (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:689:18)
fiware-keyrock-1 | at Async._drainQueue (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:133:16)
fiware-keyrock-1 | at Async._drainQueues (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:143:10)
fiware-keyrock-1 | at Immediate.Async.drainQueues [as _onImmediate] (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:17:14)
fiware-keyrock-1 | at processImmediate (internal/timers.js:461:21)
So right now, I can only use 7.9.2 but am unable to control access in any way as simply having an access token allows access outside permissions granted to roles.
Please can you help.
Kind regards
Taz
Chalmers University of Technology
[Created via e-mail received from: Taz Lodder <taz@chalmers.se>]
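In the reproduction above, Keyrock's /user endpoint already answers "authorization_decision": "Deny" for GET /v2/subscriptions/ (step 4), while the request in step 5 goes straight to the backend on https://localhost and is never checked against that answer. Keyrock only produces the decision; something in front of the backend has to ask for it and act on it. The following is an added example of such an enforcement check, not code from the ticket, from Keyrock or from FIWARE's own PEP proxy: it builds the same /user query the ticket uses (access_token, action, resource, app_id), treats only an explicit "Permit" as allowed (the counterpart to the "Deny" shown; the exact value is an assumption here) and fails closed on a missing field, a non-JSON body or a transport error. The Keyrock base URL, the sample responses and the `fake_keyrock` stand-in are constructed so the block runs offline.

```python
"""Minimal policy-enforcement check in front of a protected backend.

Added example (not Keyrock, Wilma or ticket code). It asks Keyrock's
/user endpoint for the authorization decision the ticket shows in
step 4 and only lets a backend request through on an explicit "Permit".
"""
import json
import urllib.parse
import urllib.request

KEYROCK_URL = "http://localhost:3005"  # assumption: same host/port as the ticket


def keyrock_user_url(base, access_token, action, resource, app_id):
    """Build the /user query Keyrock answers with authorization_decision."""
    query = urllib.parse.urlencode({
        "access_token": access_token,
        "action": action,
        "resource": resource,
        "app_id": app_id,
    })
    return f"{base}/user?{query}"


def decision_from_body(body):
    """True only for an explicit 'Permit'; anything else (including a
    malformed body or a missing field) is a deny."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False
    if not isinstance(data, dict):
        return False
    # "Permit" is assumed to be Keyrock's allow value; the ticket shows "Deny".
    return data.get("authorization_decision") == "Permit"


def fetch_via_http(url):
    """Real transport: GET the URL and return the body as text."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def is_request_permitted(access_token, action, resource, app_id,
                         fetch=fetch_via_http, base=KEYROCK_URL):
    """PEP decision for one backend request. Fails closed on any error
    (no token, Keyrock unreachable, 401 from Keyrock, timeout)."""
    if not access_token:
        return False
    url = keyrock_user_url(base, access_token, action, resource, app_id)
    try:
        body = fetch(url)
    except Exception:
        return False
    return decision_from_body(body)


# Constructed sample responses modelled on the ticket's step 4 output.
SAMPLE_DENY = json.dumps({
    "roles": [{"id": "606...65f", "name": "User"}],
    "app_id": "59b...e90",
    "authorization_decision": "Deny",
    "email": "user@email.com",
})
SAMPLE_PERMIT = json.dumps({
    "roles": [{"id": "606...65f", "name": "User"}],
    "app_id": "59b...e90",
    "authorization_decision": "Permit",
    "email": "user@email.com",
})


def fake_keyrock(responses):
    """Offline stand-in for fetch_via_http: maps a resource to a canned body
    and raises (like an HTTP error would) for anything unknown."""
    def fetch(url):
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        resource = qs["resource"][0]
        if resource not in responses:
            raise RuntimeError("Keyrock returned 401 / unknown resource")
        return responses[resource]
    return fetch


if __name__ == "__main__":
    fetch = fake_keyrock({
        "/v2/subscriptions/": SAMPLE_DENY,
        "/v2/entities/": SAMPLE_PERMIT,
    })
    for res in ("/v2/subscriptions/", "/v2/entities/", "/v2/types/"):
        ok = is_request_permitted("080...495", "GET", res, "59b...e90", fetch=fetch)
        print(res, "forward to backend" if ok else "deny (403)")
```

With the constructed responses, /v2/subscriptions/ is denied exactly as Keyrock answered in step 4, /v2/entities/ is forwarded, and /v2/types/ (for which the stand-in raises, as a real 401 would) is also denied. The point of the fail-closed default is that a token by itself never grants access: a request only reaches the backend after Keyrock has said "Permit" for that specific action and resource.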