Skip to content

Check resource server when managing their resources #46405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ahus1 merged 1 commit into from
Mar 2, 2026
Merged

Check resource server when managing their resources #46405

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions ...ain/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -532,6 +532,9 @@ public Scope findById(ResourceServer resourceServer, String id) {
} else if (managedScopes.containsKey(id)) {
return managedScopes.get(id);
}
if (resourceServer != null && !resourceServer.getId().equals(cached.getResourceServerId())) {
return null;
}
ScopeAdapter adapter = new ScopeAdapter(cached, StoreFactoryCacheSession.this);
managedScopes.put(id, adapter);
return adapter;
Expand Down Expand Up @@ -625,6 +628,9 @@ public Resource findById(ResourceServer resourceServer, String id) {
} else if (managedResources.containsKey(id)) {
return managedResources.get(id);
}
if (resourceServer != null && ! resourceServer.getId().equals(cached.getResourceServerId())) {
return null;
}
ResourceAdapter adapter = new ResourceAdapter(cached, StoreFactoryCacheSession.this);
managedResources.put(id, adapter);
return adapter;
Expand Down Expand Up @@ -875,6 +881,9 @@ public Policy findById(ResourceServer resourceServer, String id) {
} else if (managedPolicies.containsKey(id)) {
return managedPolicies.get(id);
}
if (resourceServer != null && !cached.getResourceServerId().equals(resourceServer.getId())) {
return null;
}
PolicyAdapter adapter = new PolicyAdapter(cached, StoreFactoryCacheSession.this);
managedPolicies.put(id, adapter);
return adapter;
Expand Down Expand Up @@ -1124,6 +1133,9 @@ public PermissionTicket findById(ResourceServer resourceServer, String id) {
} else if (managedPermissionTickets.containsKey(id)) {
return managedPermissionTickets.get(id);
}
if (resourceServer != null && !cached.getResourceServerId().equals(resourceServer.getId())) {
return null;
}
PermissionTicketAdapter adapter = new PermissionTicketAdapter(cached, StoreFactoryCacheSession.this);
managedPermissionTickets.put(id, adapter);
return adapter;
Expand Down
5 changes: 4 additions & 1 deletion model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPermissionTicketStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,10 @@ public PermissionTicket findById(ResourceServer resourceServer, String id) {
}

PermissionTicketEntity entity = entityManager.find(PermissionTicketEntity.class, id);
if (entity == null) return null;

if (entity == null || !resourceServer.getId().equals(entity.getResourceServer().getId())) {
return null;
}

return new PermissionTicketAdapter(entity, entityManager, provider.getStoreFactory());
}
Expand Down
2 changes: 1 addition & 1 deletion model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ public Policy findById(ResourceServer resourceServer, String id) {

PolicyEntity policyEntity = entityManager.find(PolicyEntity.class, id);

if (policyEntity == null) {
if (policyEntity == null || (resourceServer != null && !policyEntity.getResourceServer().getId().equals(resourceServer.getId()))) {
return null;
}

Expand Down
6 changes: 5 additions & 1 deletion model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,11 @@ public Resource findById(ResourceServer resourceServer, String id) {
}

ResourceEntity entity = entityManager.find(ResourceEntity.class, id);
if (entity == null) return null;

if (entity == null || (resourceServer != null && !resourceServer.getId().equals(entity.getResourceServer()))) {
return null;
}

return new ResourceAdapter(entity, entityManager, provider.getStoreFactory());
}

Expand Down
5 changes: 4 additions & 1 deletion model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,10 @@ public Scope findById(ResourceServer resourceServer, String id) {
}

ScopeEntity entity = entityManager.find(ScopeEntity.class, id);
if (entity == null) return null;

if (entity == null || !entity.getResourceServer().getId().equals(resourceServer.getId())) {
return null;
}

return new ScopeAdapter(entity, entityManager, provider.getStoreFactory());
}
Expand Down
4 changes: 4 additions & 0 deletions services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
Expand Down Expand Up @@ -64,6 +65,9 @@ public class PolicyResourceService {
private final AdminEventBuilder adminEvent;

public PolicyResourceService(Policy policy, ResourceServer resourceServer, AuthorizationProvider authorization, AdminPermissionEvaluator auth, AdminEventBuilder adminEvent) {
if (policy == null || !policy.getResourceServer().equals(resourceServer)) {
throw new NotFoundException();
}
this.policy = policy;
this.resourceServer = resourceServer;
this.authorization = authorization;
Expand Down
39 changes: 16 additions & 23 deletions services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
Expand Down Expand Up @@ -164,21 +165,25 @@ public Response update(@PathParam("resource-id") String id, ResourceRepresentati
AdminPermissionsSchema.SCHEMA.throwExceptionIfAdminPermissionClient(session, resourceServer.getId());
requireManage();
resource.setId(id);
StoreFactory storeFactory = this.authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore();
Resource model = resourceStore.findById(resourceServer, resource.getId());

if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}

getResource(id);
toModel(resource, resourceServer, authorization);

audit(resource, OperationType.UPDATE);

return Response.noContent().build();
}

private Resource getResource(String id) {
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
Resource model = resourceStore.findById(resourceServer, id);

if (model == null || !model.getResourceServer().equals(resourceServer)) {
throw new NotFoundException();
}

return model;
}

@Path("{resource-id}")
@DELETE
@APIResponses(value = {
Expand All @@ -188,15 +193,10 @@ public Response update(@PathParam("resource-id") String id, ResourceRepresentati
public Response delete(@PathParam("resource-id") String id) {
AdminPermissionsSchema.SCHEMA.throwExceptionIfAdminPermissionClient(session, resourceServer.getId());
requireManage();
StoreFactory storeFactory = authorization.getStoreFactory();
Resource resource = storeFactory.getResourceStore().findById(resourceServer, id);

if (resource == null) {
return Response.status(Status.NOT_FOUND).build();
}

Resource resource = getResource(id);
//to be able to access all lazy loaded fields it's needed to create representation before it's deleted
ResourceRepresentation resourceRep = toRepresentation(resource, resourceServer, authorization);
StoreFactory storeFactory = authorization.getStoreFactory();

storeFactory.getResourceStore().delete(id);

Expand All @@ -222,14 +222,7 @@ public Response findById(@PathParam("resource-id") String id) {

public Response findById(String id, Function<Resource, ? extends ResourceRepresentation> toRepresentation) {
requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Resource model = storeFactory.getResourceStore().findById(resourceServer, id);

if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}

return Response.ok(toRepresentation.apply(model)).build();
return Response.ok(toRepresentation.apply(getResource(id))).build();
}

@Path("{resource-id}/scopes")
Expand Down
27 changes: 15 additions & 12 deletions ...c/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,13 +140,8 @@ public Response update(PermissionTicketRepresentation representation) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
}

PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
PermissionTicket ticket = ticketStore.findById(resourceServer, representation.getId());
PermissionTicket ticket = getPermissionTicket(representation.getId());

if (ticket == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
}

if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer())
throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be updated only by the owner or by the resource server", Response.Status.FORBIDDEN);

Expand All @@ -164,21 +159,29 @@ public Response delete(@PathParam("id") String id) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
}

PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
PermissionTicket ticket = getPermissionTicket(id);

if (ticket == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
}

if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer() && !ticket.getRequester().equals(this.identity.getId()))
throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server", Response.Status.FORBIDDEN);

PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();

ticketStore.delete(id);

return Response.noContent().build();
}

private PermissionTicket getPermissionTicket(String id) {
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
PermissionTicket ticket = ticketStore.findById(resourceServer, id);

if (ticket == null || !ticket.getResourceServer().equals(resourceServer)) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
}

return ticket;
}

@GET
@Produces("application/json")
public Response find(@QueryParam("scopeId") String scopeId,
Expand Down
7 changes: 7 additions & 0 deletions ...ests/base/src/test/java/org/keycloak/testsuite/authz/admin/AbstractAuthorizationTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,13 @@ private RealmBuilder createTestRealm() {
.authorizationServicesEnabled(true)
.redirectUris("http://localhost/" + RESOURCE_SERVER_CLIENT_ID)
.defaultRoles("uma_protection")
.directAccessGrants())
.client(ClientBuilder.create().clientId("another-resource-server-other")
.name("another-resource-server-other")
.secret("secret")
.authorizationServicesEnabled(true)
.redirectUris("http://localhost/" + "another-resource-server-other")
.defaultRoles("uma_protection")
.directAccessGrants());
}
}
22 changes: 20 additions & 2 deletions ...n/tests/base/src/test/java/org/keycloak/testsuite/authz/admin/ResourceManagementTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,22 @@ public void testUpdateScopes() {
assertEquals(0, updated.getScopes().size());
}

@Test
public void testFindResourceById() {
ResourceRepresentation resource = createResourceWithDefaultScopes();
resource.setId(null);
resource.setName("Another Resource");
resource.setOwner((String) null);
resource.setScopes(Set.of());
ResourceRepresentation anotherResource = doCreateResource(resource, findClientResource("another-resource-server-other").authorization().resources());

try {
getClientResource().authorization().resources().resource(anotherResource.getId()).toRepresentation();
fail("Should not find resource from another resource server");
} catch (NotFoundException ignore) {
}
}

private ResourceRepresentation createResourceWithDefaultScopes() {
ResourceRepresentation resource = createResource();

Expand Down Expand Up @@ -396,8 +412,10 @@ private ResourceRepresentation createResource(String name, String owner, String
}

protected ResourceRepresentation doCreateResource(ResourceRepresentation newResource) {
ResourcesResource resources = getClientResource().authorization().resources();
return doCreateResource(newResource, getClientResource().authorization().resources());
}

private ResourceRepresentation doCreateResource(ResourceRepresentation newResource, ResourcesResource resources) {
try (Response response = resources.create(newResource)) {

int status = response.getStatus();
Expand Down Expand Up @@ -425,4 +443,4 @@ protected void doRemoveResource(ResourceRepresentation resource) {
ResourcesResource resources = getClientResource().authorization().resources();
resources.resource(resource.getId()).remove();
}
}
}
Loading