
REST security does not work when project contains configured OIDC with KeyCloak

Open · Flaurite opened this issue 3 years ago · 0 comments

Description

The project is integrated with KeyCloak using the OIDC add-on. The configuration follows the README of that add-on: https://github.com/jmix-framework/jmix/tree/master/jmix-oidc#protecting-api.

Users (excluding admin, because admin has system-full-access) do not have the "REST minimal role", so they do not have permission to use the REST API. But they can. It seems to somehow depend on jmix-security-oauth2-starter.

Steps to reproduce

  1. Download the project: sample-sales-jmix.zip
  2. Configure KeyCloak and the project (URLs, client id, client secret).
  3. Create a user with a role that has no API scope.
  4. Get an access token and try to send a request for some entity, e.g.:

     curl -v -X GET http://localhost:8080/rest/entities/sales_Product -H "Authorization: Bearer <access_token>"

ER (expected result): You don't have permissions to access REST.

AR (actual result): You get entity instances.

Flaurite, Aug 22 '22 15:08
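The steps above leave the token acquisition implicit and compare the result by eye. The script below is an added reproduction harness for this report; it is not code from the reporter, from the sample-sales-jmix project or from the Jmix project. It assumes (none of this is stated in the issue) a Keycloak instance reachable at KEYCLOAK_URL with a realm, confidential client and a test user whose role lacks the REST minimal role, all passed in through the environment variables at the top; it also assumes the modern Keycloak token endpoint path without the legacy `/auth` prefix. The only fact it takes from the report is the entity URL, `/rest/entities/sales_Product`.

```shell
#!/usr/bin/env sh
# Added reproduction harness for the Jmix OIDC / REST security report.
# Not part of Jmix or the sample project. Everything below the JMIX_URL line that
# names a realm, client, user or password is an assumed placeholder: override it
# through the environment for your own Keycloak setup.
set -eu

KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8180}"
KEYCLOAK_REALM="${KEYCLOAK_REALM:-sales}"      # assumed realm name
CLIENT_ID="${CLIENT_ID:-sales-app}"             # assumed confidential client
CLIENT_SECRET="${CLIENT_SECRET:-changeme}"      # assumed client secret
TEST_USER="${TEST_USER:-norest}"                # assumed user WITHOUT the REST minimal role
TEST_PASSWORD="${TEST_PASSWORD:-norest}"
JMIX_URL="${JMIX_URL:-http://localhost:8080}"   # Jmix app from the report

# Obtain an access token with the resource-owner password grant against Keycloak's
# standard token endpoint (/realms/<realm>/protocol/openid-connect/token) and print
# only the access_token value; prints nothing if the response carries none.
get_access_token() {
    curl -sS -X POST "$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token" \
        -d "grant_type=password" \
        -d "client_id=$CLIENT_ID" \
        -d "client_secret=$CLIENT_SECRET" \
        -d "username=$TEST_USER" \
        -d "password=$TEST_PASSWORD" \
        | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Call the entity endpoint from the report with the bearer token and print only
# the HTTP status code, so the outcome can be judged without reading the body.
rest_status() {
    token="$1"
    curl -sS -o /dev/null -w '%{http_code}' -X GET \
        "$JMIX_URL/rest/entities/sales_Product" \
        -H "Authorization: Bearer $token"
}

# Map the status code to the two outcomes the report distinguishes:
# "denied" is the expected result for a user without the REST role,
# "allowed" (any 2xx) means the report's actual result was reproduced.
classify_status() {
    case "$1" in
        401|403)     echo "denied" ;;
        2[0-9][0-9]) echo "allowed" ;;
        *)           echo "unexpected" ;;
    esac
}

# Only touch the network when explicitly requested (RUN_REPRO=1), so the functions
# above can be sourced and exercised without a running Keycloak or Jmix instance.
if [ "${RUN_REPRO:-0}" = "1" ]; then
    token="$(get_access_token)"
    [ -n "$token" ] || { echo "no access_token in Keycloak response" >&2; exit 2; }
    status="$(rest_status "$token")"
    case "$(classify_status "$status")" in
        denied)  echo "OK: REST access denied for $TEST_USER (HTTP $status)" ;;
        allowed) echo "BUG REPRODUCED: $TEST_USER got HTTP $status from /rest/entities/sales_Product"; exit 1 ;;
        *)       echo "Unexpected HTTP status $status" >&2; exit 3 ;;
    esac
fi
```

Run it as `RUN_REPRO=1 KEYCLOAK_REALM=<realm> CLIENT_ID=<id> CLIENT_SECRET=<secret> TEST_USER=<user> TEST_PASSWORD=<pw> sh repro.sh`; a non-zero exit with the "BUG REPRODUCED" line is the actual result described in the report, a zero exit is the expected result. Checking the status code rather than the body also catches the case where the endpoint returns an empty list with 200, which still means the REST role was not enforced.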