Skip to content

REDHAT SSO issue report regarding `admin service account` authorization via API

Jump to bottom
Junmin Ahn edited this page Jun 3, 2021 · 8 revisions

Describe the issue A new client default service account with admin role does not have actual admin privileges via API.

Steps to reproduce

  1. Create a new client using the openid-connect protocol in Master realm.
  2. Set Access Type to confidential.
  3. Set Standard Flow Enabled to OFF.
  4. Set Direct Access Grants Enabled to OFF.
  5. Set Service Accounts Enabled to ON.
  6. Grant admin role in Service Account Roles tab.
  7. Make attampts to do admin actions via API
  • example code
const KcAdminClient = require("keycloak-admin").default;

const KEYCLOAK_URL = "<KEYCLOAK_URL>";
const KEYCLOAK_CLIENT_ID = "<KEYCLOAK_CLIENT_ID>";
const KEYCLOAK_CLIENT_SECRET = "<KEYCLOAK_CLIENT_SECRET>";

const kcAdminClient = new KcAdminClient({
  baseUrl: `${KEYCLOAK_URL}/auth`,
  realmName: "master",
});

async function main() {
  try {
    await kcAdminClient.auth({
      grantType: "client_credentials",
      clientId: KEYCLOAK_CLIENT_ID,
      clientSecret: KEYCLOAK_CLIENT_SECRET,
    });

    const info = await kcAdminClient.serverInfo.find();
    console.log(info);
  } catch ({ response }) {
    console.log(response.status); // 400
    console.log(response.statusText); // 'Bad request'
    console.log(response.data); // '<html><body><h1>400 Bad request</h1>\nYour browser sent an invalid request.\n</body></html>'
  }
}

main();

Expected outcome It should print the information of the Keycloak server that the script requests for.

Environment

  • Server Version: 7.4.4.GA
  • Server Profile: Product
  • Disabled Features: ACCOUNT2, ACCOUNT_API, ADMIN_FINE_GRAINED_AUTHZ, DOCKER, OPENSHIFT_INTEGRATION, SCRIPTS, TOKEN_EXCHANGE, UPLOAD_SCRIPTS, WEB_AUTHN
  • Preview Features: ACCOUNT2, ACCOUNT_API, ADMIN_FINE_GRAINED_AUTHZ, OPENSHIFT_INTEGRATION, SCRIPTS, TOKEN_EXCHANGE, WEB_AUTHN
  • Java Version: 11.0.9.1
  • Java Vendor: Red Hat, Inc.
  • Java Runtime: OpenJDK Runtime Environment
  • Java VM: OpenJDK 64-Bit Server VM
  • Java VM Version: 11.0.9.1+1-LTS
  • Java Home: /usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64
  • User Timezone: GMT
  • User Locale: us_EN
  • System Encoding: ANSI_X3.4-1968
  • Operating System: Linux 4.18.0-193.47.1.el8_2.x86_64
  • OS Architecture: amd64

Additional Context:

  • The script does not work with a new client manually created following the steps of Steps to reproduce.
  • The script works with the default client admin-cli in the Master realm.
  • The script does not work with the new client created with the exported JSON of working client admin-cli.
  • The script works with a custom client in Keycloak 13.0.1, but Redhat Single Sign-on 7.4.4.GA.

Possible Approach:

Approach Applied:

  • We resolved this issue by giving specific clients' roles to the service account.
  • To give clients' roles to the service account and apply, follow the steps below:
    1. Create a new client using the openid-connect protocol in Master realm.
    2. Set Access Type to confidential.
    3. Set Standard Flow Enabled to OFF.
    4. Set Direct Access Grants Enabled to OFF.
    5. Set Service Accounts Enabled to ON.
    6. In the Service Account Roles tab
    7. Select a specific client in the Client Roles section and assign all roles available for the client.
    8. Repeat the step above for other target realm clients.
    9. In the Scope tab
    10. Select a specific client in the Client Roles section and assign all roles available for the client.
    11. Repeat the step above for other target realm clients.
  • Do not grant the admin role to the service account to avoid large token size.
  • The proxy realm client name is <realm_name>-realm.
Clone this wiki locally