[Fiware-tech-help] Keyrock IDM: 7.9.2 Successful requests when authorization_decision: Deny | 8.1.0 + 8.0.0 fail to get token

Taz Lodder taz at chalmers.se
Thu Nov 11 10:32:45 CET 2021


Hi


I am having all sorts of issues with several versions of Keyrock IDM.


Version 7.9.2:


Issue: When authorization_decision is deny for resource, sending an API request still successfully returns results.


Steps to reproduce:


1 Generate authorization key:

$ echo -n 59b...e90:131...51c | base64 -w 0

NTli...Yw==


2 In the Keyrock frontend, create "User" role and add user at email.com to it. Deliberately do not grant any permissions to the "User" role.


3 Generate access token:

$ curl -X POST 'http://localhost:3005/oauth2/token' -H 'Accept: application/json' -H 'Authorization: Basic NTli...Yw==' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=user at email.com&password=password&grant_type=password"
{"access_token":"080...495","token_type":"bearer","expires_in":3599,"refresh_token":"ee8...1a3","scope":["bearer"]}


4 Verify authorization_decision is "Deny" for /v2/subscription which has not been granted as a permission for the "User" role:

$ curl 'http://localhost:3005/user?access_token=080...495&action=GET&resource=/v2/subscriptions/&app_id=59b-4...b-950'

{"organizations":[],"displayName":"","roles":[{"id":"606...65f","name":"User"}],"app_id":"59b...e90","trusted_apps":[],"isGravatarEnabled":"","id":"174...0bf","authorization_decision":"Deny","app_azf_domain":"","eidas_profile":{},"attributes":{},"shared_attributes":"","username":"username","email":"user at email.com","image":"","gravatar":"","extra":""}


5 Successfully get list of subscriptions:

$ curl -i --insecure -X GET https://localhost/v2/subscriptions/ -H 'X-Auth-token: 080...495'
HTTP/2 200

The IDM log shows:

Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller  --> authenticate_token
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller  --> authenticate_jwt
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller Error JsonWebTokenError: jwt malformed
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth_controller  --> authenticate_bearer
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------getAccesToken-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------create_oauth_response-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------search_user_info-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------trusted_applications-------
Thu, 11 Nov 2021 08:54:14 GMT idm:oauth2-model_oauth_server -------user_roles-------


I tried upgrading to 8.1.0 but get an error when trying to generate an access token - which I also got when rolling back to 8.0.0:

$ curl -X POST 'http://localhost:3005/oauth2/token' -H 'Accept: application/json' -H 'Authorization: Basic NTli...Yw==' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=user at email.com&password=password&grant_type=password"

"Cannot read property 'includes' of undefined"

The IDM log shows:
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth_controller  --> token
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth_controller {
fiware-keyrock-1         |   username: 'user at email.com',
fiware-keyrock-1         |   password: 'password',
fiware-keyrock-1         |   grant_type: 'password'
fiware-keyrock-1         | }
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server -------getClient-------
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server -------getIdentity-------
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server 59b...e90
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server -------validateScope-------
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server -------saveToken-------
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server -------storeToken-------
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth2-model_oauth_server saveToken - Err:  DatabaseError [SequelizeDatabaseError]: Unknown column 'hash' in 'field list'
fiware-keyrock-1         |     at Query.formatError (/opt/fiware-idm/node_modules/sequelize/lib/dialects/mysql/query.js:247:16)
fiware-keyrock-1         |     at Query.handler [as onResult] (/opt/fiware-idm/node_modules/sequelize/lib/dialects/mysql/query.js:68:23)
fiware-keyrock-1         |     at Query.execute (/opt/fiware-idm/node_modules/mysql2/lib/commands/command.js:30:14)
fiware-keyrock-1         |     at Connection.handlePacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:408:32)
fiware-keyrock-1         |     at PacketParser.onPacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:70:12)
fiware-keyrock-1         |     at PacketParser.executeStart (/opt/fiware-idm/node_modules/mysql2/lib/packet_parser.js:75:16)
fiware-keyrock-1         |     at Socket.<anonymous> (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:77:25)
fiware-keyrock-1         |     at Socket.emit (events.js:314:20)
fiware-keyrock-1         |     at addChunk (_stream_readable.js:297:12)
fiware-keyrock-1         |     at readableAddChunk (_stream_readable.js:272:9)
fiware-keyrock-1         |     at Socket.Readable.push (_stream_readable.js:213:10)
fiware-keyrock-1         |     at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
fiware-keyrock-1         |   parent: Error: Unknown column 'hash' in 'field list'
fiware-keyrock-1         |       at Packet.asError (/opt/fiware-idm/node_modules/mysql2/lib/packets/packet.js:708:17)
fiware-keyrock-1         |       at Query.execute (/opt/fiware-idm/node_modules/mysql2/lib/commands/command.js:28:26)
fiware-keyrock-1         |       at Connection.handlePacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:408:32)
fiware-keyrock-1         |       at PacketParser.onPacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:70:12)
fiware-keyrock-1         |       at PacketParser.executeStart (/opt/fiware-idm/node_modules/mysql2/lib/packet_parser.js:75:16)
fiware-keyrock-1         |       at Socket.<anonymous> (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:77:25)
fiware-keyrock-1         |       at Socket.emit (events.js:314:20)
fiware-keyrock-1         |       at addChunk (_stream_readable.js:297:12)
fiware-keyrock-1         |       at readableAddChunk (_stream_readable.js:272:9)
fiware-keyrock-1         |       at Socket.Readable.push (_stream_readable.js:213:10)
fiware-keyrock-1         |       at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
fiware-keyrock-1         |     code: 'ER_BAD_FIELD_ERROR',
fiware-keyrock-1         |     errno: 1054,
fiware-keyrock-1         |     sqlState: '42S22',
fiware-keyrock-1         |     sqlMessage: "Unknown column 'hash' in 'field list'",
fiware-keyrock-1         |     sql: "INSERT INTO `oauth_access_token` (`hash`,`access_token`,`expires`,`scope`,`valid`,`oauth_client_id`,`user_id`,`iot_id`,`refresh_token`,`authorization_code`) VALUES ('efb...1f2','986...b89','2021-11-11 10:22:44','bearer',true,'59b...e90','174...0bf',NULL,'b88...4a4',NULL);"
fiware-keyrock-1         |   },
fiware-keyrock-1         |   original: Error: Unknown column 'hash' in 'field list'
fiware-keyrock-1         |       at Packet.asError (/opt/fiware-idm/node_modules/mysql2/lib/packets/packet.js:708:17)
fiware-keyrock-1         |       at Query.execute (/opt/fiware-idm/node_modules/mysql2/lib/commands/command.js:28:26)
fiware-keyrock-1         |       at Connection.handlePacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:408:32)
fiware-keyrock-1         |       at PacketParser.onPacket (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:70:12)
fiware-keyrock-1         |       at PacketParser.executeStart (/opt/fiware-idm/node_modules/mysql2/lib/packet_parser.js:75:16)
fiware-keyrock-1         |       at Socket.<anonymous> (/opt/fiware-idm/node_modules/mysql2/lib/connection.js:77:25)
fiware-keyrock-1         |       at Socket.emit (events.js:314:20)
fiware-keyrock-1         |       at addChunk (_stream_readable.js:297:12)
fiware-keyrock-1         |       at readableAddChunk (_stream_readable.js:272:9)
fiware-keyrock-1         |       at Socket.Readable.push (_stream_readable.js:213:10)
fiware-keyrock-1         |       at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
fiware-keyrock-1         |     code: 'ER_BAD_FIELD_ERROR',
fiware-keyrock-1         |     errno: 1054,
fiware-keyrock-1         |     sqlState: '42S22',
fiware-keyrock-1         |     sqlMessage: "Unknown column 'hash' in 'field list'",
fiware-keyrock-1         |     sql: "INSERT INTO `oauth_access_token` (`hash`,`access_token`,`expires`,`scope`,`valid`,`oauth_client_id`,`user_id`,`iot_id`,`refresh_token`,`authorization_code`) VALUES ('efb...1f2','986...b89','2021-11-11 10:22:44','bearer',true,'59b...e90','174...0bf',NULL,'b88...4a4',NULL);"
fiware-keyrock-1         |   },
fiware-keyrock-1         |   sql: "INSERT INTO `oauth_access_token` (`hash`,`access_token`,`expires`,`scope`,`valid`,`oauth_client_id`,`user_id`,`iot_id`,`refresh_token`,`authorization_code`) VALUES ('efb...1f2','986...b89','2021-11-11 10:22:44','bearer',true,'59b...e90','174...0bf',NULL,'b88...4a4',NULL);"
fiware-keyrock-1         | }
fiware-keyrock-1         | Thu, 11 Nov 2021 09:22:44 GMT idm:oauth_controller Error  server_error: Cannot read property 'includes' of undefined
fiware-keyrock-1         |     at new ServerError (/opt/fiware-idm/node_modules/oauth2-server/lib/errors/server-error.js:25:14)
fiware-keyrock-1         |     at TokenHandler.<anonymous> (/opt/fiware-idm/node_modules/oauth2-server/lib/handlers/token-handler.js:107:13)
fiware-keyrock-1         |     at TokenHandler.tryCatcher (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/util.js:16:23)
fiware-keyrock-1         |     at Promise._settlePromiseFromHandler (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:512:31)
fiware-keyrock-1         |     at Promise._settlePromise (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:569:18)
fiware-keyrock-1         |     at Promise._settlePromise0 (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:614:10)
fiware-keyrock-1         |     at Promise._settlePromises (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:689:18)
fiware-keyrock-1         |     at Async._drainQueue (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:133:16)
fiware-keyrock-1         |     at Async._drainQueues (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:143:10)
fiware-keyrock-1         |     at Immediate.Async.drainQueues [as _onImmediate] (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:17:14)
fiware-keyrock-1         |     at processImmediate (internal/timers.js:461:21) {
fiware-keyrock-1         |   statusCode: 503,
fiware-keyrock-1         |   status: 503,
fiware-keyrock-1         |   code: 503,
fiware-keyrock-1         |   inner: TypeError: Cannot read property 'includes' of undefined
fiware-keyrock-1         |       at new TokenModel (/opt/fiware-idm/node_modules/oauth2-server/lib/models/token-model.js:18:18)
fiware-keyrock-1         |       at TokenHandler.<anonymous> (/opt/fiware-idm/node_modules/oauth2-server/lib/handlers/token-handler.js:102:19)
fiware-keyrock-1         |       at PassThroughHandlerContext.finallyHandler (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/finally.js:57:23)
fiware-keyrock-1         |       at PassThroughHandlerContext.tryCatcher (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/util.js:16:23)
fiware-keyrock-1         |       at Promise._settlePromiseFromHandler (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:512:31)
fiware-keyrock-1         |       at Promise._settlePromise (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:569:18)
fiware-keyrock-1         |       at Promise._settlePromise0 (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:614:10)
fiware-keyrock-1         |       at Promise._settlePromises (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/promise.js:693:18)
fiware-keyrock-1         |       at Async._drainQueue (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:133:16)
fiware-keyrock-1         |       at Async._drainQueues (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:143:10)
fiware-keyrock-1         |       at Immediate.Async.drainQueues [as _onImmediate] (/opt/fiware-idm/node_modules/oauth2-server/node_modules/bluebird/js/release/async.js:17:14)
fiware-keyrock-1         |       at processImmediate (internal/timers.js:461:21)
fiware-keyrock-1         | }


So right now, I can only use 7.9.2 but am unable to control access in any way as simply having an access token allows access outside permissions granted to roles.

Please can you help?

Kind regards
Taz
Chalmers University of Technology
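The symptom in the post is that a token which merely validates is accepted even though the /user response carries "authorization_decision": "Deny". A policy enforcement point in front of the API has to fail closed on that field rather than on token validity alone. The block below is an added illustration of such a check, not Keyrock or Wilma code; `authz_query` and `pep_decision` are hypothetical helpers, and the sample responses are constructed from the shape of the /user reply shown in step 4.

```python
"""Fail-closed evaluation of a Keyrock /user response, as a PEP would apply it."""
import json
from urllib.parse import urlencode

# Constructed samples: the field layout follows the /user reply in the post,
# with the ids shortened the same way the post shortens them.
DENY_RESPONSE = json.dumps({
    "roles": [{"id": "606...65f", "name": "User"}],
    "app_id": "59b...e90",
    "authorization_decision": "Deny",
    "id": "174...0bf",
    "email": "user@email.com",
})
PERMIT_RESPONSE = DENY_RESPONSE.replace('"Deny"', '"Permit"')


def authz_query(idm_base, token, action, resource, app_id):
    """Build the /user?... URL the post queries in step 4 (hypothetical helper)."""
    qs = urlencode({"access_token": token, "action": action,
                    "resource": resource, "app_id": app_id})
    return f"{idm_base}/user?{qs}"


def pep_decision(status_code, body, app_id):
    """Return (allowed, reason) for one IDM reply.

    Only an explicit 'Permit' for the expected application passes the request
    through; a non-200 status, an unparseable body, a token issued for another
    app, a 'Deny', or a missing decision field are all treated as deny."""
    if status_code != 200:
        return False, f"idm returned {status_code}"
    try:
        info = json.loads(body)
    except ValueError:
        return False, "idm body is not json"
    if info.get("app_id") != app_id:
        return False, "token was issued for a different application"
    decision = info.get("authorization_decision")
    if decision == "Permit":
        return True, "permit"
    if decision == "Deny":
        return False, "idm denied the action"
    return False, f"no usable decision: {decision!r}"
```

With this check in place, the request in step 5 would be rejected even though the token itself is valid.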