OPENIDM-10455

Query and non-read operations not authorised for openidm-admin role with OAuth

    Details

      Description

      Get a token from an OIDC-integrated deployment (following the steps given in #OPENIDM_10454) using an administrator's credentials, and invoke IDM's REST API (script attached):

      $ token=$(OIDC_dataStoreToken.groovy -u jdoe -w 'P@ssw0rd')

      Then, the admin user can read, but not query; in the same manner, anything other than 'read' is unauthorised. This is not the case when authenticating as the internal admin user.

      $ curl 'http://openidm.example.com:8080/openidm/managed/user/6cb583ce-6d76-4b58-b43d-4ba0428f40ee' -H 'Content-Type: application/json' -H 'X-OpenIDM-OAuth-Login: true' -H "X-OpenIDM-DataStoreToken: $token" -H 'Referer: http://openidm.example.com:8080/openidm'
      ==>
      {
        "_id": "6cb583ce-6d76-4b58-b43d-4ba0428f40ee",
        "_rev": "1",
        "displayName": "test.0 last.0",
        "givenName": "test.0",
        "mail": "test0@example.com",
        "sn": "last.0",
        "userName": "test.0",
        "kbaInfo": [],
        "accountStatus": "active",
        "lastChanged": {
          "date": "2017-11-02T01:25:26.796Z"
        },
        "effectiveRoles": [],
        "effectiveAssignments": []
      }

       

      $ curl 'http://openidm.example.com:8080/openidm/managed/user/?_queryId=for-userName&uid=test.0' -H 'Content-Type: application/json' -H 'X-OpenIDM-OAuth-Login: true' -H "X-OpenIDM-DataStoreToken: $token"
      ==>
      {
        "code": 403,
        "reason": "Forbidden",
        "message": "Access denied"
      }

       

      $ curl -s 'http://openidm.example.com:8080/openidm/managed/user/6cb583ce-6d76-4b58-b43d-4ba0428f40ee' -H 'Content-Type: application/json' -H 'X-OpenIDM-OAuth-Login: true' -H "X-OpenIDM-DataStoreToken: $token" -H 'Referer: http://openidm.example.com:8080/openidm' -X PATCH -d '[{ "operation" : "replace", "field" : "/givenName", "value" : "test.0.1" }]' | jq .
      ==>
      {
        "code": 403,
        "reason": "Forbidden",
        "message": "Access denied"
      }
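      The access matrix the description reports (read allowed, query and patch denied through the OAuth/OIDC path; everything allowed as the internal admin) can be reproduced in one run with the script below. This is an added example, not the attached OIDC_dataStoreToken.groovy script and not OpenIDM code; the base URL, the environment variable names, the default internal admin password, the use of _queryFilter=true for the query step and the string-matching classification of IDM's JSON error object are all assumptions made for the example.

```shell
#!/bin/sh
# Added reproduction helper for OPENIDM-10455 (not part of the issue or of OpenIDM).
# It drives the same operations through two authentication paths and prints which
# ones IDM allows, so the OIDC-authenticated admin can be compared with the
# internal openidm-admin user side by side.
# Assumptions (all hypothetical, supplied through the environment):
#   IDM_URL  base URL of IDM, default http://openidm.example.com:8080/openidm
#   TOKEN    data-store token for the OIDC admin (e.g. from the attached script)
#   ADMIN_PW password of the internal openidm-admin user (default: openidm-admin)
#   USER_ID  _id of a managed user to read and patch

IDM_URL="${IDM_URL:-http://openidm.example.com:8080/openidm}"
ADMIN_PW="${ADMIN_PW:-openidm-admin}"

# classify_response BODY: IDM answers a failed request with a JSON error object
# carrying a numeric "code" (as in the 403 bodies above) and a successful one
# with the resource or a result set. Prints "denied" for 403, "error:<code>"
# for any other error object, and "allowed" otherwise. This is substring
# matching on the body, not a JSON parse; it is sufficient for the probe.
classify_response() {
  body="$1"
  case "$body" in
    *'"code": 403'*|*'"code":403'*) echo denied ;;
    *'"code": '[0-9]*|*'"code":'[0-9]*)
      code=$(printf '%s' "$body" | sed -n 's/.*"code": *\([0-9]*\).*/\1/p' | head -n 1)
      echo "error:$code" ;;
    *) echo allowed ;;
  esac
}

# idm_call AUTH METHOD PATH [BODY]: AUTH is "oauth" (X-OpenIDM-OAuth-Login with
# the data-store token, exactly as in the issue) or "internal"
# (X-OpenIDM-Username / X-OpenIDM-Password for openidm-admin).
idm_call() {
  auth="$1"; method="$2"; path="$3"; data="${4:-}"
  if [ "$auth" = oauth ]; then
    set -- -H 'X-OpenIDM-OAuth-Login: true' -H "X-OpenIDM-DataStoreToken: $TOKEN"
  else
    set -- -H 'X-OpenIDM-Username: openidm-admin' -H "X-OpenIDM-Password: $ADMIN_PW"
  fi
  # ${data:+-d "$data"} adds the request body only when one was given.
  curl -s -X "$method" "$IDM_URL/$path" "$@" \
    -H 'Content-Type: application/json' -H "Referer: $IDM_URL" \
    ${data:+-d "$data"}
}

# check_access AUTH USER_ID: one line per operation (read, query, patch), e.g.
#   oauth    read   allowed
#   oauth    query  denied
check_access() {
  auth="$1"; uid="$2"
  patch='[{"operation":"replace","field":"/givenName","value":"test.0.1"}]'
  printf '%-8s read   %s\n' "$auth" "$(classify_response "$(idm_call "$auth" GET "managed/user/$uid")")"
  printf '%-8s query  %s\n' "$auth" "$(classify_response "$(idm_call "$auth" GET 'managed/user?_queryFilter=true&_pageSize=1')")"
  printf '%-8s patch  %s\n' "$auth" "$(classify_response "$(idm_call "$auth" PATCH "managed/user/$uid" "$patch")")"
}

# Only talk to the server when a token and a user id were supplied.
if [ -n "${TOKEN:-}" ] && [ -n "${USER_ID:-}" ]; then
  check_access oauth    "$USER_ID"
  check_access internal "$USER_ID"
fi
```

      Run it as TOKEN="$token" USER_ID=6cb583ce-6d76-4b58-b43d-4ba0428f40ee sh probe.sh; with the behaviour described above, the oauth rows show read allowed and query and patch denied, while all internal rows show allowed. Note that the patch step really modifies givenName on the internal-admin pass, so point USER_ID at a test user.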
      

              People

                Assignee: Alin Brici
                Reporter: patrick diligent