Setting authorization resource owner does not work or fails

[HendrikJanssen]

Current Behavior

When I want to set the owner of a resource, keycloak-config-cli either fails to create the resource (400 Bad request) is returned, or the owner is not set when updating the resource.

"resources": [
  {
    "name": "testresource",
    "type": "urn:testrealm:resources:test",
    "ownerManagedAccess": false,
    "owner": {
      "name": "testuser"
     },
     "uri": "/*",
     "scopes": [
       {
         "name":  "testscope"
       }
     ]
   }
]

Expected Behavior

The resource owner should be set accordingly.

Steps To Reproduce

1. Create a minimal realm with a user and a confidential client
2. Enable authorization on client
3. Try to create or update a resource with an owner (either via id or username) as shown above.

Either - when creating a 400 Bad request is returned from the cli
Or - when updating a resource nothing happens and keycloak-config-cli reports a successful update

Environment

Im using the docker hub image version of keycloak-config-cli

• Keycloak Version: 15.0.2
• keycloak-config-cli Version: adorsys/keycloak-config-cli:v4.4.0-15.0.2
• Java Version: seems to be 17 in the image

Anything else?

I am not sure what happens here since the request body is not printed out sadly. I do know that setting a resource owner is pretty finicky via the admin CLI. If this is a missing feature and not a bug I would gladly support with an PR, but maybe this is supposed to work, so Im opening an Issue first.

[jkroepke]

Hi, a complete realm json that include the steps to reproduce the issue would help here a lot.

I am not sure what happens here since the request body is not printed out sadly

By define --logging.level.http=debug, all HTTP requests are dumped.

[HendrikJanssen]

This is with a clean docker image of keycloak, configured to use a postgres db (also docker image). First run of keycloak-config-cli, after waiting for keycloak to start.

Minimal realm json:

{
  "id": "test",
  "realm": "test",
  "enabled": true,
  "users": [
    {
      "username": "testuser",
      "enabled": true,
      "totp": false,
      "emailVerified": true,
      "credentials": [
        {
          "type": "password",
          "value": "test"
        }
      ]
    }
  ],
  "clients": [
    {
      "clientId": "test-client",
      "name": "test-client",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "authorizationServicesEnabled": true,
      "serviceAccountsEnabled": true,
      "redirectUris": [
        "*"
      ],
      "webOrigins": [
        "*"
      ],
      "authorizationSettings": {
        "allowRemoteResourceManagement": true,
        "decisionStrategy": "AFFIRMATIVE",
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "testresource",
            "displayName": "testresource",
            "type": "urn:test-client:resources:test",
            "ownerManagedAccess": false,
            "owner": {
              "name": "testuser"
            },
            "uri": "/*"
          }
        ],
        "policies": []
      }
    }
  ]
}

Outgoing request is:

{"name":"testresource","type":"urn:test-client:resources:test","owner":{"id":null,"name":"testuser"},"ownerManagedAccess":false,"displayName":"testresource","attributes":null,"_id":null,"uris":["/*"],"icon_uri":null}

Response:

{"error":"invalid_request","error_description":"You must specify the resource owner."}

The user is definitly created before that so it does not seem to be related to an ordering issue.

Interestingly, when i create the resource without an owner via keycloak-config-cli, and then set the owner with the id:

{"name":"testresource","type":"urn:test-client:resources:test","owner":{"id":"a8bdb0f6-9080-4830-b844-fcaf6a0d9464","name":null},"ownerManagedAccess":false,"displayName":"testresource","attributes":null,"_id":null,"uris":["/*"],"icon_uri":null}

I get an 500 from Keycloak with Exception in the logs Owner must be a valid username or user identifier. If the resource server, the client id or null (Not sure whats up with the message?)

Seems unrelated to keycloak-config-cli though.

[jkroepke]

The user is definitly created before that so it does not seem to be related to an ordering issue.

Keycloak is expecting an id here.

https://github.com/keycloak/keycloak/blob/bfce612641a70e106b20b136431f0e4046b5c37f/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java#L120-L124

But keycloak allows to define the username as id here, too:

https://github.com/keycloak/keycloak/blob/bfce612641a70e106b20b136431f0e4046b5c37f/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java#L2645-L2653

Interestingly, when i create the resource without an owner, and then set the owner with the id:

Keycloak set an owner, if none is defined.

https://github.com/keycloak/keycloak/blob/bfce612641a70e106b20b136431f0e4046b5c37f/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java#L114-L118

I get an 500 from Keycloak with Exception in the logs Owner must be a valid username or user identifier. If the resource server, the client id or null (Not sure whats up with the message?)

Feels strange. The error occurs only if there is no matching user.

https://github.com/keycloak/keycloak/blob/bfce612641a70e106b20b136431f0e4046b5c37f/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java#L2645-L2649

Changing the owner.name to owner.id works here

{
  "id": "test",
  "realm": "test",
  "enabled": true,
  "users": [
    {
      "username": "testuser",
      "enabled": true,
      "totp": false,
      "emailVerified": true,
      "credentials": [
        {
          "type": "password",
          "value": "test"
        }
      ]
    }
  ],
  "clients": [
    {
      "clientId": "test-client",
      "name": "test-client",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "authorizationServicesEnabled": true,
      "serviceAccountsEnabled": true,
      "redirectUris": [
        "*"
      ],
      "webOrigins": [
        "*"
      ],
      "authorizationSettings": {
        "allowRemoteResourceManagement": true,
        "decisionStrategy": "AFFIRMATIVE",
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "testresource",
            "displayName": "testresource",
            "type": "urn:test-client:resources:test",
            "ownerManagedAccess": false,
            "owner": {
              "id": "testuser"
            },
            "uri": "/*"
          }
        ],
        "policies": []
      }
    }
  ]
}

But keycloak-config-cli will always update this resource since keycloak would always report the id of the user instead of the username. This may only happens, if the import json has been changed.

[jkroepke]

It looks like Keycloak excepts the username of an owner inside the id field instead of the name field. But if the resource is GET through the API, then the username is inside the owner.name field instead owner.id field.

Looks like an inconstancy here. I added a patch which set the username as id before sending the REST call to keycloak. #590

[jkroepke]

@HendrikJanssen in case the error still exists, just reach me out here.

The PR title is a little bit misleading here.

For Keycloak, only the id of the owner property matters. If id is null and name is set, keycloak config cli will copy the value from name to id.

[HendrikJanssen]

Thank you very much, that was pretty fast! A quick question though: Which image should I use to test the PR changes? Is edge the right one? latest-15.0.2 seems to have been pushed 11 days ago, which would not include the PR changes if I understand correctly

[HendrikJanssen]

Nevermind, it's documented clearly in the readme, I'm sorry 😄