Issue with "403 Forbidden" Access /admin/realms/{realm}/authentication/executions/{executionId} #36121

@chemicalbrother

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/api

Describe the bug

We are facing an issue with access to the requested resource in Keycloak when using a read-only user account to run terraform plan during a merge request process in our GitLab CI/CD pipeline.

Environment:

  • Keycloak is managed via a Terraform module (creates users, groups, roles, clients, IdPs, authentication flows).
  • The code is stored in a GitLab project where only project owners can approve and merge changes, but anyone in the company can contribute.
  • Two user accounts are created in the master realm in Keycloak:
    • Read-only account with the following roles (used only for MRs):
      • query-clients, query-groups, query-realms, query-users, view-authorization, view-clients, view-events, view-identity-providers, view-realm, view-users
    • Write-access account with the appropriate roles for modification (used when merging into master)

Possible Causes:

  • It appears that the read-only account does not have the necessary permissions to access certain administrative resources in Keycloak, particularly related to authentication executions. The roles that have been assigned do not seem to grant sufficient permissions for these specific resources.

Solution/Request:

  • We would like to request clarification or a solution on how to properly configure the read-only user account to allow access to the required resources for Terraform plan execution without encountering 403 Forbidden.
  • Is there a way to provide these permissions to the read-only user (possibly via a custom role or additional policy) without giving excessive write access or admin privileges?

We would appreciate guidance on the correct role setup for read-only access to authentication-related configurations and any adjustments needed for the terraform plan process to work smoothly for users with read-only access.

Version

26.0.7

Regression

  • The issue is a regression

Expected behavior

The read-only account with the roles query-realms and view-realm should be able to execute a terraform plan without encountering access issues, as it only requires read access to configurations, not modification.

Actual behavior

The read-only account encounters a 403 Forbidden error when trying to access authentication executions via the API:
GET request to /admin/realms/{realm}/authentication/executions/{executionId}: 403 Forbidden

How to Reproduce?

  1. Get the Bearer token for read-only account:
curl --location 'http://keycloak.example.com/auth/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={user-read-only}' \
--data-urlencode 'password={password}'
  2. Then we list the executions in an authentication flow (for example, first broker login; the space in the alias is percent-encoded so curl does not reject the URL):
curl --location 'http://keycloak.example.com/auth/admin/realms/master/authentication/flows/first%20broker%20login/executions' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {access_token}'

This returns something like this:

{
    "id": "3aa666c5-7ac6-4cbd-8f5e-471d06d4c136",
    "requirement": "REQUIRED",
    "displayName": "Review Profile",
    "alias": "review profile config",
    "requirementChoices": [
        "REQUIRED",
        "ALTERNATIVE",
        "DISABLED"
    ],
    "configurable": true,
    "providerId": "idp-review-profile",
    "authenticationConfig": "e94acafa-d509-4eff-a04d-3d3b1ebf0a3f",
    "level": 0,
    "index": 0,
    "priority": 10
}
  3. Then, after we get the execution id, we can try to execute
curl --location 'http://keycloak.example.com/auth/admin/realms/master/authentication/executions/3aa666c5-7ac6-4cbd-8f5e-471d06d4c136' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {access_token}'

And returned:

"error": "HTTP 403 Forbidden"

If I add the role manage-realm to the user and repeat step 3, the result is as follows:

{
    "authenticatorConfig": "e94acafa-d509-4eff-a04d-3d3b1ebf0a3f",
    "authenticator": "idp-review-profile",
    "authenticatorFlow": false,
    "requirement": "REQUIRED",
    "priority": 10,
    "autheticatorFlow": false,
    "id": "3aa666c5-7ac6-4cbd-8f5e-471d06d4c136",
    "parentFlow": "834efbde-79b7-4fc4-8753-624b999036af"
}

Anything else?

No response
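The three reproduction steps above amount to a small least-privilege audit: obtain a token for the read-only account, list a flow's executions, then GET each execution individually and see which reads come back 403. The script below automates exactly that walk so the role set of a plan-only account can be checked in CI before it is handed to a pipeline. It is an added example, not code from the issue or from the Keycloak project; it assumes the base URL (including any `/auth` context path), realm and credentials come from the environment variables named in the code, uses only Python's standard library, and takes the flow alias `first broker login` from the reproduction above. The pure helpers (path construction, status classification, summary) contain no network access so they can be exercised on the page's own sample listing.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed settings (not from the issue). The base URL carries any context path
# such as /auth; credentials are read from the environment so they never end up
# in CI logs or in the script itself.
BASE_URL = os.environ.get("KEYCLOAK_URL", "http://keycloak.example.com/auth")
REALM = os.environ.get("KEYCLOAK_REALM", "master")
FLOW_ALIASES = ["first broker login"]  # flow alias used in the issue's reproduction


def get_token(base_url, username, password, client_id="admin-cli"):
    """Password grant against the master realm, as in step 1 of the report."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    url = f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return json.load(resp)["access_token"]


def admin_get(base_url, token, path):
    """GET an admin endpoint and return (status, body); 4xx/5xx are returned, not raised."""
    url = f"{base_url.rstrip('/')}/admin/{path}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def flow_executions_path(realm, flow_alias):
    """Listing endpoint from step 2; the alias is percent-encoded because it may contain spaces."""
    return f"realms/{realm}/authentication/flows/{urllib.parse.quote(flow_alias, safe='')}/executions"


def execution_paths(realm, executions):
    """Per-execution endpoint from step 3, one path per id in the listing."""
    return [f"realms/{realm}/authentication/executions/{e['id']}" for e in executions if "id" in e]


def classify(status):
    """Map an HTTP status to the outcome an operator cares about."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "unauthenticated"
    if status == 403:
        return "forbidden"
    return f"unexpected({status})"


def summarize(results):
    """Group (path, status) pairs by outcome so the 403s are visible at a glance."""
    summary = {}
    for path, status in results:
        summary.setdefault(classify(status), []).append(path)
    return summary


def probe(base_url, token, realm, flow_aliases):
    """Walk listing -> per-execution GETs and record the status of every read."""
    results = []
    for alias in flow_aliases:
        listing = flow_executions_path(realm, alias)
        status, body = admin_get(base_url, token, listing)
        results.append((listing, status))
        if status != 200:
            continue  # cannot enumerate executions without the listing
        for path in execution_paths(realm, json.loads(body)):
            results.append((path, admin_get(base_url, token, path)[0]))
    return results


if __name__ == "__main__":
    token = get_token(BASE_URL, os.environ["KC_USER"], os.environ["KC_PASSWORD"])
    summary = summarize(probe(BASE_URL, token, REALM, FLOW_ALIASES))
    for outcome, paths in summary.items():
        print(f"{outcome}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
    # Non-zero exit when any read was forbidden, so a CI job fails before terraform plan does.
    sys.exit(1 if "forbidden" in summary else 0)
```

Run it with `KC_USER`/`KC_PASSWORD` set to the plan-only account; with the roles listed in the issue the listing call lands under `ok` and each per-execution GET under `forbidden`, which is the same split the three curl commands show. Extending `FLOW_ALIASES` to every flow the Terraform module manages turns this into a regression check for the role set after a Keycloak upgrade.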
