
having trouble with has_uma_access #607

Closed
sebovzeoueb opened this issue Oct 14, 2024 · 3 comments · Fixed by #627
@sebovzeoueb

I may be missing a trick here, but I'm unable to get the has_uma_access method of the OpenID client to work for me.

I've successfully created an OpenID client, and the uma_permissions method is working as expected; however, has_uma_access is not.

Here's what I'm getting:

My code:

    print(keycloak_client.uma_permissions(token["access_token"]))
    print(keycloak_client.uma_permissions(token["access_token"], "41d7f2f6-58b0-4010-b1eb-a19406e619d9#read"))
    print(keycloak_client.has_uma_access(token["access_token"], "41d7f2f6-58b0-4010-b1eb-a19406e619d9#read"))

My console:

[{'scopes': ['read', 'create', 'update', 'delete'], 'rsid': 'ee9c0267-85cf-4471-9107-6897ebc98521', 'rsname': 'test'}, {'scopes': ['read', 'create', 'update', 'delete'], 'rsid': '41d7f2f6-58b0-4010-b1eb-a19406e619d9', 'rsname': 'all'}]
[{'scopes': ['read'], 'rsid': '41d7f2f6-58b0-4010-b1eb-a19406e619d9', 'rsname': 'all'}]
AuthStatus(is_authorized=False, is_logged_in=True, missing_permissions={'41d7f2f6-58b0-4010-b1eb-a19406e619d9#read'})

From the scant examples I've been able to find online of how to use this, I've followed the suggested way to call those methods. I clearly have the correct permissions because the first two calls are showing them, however has_uma_access is telling me the permissions are missing. From the Keycloak documentation it looks like I'm maybe supposed to get a new token containing the authorization info, but I don't see the steps to do that in the Python client, and I would assume has_uma_access would act as a helper to do that for me.

Am I doing something wrong or is there a bug here?

@ryshoooo
Collaborator

Hi @sebovzeoueb

Unfortunately I'm not super familiar with this part of the flow. From what I can see of what the code is doing, the permission name is constructed as {rs_name}#{scope}, i.e. in your case the permissions parameter should be all#read?

Can you check what happens here?

    print(keycloak_client.uma_permissions(token["access_token"]))
    print(keycloak_client.uma_permissions(token["access_token"], "all#read"))
    print(keycloak_client.has_uma_access(token["access_token"], "all#read"))

And whether this works or fails?

@sebovzeoueb
Author

Huh, this is weird, I could have sworn I was getting some kind of error when using a resource name instead of an ID about it not being able to find the resource with that ID, but it now seems to be working as you suggest.

I still find it odd however that the other method will work with an ID and not this one. You'd think the same permissions string would give the same result.

@sebovzeoueb
Author

Also I would actually like to be able to use the ID because resources can have the same resource name (I'm using this property to allow different users to create a private resource with the same name), but the ID is always unique. I've wrapped the API that I believe this one is supposed to match, and it does work with ID when calling it directly:

```python
import requests

# keycloak_openid_config is assumed to be loaded elsewhere from the realm's
# OpenID discovery document; only its "token_endpoint" entry is used here.


def authorize(token, resource, scope: str | None = None):
    try:
        # Permission string in Keycloak's "<resource>#<scope>" form; resource
        # may be a resource ID here, which the token endpoint accepts.
        permission = resource
        if scope:
            permission += f"#{scope}"
        # UMA ticket grant in "decision" mode: Keycloak answers with
        # {"result": true/false} instead of issuing an RPT.
        authorized = requests.post(
            keycloak_openid_config["token_endpoint"],
            {
                "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
                "audience": "concierge-auth",
                "permission": permission,
                "response_mode": "decision",
            },
            headers={"Authorization": f"Bearer {token}"},
        ).json()
        return authorized["result"]
    except Exception:
        # Any transport, JSON or missing-key error is treated as denied.
        return False
```
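To make the mismatch discussed in this thread concrete, here is an added example (not code from python-keycloak or from either participant) that performs the same kind of offline check has_uma_access reports, using the uma_permissions output pasted above as constructed sample input. The AuthStatus class, the field names rsid/rsname/scopes, and the match_by parameter are assumptions for illustration; the point it shows is that a matcher keyed on rsname only can never satisfy an ID-based permission string, while matching on rsid is the only unambiguous choice when several resources share a name.

```python
from dataclasses import dataclass, field

# Constructed sample: the list printed by uma_permissions() in the report above.
SAMPLE_PERMISSIONS = [
    {"scopes": ["read", "create", "update", "delete"],
     "rsid": "ee9c0267-85cf-4471-9107-6897ebc98521", "rsname": "test"},
    {"scopes": ["read", "create", "update", "delete"],
     "rsid": "41d7f2f6-58b0-4010-b1eb-a19406e619d9", "rsname": "all"},
]


@dataclass
class AuthStatus:
    """Shape of the result printed in the report (assumed, for illustration)."""
    is_authorized: bool
    is_logged_in: bool
    missing_permissions: set = field(default_factory=set)


def granted_permission_names(permissions, match_by=("rsname",)):
    """Expand a uma_permissions() result into '<resource>#<scope>' strings.

    match_by lists the resource fields used as the '<resource>' part. With
    ("rsname",) only, an ID-based permission string never matches, which is
    the behaviour reported above; ("rsid", "rsname") accepts either form.
    """
    names = set()
    for perm in permissions:
        for key in match_by:
            resource = perm.get(key)
            if not resource:
                continue
            # A bare resource (no '#') is recorded too, so a request for
            # "any scope on this resource" can be satisfied.
            names.add(resource)
            for scope in perm.get("scopes", []):
                names.add(f"{resource}#{scope}")
    return names


def check_access(permissions, required, match_by=("rsname",), logged_in=True):
    """Return an AuthStatus for one or more '<resource>#<scope>' strings."""
    required = {required} if isinstance(required, str) else set(required)
    granted = granted_permission_names(permissions, match_by)
    missing = required - granted
    return AuthStatus(is_authorized=not missing,
                      is_logged_in=logged_in,
                      missing_permissions=missing)


if __name__ == "__main__":
    rid = "41d7f2f6-58b0-4010-b1eb-a19406e619d9"
    print(check_access(SAMPLE_PERMISSIONS, "all#read"))
    print(check_access(SAMPLE_PERMISSIONS, f"{rid}#read"))
    print(check_access(SAMPLE_PERMISSIONS, f"{rid}#read", match_by=("rsid", "rsname")))
```

Run as a script it prints three AuthStatus values: the name-based check passes, the ID-based check fails with the ID listed under missing_permissions (exactly the output in the report), and the same ID passes once rsid is included in match_by. For an authorization decision, matching by rsid is the safer default: two resources named "all" owned by different users are distinct IDs, so a name-based match could report access to the wrong one.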

@ryshoooo ryshoooo self-assigned this Dec 14, 2024