iudx-aaa-server's People

Contributors

abhi4578, ananjaykumar2, ankitmashu, code-akki, dependabot[bot], divyasreemunagavalasa, gopal-mahajan, hackcoderr, kailash, karun-singh, mahimatics, mdadil-dk, mohammedaman23, pranavv0, sushanthakumar, swaminathanvasanth, tharak-ram1, thorodanbrom

iudx-aaa-server's Issues

Introspect API does not honour token revocation

The introspect API does not know about revoked tokens. If a revoked token is introspected, it would return the decoded token successfully. If this is to be changed:

  • revoke token API needs to update a column/table in the DB
    • need to store for each server? This complicates things
  • introspect API needs to check the table after decode
    • again, if stored for each server, will need to check aud field + userId
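
The check sketched in the two bullets above, as an added example that is not the project's code: a revocation table keyed by (userId, aud) so that one resource server's tokens can be revoked without touching another's, plus a wildcard audience for "revoke everything for this user", consulted by introspection only after the signature and expiry checks pass. The token format (HS256 with a constructed key), the claim names sub/aud/iat/exp and the dict-backed store are assumptions for the demonstration; the real server's keys, schema and column names are not on this page.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key; a real introspection endpoint verifies with the issuer's public key.
SECRET = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Mint a compact HS256 token carrying sub/aud/iat/exp (demo only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def decode_token(token: str, now: int) -> dict:
    """Verify signature and expiry; any failure surfaces as ValueError."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now:
            raise ValueError("expired")
        return claims
    except (ValueError, KeyError) as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError(f"invalid token: {exc}") from exc


@dataclass
class RevocationStore:
    """Stand-in for the DB table the revoke API would write and introspect would read.

    Key is (userId, aud); aud "*" means every audience. Value is the epoch second of
    the revocation, so a freshly issued token (iat after the revocation) stays valid
    without needing a row per token. Rows older than the longest token lifetime can
    be purged because every token they could affect has expired anyway.
    """
    revoked_at: dict = field(default_factory=dict)

    def revoke(self, user_id: str, now: int, aud: str = "*") -> None:
        self.revoked_at[(user_id, aud)] = now

    def is_revoked(self, claims: dict) -> bool:
        cutoff = max(
            self.revoked_at.get((claims["sub"], "*"), -1),
            self.revoked_at.get((claims["sub"], claims["aud"]), -1),
        )
        # Second granularity: a token minted in the same second as the revocation
        # is treated as revoked, which errs on the safe side.
        return claims["iat"] <= cutoff


def introspect(token: str, store: RevocationStore, now: int) -> dict:
    """RFC 7662-style response: cryptographic checks first, then the revocation lookup."""
    try:
        claims = decode_token(token, now)
    except ValueError:
        return {"active": False}
    if store.is_revoked(claims):
        return {"active": False}
    return {"active": True, **claims}
```

Revoking for one audience leaves the same user's tokens for other servers active, and a token issued after the revocation is active again; the response for a revoked token is the same `{"active": false}` as for an expired or forged one, so a caller cannot distinguish the cases.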

How to set access policy for IUDX Consumer

Hi Team,

Thanks for your continuous support.

Below I am sharing my understanding of how an IUDX provider can set an access policy for a consumer:

  1. There could be two types (Secure/Open) of Resource Group uploaded on the IUDX Catalogue Server.
  2. To access an Open Resource Group's data, an access policy does not need to be set by the IUDX Provider for the Consumer.
  3. But to access a Secured Resource Group's data, an access policy must be set by the IUDX Provider for the Consumer.
  4. A provider can set an access policy for a consumer either by calling the Create Policy API or by using the UI as explained HERE.

Below are my further queries:

  1. First of all, please let me know if my understanding mentioned above is incorrect at any point.
  2. How can an IUDX Consumer request access to the data of a Secured Resource Group? I mean, how will the IUDX Provider know about a Consumer who is interested in accessing Secured Resource Group data?

Thanks & Regards
Deepak Kumar

Fix OIDC Authn error handling + logs

The OIDC auth'n handler is failing correctly for certain scenarios, but there are some unhandled exceptions being thrown due to the promise/future compose code,
e.g. when an expired token is sent:

(screenshot attached: Screenshot_2022-09-15_11-46-24)

Need Configuration Steps to set up IUDX admin

Hi Team,

I have finished setting up the IUDX (3.5.0) AUTH, Catalogue and Resource Servers on my local machine.

Now I need to create an Organization and create/update a provider by using the Auth server's admin APIs.
To call these APIs I need the IUDX Admin's access token from Keycloak.

So what are all the steps I have to follow on Keycloak or the auth server to configure the IUDX Admin user?
Can you please help me with the same.

Thanks
Deepak Kumar

Admin update provider status does not handle duplicate userIds alone

This request should not be allowed:

{
    "request": [
        {
            "userId": "7803fa79-a934-4c58-b627-d9372f1df5a7",
            "status": "rejected"
        },
        {
            "userId": "7803fa79-a934-4c58-b627-d9372f1df5a7",
            "status": "approved"
        }
    ]
}

But it is being allowed. Use the same methods that policy.createPolicy is using to handle this.
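
A request-body validator that rejects the payload above, added here as an example and not taken from the project (the project is Java; this is Python, and the status vocabulary {approved, rejected} is an assumption). Each userId may appear once per request; two entries for the same user are refused even when they carry the same status, because the intended result is ambiguous and the DB update would otherwise depend on array order.

```python
from collections import Counter

# Assumed status vocabulary for this example; the project's enum is not on this page.
VALID_STATUSES = {"approved", "rejected"}


def validate_status_update(body: dict) -> list[str]:
    """Return validation errors for an admin 'update provider status' body.

    An empty list means the request may proceed to the DB layer.
    """
    errors: list[str] = []
    items = body.get("request")
    if not isinstance(items, list) or not items:
        return ["request must be a non-empty array"]

    for i, item in enumerate(items):
        if not isinstance(item, dict) or "userId" not in item or "status" not in item:
            errors.append(f"item {i}: userId and status are required")
            continue
        if item["status"] not in VALID_STATUSES:
            errors.append(f"item {i}: invalid status {item['status']!r}")

    # Duplicate check runs over the whole array, not item by item, so the
    # first occurrence cannot be accepted before the second one is seen.
    counts = Counter(item.get("userId") for item in items if isinstance(item, dict))
    for user_id, n in counts.items():
        if user_id is not None and n > 1:
            errors.append(f"userId {user_id} appears {n} times; each userId may appear once")
    return errors
```

Run the check before any row is touched and return a 400 with the full error list; validating per item and stopping at the first failure is what lets a conflicting pair through.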

Keycloak Setting Issue

Hi Team

I have set up a Keycloak (14.0.1) instance on my local machine, running on http://{ip}:8080, by following https://github.com/datakaveri/iudx-deployment/tree/master/Docker-Swarm-deployment/single-node/keycloak.

Further, after the Keycloak setup I have provided the required info in the config.json file for the auth server as below, by following https://github.com/datakaveri/iudx-aaa-server/blob/main/configs/config-example.json:
    "keycloakOptions": {
        "keycloakHost": "{ip}",
        "keycloakPort": 8080,
        "keycloakRealm": "{realm-created}",
        "keycloakSite": "http://{ip}:8080/auth/realms/{realmname}",
        "keycloakUrl": "http://{ip}:8080/auth",
        "keycloakTokenUri": "/auth/realms/{realmname}/protocol/openid-connect/token",
        "keycloakAdminClientId": "adminclient",
        "keycloakAdminClientSecret": "{secret}",
        "keycloakAdminPoolSize": "10",
        "keycloakAaaClientId": "normalclient",
        "keycloakAaaClientSecret": "{secret}",
        "keycloakJwtLeeway": 90
    }

But I am getting the error below while starting my Auth server:
Not Found: {"error":"RESTEASY003210: Could not find resource for full path: http://{ip}:8080/auth/realms/{realmname}/.well-known/openid-configuration"}"

Can you please help me here with the same.

Thanks
Deepak Kumar
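
The keycloakOptions block repeats the same facts (host, port, realm, base URL) in several fields, and the 404 on .well-known/openid-configuration is what you get when those fields disagree with each other or with the running Keycloak. The cross-check below is an added example, not part of the project: it derives the expected keycloakSite and keycloakTokenUri from keycloakUrl + keycloakRealm and reports each field that deviates, and prints the discovery URL the server will request so it can be curl'd by hand. The sample values (realm "iudx", host 10.0.0.5) are constructed. One caveat worth keeping in mind when reading the results: Keycloak's Quarkus distribution (17 and later) serves realms under /realms/... with no /auth prefix by default, so a config written for the 14.x layout quoted above fails against a newer server in exactly this way.

```python
from urllib.parse import urlparse

# Constructed config in the shape of the keycloakOptions block above (placeholder values).
CONSISTENT = {
    "keycloakHost": "10.0.0.5",
    "keycloakPort": 8080,
    "keycloakRealm": "iudx",
    "keycloakSite": "http://10.0.0.5:8080/auth/realms/iudx",
    "keycloakUrl": "http://10.0.0.5:8080/auth",
    "keycloakTokenUri": "/auth/realms/iudx/protocol/openid-connect/token",
}


def keycloak_config_problems(opts: dict) -> list[tuple[str, str]]:
    """Cross-check the redundant fields of keycloakOptions against each other.

    keycloakUrl + keycloakRealm is taken as the source of truth; every other
    field is compared with what those two imply. Returns (field, explanation)
    pairs; an empty list means the block is internally consistent.
    """
    problems: list[tuple[str, str]] = []
    base = urlparse(opts["keycloakUrl"].rstrip("/"))
    realm = opts["keycloakRealm"]

    if base.hostname != opts["keycloakHost"]:
        problems.append(("keycloakHost",
                         f"{opts['keycloakHost']!r} but keycloakUrl points at {base.hostname!r}"))
    implied_port = base.port or (443 if base.scheme == "https" else 80)
    if implied_port != int(opts["keycloakPort"]):
        problems.append(("keycloakPort",
                         f"{opts['keycloakPort']!r} but keycloakUrl uses port {implied_port}"))

    expected_site = f"{base.scheme}://{base.netloc}{base.path}/realms/{realm}"
    if opts["keycloakSite"].rstrip("/") != expected_site:
        problems.append(("keycloakSite",
                         f"expected {expected_site!r} (keycloakUrl + /realms/ + keycloakRealm)"))

    expected_token = f"{base.path}/realms/{realm}/protocol/openid-connect/token"
    if opts["keycloakTokenUri"] != expected_token:
        problems.append(("keycloakTokenUri", f"expected {expected_token!r}"))
    return problems


def discovery_url(opts: dict) -> str:
    """The document the auth server fetches at startup; the path in the 404 quoted above."""
    return opts["keycloakSite"].rstrip("/") + "/.well-known/openid-configuration"


if __name__ == "__main__":
    for field_name, why in keycloak_config_problems(CONSISTENT):
        print(f"{field_name}: {why}")
    print("discovery URL:", discovery_url(CONSISTENT))
```

If the list is empty and the discovery URL still 404s, the mismatch is between the config and the server rather than inside the config: either the realm does not exist under that name, or the server is a 17+ build without the /auth context path, in which case drop "/auth" from keycloakUrl, keycloakSite and keycloakTokenUri together.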

Getting a 409 when approving a notification request leads to the request being approved

Found by @aakashsr

  • When a notification request is approved and there exists a policy for the user+resource, a 409 Conflict is generated
  • However, the notification request is being set to approved state
  • Unsure if a policy is being created
  • No entry is made to the approved_access_requests table

Ideally,

  • A consumer must be prevented from creating a new notification request if there exists a valid policy for the requested resource - this does not seem to be happening now
    • or is this desired behaviour?
  • When the 409 condition is met, the request must either:
    • remain in pending
    • become rejected

If the consumer fix is done, then most likely the 409 condition may never be met
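
Both halves of the fix proposed above, as an added example that is not the project's code: the consumer-side guard refuses a new notification request while a policy (or a pending request) already covers the user and resource, and the approval path decides the conflict outcome explicitly instead of flipping the request to approved. The in-memory store standing in for the policy, request and approved_access_requests tables, the resource identifier and the pending/approved/rejected vocabulary are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequestStore:
    """Constructed stand-in for the policy, notification-request and
    approved_access_requests tables; statuses are pending/approved/rejected."""
    policies: set = field(default_factory=set)        # {(userId, resource)}
    requests: dict = field(default_factory=dict)      # requestId -> row dict
    approved_access_requests: list = field(default_factory=list)

    def create_request(self, req_id: str, user_id: str, resource: str) -> tuple[int, str]:
        """Consumer side: no new request while access is already granted or pending."""
        key = (user_id, resource)
        if key in self.policies:
            return 409, "a policy already exists for this user and resource"
        if any(r["userId"] == user_id and r["resource"] == resource and r["status"] == "pending"
               for r in self.requests.values()):
            return 409, "a pending request already exists for this user and resource"
        self.requests[req_id] = {"userId": user_id, "resource": resource, "status": "pending"}
        return 201, "created"

    def approve(self, req_id: str, on_conflict: str = "pending") -> tuple[int, str]:
        """Provider side. on_conflict picks the outcome when a policy already exists:
        leave the request pending (default) or mark it rejected. It is never approved."""
        req = self.requests.get(req_id)
        if req is None:
            return 404, "no such request"
        if req["status"] != "pending":
            return 400, f"request is {req['status']}, not pending"
        key = (req["userId"], req["resource"])
        if key in self.policies:
            # The bug in the issue: the status flipped to approved on this path even
            # though no policy was created and no approved_access_requests row written.
            if on_conflict == "rejected":
                req["status"] = "rejected"
            return 409, f"policy already exists; request left {req['status']}"
        # Happy path. These three writes belong in one DB transaction so that a
        # failure in any of them leaves the request pending rather than half-approved.
        self.policies.add(key)
        self.approved_access_requests.append(req_id)
        req["status"] = "approved"
        return 200, "approved"
```

With the consumer-side guard in place the 409 branch in approve is reached only by requests that were created before the policy existed (a race, or rows predating the guard), which is why the issue expects it to become rare but still wants it handled.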

Need more description for Keycloak Setup

Hi Team,

I am trying to set up the IUDX Auth server on my local machine by following the readme doc from tag v3.5.0.

After installing Keycloak, while following step 1 from the section Keycloak Setup to configure the normal client, I am unable to understand what I actually need to perform there.

Can I have a more descriptive doc to set up Keycloak?

Thanks

POM update for new Keycloak version (18.0.2)

  • Did not make a new branch because it will cause CI pipeline to fail
  • Diff of the change - integration tests passed
diff --git a/pom.xml b/pom.xml
index a862595..67fa5cf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,7 +26,7 @@
 		<maven-checkstyle-plugin-google.version>3.1.2</maven-checkstyle-plugin-google.version>
 		<maven-surefire-report-plugin.version>3.0.0-M5</maven-surefire-report-plugin.version>
 		<openjdk.version>11</openjdk.version>
-		<keycloak.version>15.0.2</keycloak.version>
+		<keycloak.version>18.0.2</keycloak.version>
 		<resteasy.version>3.13.2.Final</resteasy.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<exec.mainClass>iudx.aaa.server.deploy.Deployer</exec.mainClass>
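Review bot: the bump of keycloak.version from 15.0.2 to 18.0.2 leaves resteasy.version at 3.13.2.Final and openjdk.version at 11 untouched and does not say which Keycloak server the "integration tests passed" run used, which matters here because Keycloak's 17+ distribution serves realms without the /auth context path that the keycloakSite, keycloakUrl and keycloakTokenUri values quoted earlier on this page rely on; a client library and a deployed server on different sides of that change fail with the same "Could not find resource for full path .../auth/realms/..." 404 reported above. Suggest stating the server version the tests ran against next to the property, e.g. a comment above `<keycloak.version>18.0.2</keycloak.version>`, confirming the resteasy pin is still the one keycloak-admin-client 18 expects, and opening the change as a PR even if CI fails so the diff is reviewable rather than living only in this issue.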

Deleting policies set by 'Trustee'

Only users with the roles Admin, provider, or delegate are allowed to delete policies.
The 'Trustee' role is not allowed to delete policies they may set for providers.
