Reading of "permissions" claim of access token #82

Pijako · 2022-09-21T14:57:14Z

Pijako
Sep 21, 2022

Hello,
Thank you very much for the development of this library that is great tool for authentication management.
I'm facing an http 403 error when I'm trying to use it with "Authorization Code flow", and I have some questions.

The access token I get from my Keycloak contains "scope", "roles" and "sub" claims but not "permissions" claim that the BaseFief object is trying to read at this part of the code : ( fief_client/client.py )

decoded_token = jwt.JWT(jwt=access_token, algs=["RS256"], key=jwks)
            claims = json.loads(decoded_token.claims)
            access_token_scope = claims["scope"].split()
            if required_scope is not None:
                for scope in required_scope:
                    if scope not in access_token_scope:
                        raise FiefAccessTokenMissingScope()
            permissions: List[str] = claims["permissions"] <- Here
            if required_permissions is not None:
                for required_permission in required_permissions:
                    if required_permission not in permissions:
                        raise FiefAccessTokenMissingPermission()

This creates a KeyError and then raises a FiefAccessTokenInvalid exception and then an http 403 error.
However, this access token seems to be valid with all the fields/values expected.

Am I using the library right ? Do I misunderstand something about roles / permissions ? I thought at this part of the code, after having checked the scope, the library would check the roles so I'm wondering if permissions checking is the same.

Thank you very much in advance for your help,

Thibault

Answered by frankie567

Sep 21, 2022

Hello @Pijako, welcome to Fief 👋

The access token I get from my Keycloak

The Fief Python client is designed to work with Fief, not Keycloak 🙃 In a way, we are a "competitor" to Keycloak; and we may not structure our access token the same way as them.

In Fief, we define the permissions claim to list the permissions a user has access to. When you assign a role, the user is granted the associated list of permissions; so it makes sense to check for actual permissions rather than a role. Ref: https://docs.fief.dev/getting-started/access-control/

View full answer

frankie567 · 2022-09-21T15:34:28Z

frankie567
Sep 21, 2022
Maintainer

Hello @Pijako, welcome to Fief 👋

The access token I get from my Keycloak

The Fief Python client is designed to work with Fief, not Keycloak 🙃 In a way, we are a "competitor" to Keycloak; and we may not structure our access token the same way as them.

In Fief, we define the permissions claim to list the permissions a user has access to. When you assign a role, the user is granted the associated list of permissions; so it makes sense to check for actual permissions rather than a role. Ref: https://docs.fief.dev/getting-started/access-control/

1 reply

Pijako Sep 21, 2022
Author

Thank you very much for your answer @frankie567 , it's very clear now ;)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fief

Reading of "permissions" claim of access token #82

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Fief

Reading of "permissions" claim of access token #82

Pijako Sep 21, 2022

Replies: 1 comment · 1 reply

frankie567 Sep 21, 2022 Maintainer

Pijako Sep 21, 2022 Author

Pijako
Sep 21, 2022

Replies: 1 comment 1 reply

frankie567
Sep 21, 2022
Maintainer

Pijako Sep 21, 2022
Author