Read Only Access of a realm clients' Authz is broken for Admin Console #24586

Closed
1 task done
SalemWafi opened this issue Nov 6, 2023 · 3 comments · Fixed by #24879

SalemWafi commented Nov 6, 2023

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/ui

Describe the bug

Users in the master realm who have the view-authorization role of a sub realm can't see the "Authorization" tab of the clients (that have authorization enabled) of that sub realm.

Version

22.0.3

Expected behavior

Users in the master realm who have the view-authorization role of a sub realm should be able to see the "Authorization" tab of the clients (that have authorization enabled) of that sub realm.

Actual behavior

Users in the master realm who have the view-authorization role of a sub realm can't see the "Authorization" tab of the clients (that have authorization enabled) of that sub realm.

How to Reproduce?

  1. Create a User in the master realm and assign these roles to that user (Make sure to assign your sub realm view-authorization role to that user).

KC1

  2. Login/impersonate that user, then go to your sub realm clients and click on one of the clients in that realm that has Authorization enabled.
    You won't be able to see the "Authorization" tab even though you have the role view-authorization of that sub realm:

KC2

Anything else?

If I assign the sub realm manage-authorization role to that user, the "Authorization" tab shows up, but of course, the user will have write access to the Authorizations tab, which is not a desirable solution for read-only users.

KC3

SalemWafi added the kind/bug and status/triage labels Nov 6, 2023
ssilvert commented Nov 7, 2023

I have verified this bug.

@hmlnarik hmlnarik self-assigned this Nov 7, 2023
@SalemWafi
Contributor Author

Hi @hmlnarik

Since you took this issue, this info might be helpful for you:

I think I have already found the cause of this bug.

The check for "view-authorization" is missing in this line of code: code_line_link
As you can see, the line "{client!.authorizationServicesEnabled && hasManageAuthorization && ("
should instead be "{client!.authorizationServicesEnabled && (hasManageAuthorization || hasViewAuthorization) && ("
where: "const hasViewAuthorization = hasAccess("view-authorization");"

CC: @ssilvert
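
The condition change proposed in the comment above, modelled as an added example (not Keycloak's code and not part of the original thread): it compares tab visibility under the quoted and the proposed condition for every role combination. The function names, the constructed users and clients, and the assumption that write controls stay tied to manage-authorization are hypothetical.

```javascript
// Added illustration, not Keycloak source. Only the two role names and
// authorizationServicesEnabled come from the issue; all else is hypothetical.
const VIEW = "view-authorization";
const MANAGE = "manage-authorization";

// Condition quoted in the comment: only manage-authorization shows the tab.
function tabVisibleBefore(client, roles) {
  return Boolean(client.authorizationServicesEnabled) && roles.has(MANAGE);
}

// Proposed condition: either role shows the tab.
function tabVisibleAfter(client, roles) {
  const hasRole = roles.has(MANAGE) || roles.has(VIEW);
  return Boolean(client.authorizationServicesEnabled) && hasRole;
}

// Assumption: editing stays tied to manage-authorization, so a view-only
// user gets the tab without write controls.
function tabMode(client, roles) {
  if (!tabVisibleAfter(client, roles)) return "hidden";
  return roles.has(MANAGE) ? "read-write" : "read-only";
}

// Constructed users and clients covering every role combination.
const USERS = { none: [], viewer: [VIEW], manager: [MANAGE], both: [VIEW, MANAGE] };
const CLIENTS = { authzOn: true, authzOff: false };

function accessMatrix() {
  const rows = [];
  for (const [user, roleList] of Object.entries(USERS)) {
    for (const [name, enabled] of Object.entries(CLIENTS)) {
      const roles = new Set(roleList);
      const client = { authorizationServicesEnabled: enabled };
      const before = tabVisibleBefore(client, roles) ? "visible" : "hidden";
      rows.push({ user, client: name, before, after: tabMode(client, roles) });
    }
  }
  return rows;
}

// Rows whose visibility differs between the two conditions.
function changedRows() {
  return accessMatrix().filter((r) => (r.before === "hidden") !== (r.after === "hidden"));
}

console.table(accessMatrix());
```

The only row that changes is the view-only user on a client with authorization enabled, which is the case the issue reports.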

hmlnarik added a commit to hmlnarik/keycloak that referenced this issue Nov 21, 2023
Closes: keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
SalemWafi commented Nov 27, 2023

@hmlnarik I found a related issue, in case you have some spare time to work on it :)
Thanks in advance!!

#25054
debugged_code_link

ssilvert pushed a commit that referenced this issue Nov 28, 2023
Closes: #24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
srose pushed a commit to srose/keycloak that referenced this issue Dec 20, 2023
Closes: keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
hmlnarik added a commit to hmlnarik/keycloak that referenced this issue Jan 11, 2024
Closes: keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
(cherry picked from commit c03c2e9)
hmlnarik added a commit that referenced this issue Jan 11, 2024
Closes: #24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
(cherry picked from commit c03c2e9)
kamontat pushed a commit to kamontat/keycloak that referenced this issue Jan 20, 2024
Closes: keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>
ShefeeqPM pushed a commit to ShefeeqPM/keycloak that referenced this issue Jan 27, 2024
Closes: keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
hmlnarik added a commit to hmlnarik/keycloak that referenced this issue Mar 1, 2024
Fixes keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
hmlnarik added a commit that referenced this issue Mar 1, 2024
Fixes #24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
ahus1 pushed a commit to ahus1/keycloak that referenced this issue Mar 22, 2024
Fixes keycloak#24586

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>