Unable to perform Level 2: Basic Authorization
Created by: thomaskoeck
Hi,
I need some help please: I want to perform Level 2 basic authorization. So I created a new role in my application on keyrock (idm) and created two new permissions: one that has the HTTP verb GET and /test1 as resource, and one that has POST as HTTP verb and /test2 as resource, but I did not yet assign these permissions to my newly created role. I created these two resources just for testing purposes. All they do is send back a text message that tells me if I could access these resources. I assigned my newly created role to one of my registered users.
Using Chrome's Advanced REST Client I sent a GET and a POST request for these resources to the pep-proxy. For both requests I got a response of 401 Unauthorized, which is fine since I did not include an X-Auth-Token in these requests yet. Then I performed the authentication with the oauth2 example-client and got back my token. I copied the token into the header field and sent the same requests to the pep-proxy again. In both cases I got back a 200 OK message and the dedicated success messages that I created. But actually this should not be the case. Instead I should get back a 401 Unauthorized message, since the role of the user I am logged in as does not have the permissions to access these resources.
Why can I still access these resources? It seems to me the only thing that is checked is if the token is valid or not. As soon as the token is valid, the user can access whatever he wants. Did I do something wrong?
I run everything as docker containers. Here is some log output for the GET request:
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Token in cache, checking timestamp...
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Token in cache expired
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Checking token with IDM...
keyrock | 2016-11-25 12:44:05.331 34 INFO eventlet.wsgi.server [-] 172.18.0.7 - - [25/Nov/2016 12:44:05] "GET /v3/access-tokens/nalLDoB334Z3BItu0ytcoUJOmOC3m2 HTTP/1.1" 200 394 0.026148
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking auth with AZF...
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking authorization to roles [ '5fedd57e74c94a9b993db26b145c1035' ] to do GET on test1 and app eb5fc491be0d4edd946cc6ce20a096b3
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking auth with AZF...
pep | 2016-11-25 12:44:05.345 - INFO: Root - Access-token OK. Redirecting to app...
I hope someone can help me with this.
Best regards, Thomas
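The difference between the behaviour Thomas observed (Level 1: any valid token passes) and the Level 2 decision he expected (a role must hold a permission for this verb and resource in this app) can be modelled over the AZF-Client log line from the post. This is an added illustration, not code from the post, the PEP proxy or AuthZForce; the permission table is constructed and mirrors the post's setup, where the permissions exist but are not yet assigned to the role.

```python
import re

# The AZF-Client line as logged by the PEP proxy (copied from the post above).
AZF_LOG_LINE = (
    "pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking authorization to roles "
    "[ '5fedd57e74c94a9b993db26b145c1035' ] to do GET on test1 and app "
    "eb5fc491be0d4edd946cc6ce20a096b3"
)

AZF_RE = re.compile(
    r"Checking authorization to roles \[(?P<roles>[^\]]*)\] "
    r"to do (?P<verb>\S+) on (?P<resource>\S+) and app (?P<app>\S+)"
)

def parse_azf_check(line):
    """Extract what the proxy asked AZF: role ids, HTTP verb, resource and app id."""
    m = AZF_RE.search(line)
    if not m:
        return None
    roles = re.findall(r"'([0-9a-f]+)'", m.group("roles"))
    return {"roles": roles, "verb": m.group("verb"),
            "resource": m.group("resource").lstrip("/"), "app": m.group("app")}

# Constructed permission table: app id -> role id -> set of (verb, resource).
# As in the post, the role exists but has no permissions assigned yet.
PERMISSIONS = {
    "eb5fc491be0d4edd946cc6ce20a096b3": {
        "5fedd57e74c94a9b993db26b145c1035": set(),
    }
}

def level1_decision(token_valid):
    """Level 1 (authentication only): a valid token is enough to reach the backend."""
    return "Permit" if token_valid else "Deny"

def level2_decision(token_valid, check, permissions=PERMISSIONS):
    """Level 2: the token must be valid AND one of the user's roles must hold a
    permission matching this verb and resource within the app. Default is Deny."""
    if not token_valid or check is None:
        return "Deny"
    app_perms = permissions.get(check["app"], {})
    for role in check["roles"]:
        if (check["verb"], check["resource"]) in app_perms.get(role, set()):
            return "Permit"
    return "Deny"

if __name__ == "__main__":
    check = parse_azf_check(AZF_LOG_LINE)
    print("Level 1:", level1_decision(True))          # Permit (what the post observed)
    print("Level 2:", level2_decision(True, check))   # Deny (what the post expected)
```

Assigning the ("GET", "test1") permission to the role in the table flips the Level 2 decision to Permit, which is the only path by which a valid token should reach /test1.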