User in Realm-1 can list users in Realm-2 via API. How to restrict?

This topic contains 5 replies, has 3 voices, and was last updated by  mike.kimber@verint.com 2 weeks, 4 days ago.

  • #11419
     Firos 
    Participant

    User-1 in Realm-1 can list users in Realm-2 using User-1’s token via API.
    How to restrict?

    #11482
     Peter Major 
    Moderator

    Please provide curl examples for this. Most likely you are just calling the wrong realm’s endpoint.

    #11490
     Firos 
    Participant

    Peter,

    1. Authenticate as a user in Realm-1 (userName: tester1)
    API: http://fr.test.loc/sso/json/realm1/authenticate
    Response: Received token String

    2. Executed API to list users in Realm-2, using previous token (Realm-1 user’s token)
    API: http://fr.test.loc/sso/json/realm2/users?_queryId=*&_fields=uid,cn,sn,givenName
    Response: It lists all users in realm2 using realm1-user’s token

    3. Both realm DNs are different, and both come under the master realm at the same level.

    The same way, I can access realm1’s users using a realm2 user’s token.
    This is the scenario I tried; what’s the issue with it?

    • This reply was modified 2 years, 1 month ago by  Firos.
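Added example, not code from the thread or from ForgeRock: a Python regression check an administrator can run to confirm that a token issued in realm1 is refused when listing realm2’s users. It assumes the classic OpenAM REST endpoint shapes the thread uses (`/json/<realm>/authenticate` with the X-OpenAM-Username/X-OpenAM-Password headers, `/json/<realm>/users?_queryId=*`, the SSO token passed in an iPlanetDirectoryPro header, and a `result` array in the query response); `FakeAM` is a constructed stand-in so the check runs offline, and with `fixed=False` it reproduces the behaviour reported above.

```python
import io
import json
import urllib.error
import urllib.request

TOKEN_HEADER = "iPlanetDirectoryPro"  # default AM session cookie/header name (assumption)


def authenticate(base_url, realm, username, password, opener):
    """Zero-page login against /json/<realm>/authenticate; returns the tokenId."""
    req = urllib.request.Request(
        f"{base_url}/json/{realm}/authenticate", data=b"", method="POST",
        headers={"X-OpenAM-Username": username, "X-OpenAM-Password": password,
                 "Content-Type": "application/json"})
    with opener.open(req) as resp:
        return json.load(resp)["tokenId"]


def list_users(base_url, realm, token, opener):
    """Query /json/<realm>/users?_queryId=* with the token; returns the uid list."""
    req = urllib.request.Request(
        f"{base_url}/json/{realm}/users?_queryId=*&_fields=uid",
        headers={TOKEN_HEADER: token})
    with opener.open(req) as resp:
        return [u["uid"] for u in json.load(resp)["result"]]


def check_realm_isolation(base_url, auth_realm, target_realm, username, password,
                          opener=None):
    """isolated=True when a token from auth_realm cannot list target_realm's users."""
    opener = opener or urllib.request.build_opener()
    token = authenticate(base_url, auth_realm, username, password, opener)
    try:
        users = list_users(base_url, target_realm, token, opener)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return {"isolated": True, "status": err.code, "users": []}
        raise
    return {"isolated": False, "status": 200, "users": users}


class FakeAM:
    """Constructed offline stand-in for the server (not a real AM).
    fixed=False mimics the thread: any valid token may list any realm's users."""
    def __init__(self, fixed):
        self.fixed = fixed
        self.users = {"realm1": ["tester1"], "realm2": ["alice", "bob"]}  # constructed

    def open(self, req):
        path = req.full_url.split("/json/", 1)[1]
        realm = path.split("/", 1)[0]
        if path.endswith("/authenticate"):
            return io.BytesIO(json.dumps({"tokenId": f"tok-{realm}"}).encode())
        token_realm = req.get_header(TOKEN_HEADER.capitalize())[len("tok-"):]
        if self.fixed and token_realm != realm:  # patched server refuses cross-realm use
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, None)
        body = {"result": [{"uid": u} for u in self.users[realm]]}
        return io.BytesIO(json.dumps(body).encode())
```

Against a real deployment, pass no `opener` and use the base URL from the thread (`http://fr.test.loc/sso`); a result with `isolated: False` means the cross-realm listing is still possible.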
    #11544
     Firos 
    Participant

    What’s the issue with it?

    #11576
     Peter Major 
    Moderator

    Looks like absolutely nothing. It appears you ran into a bug.

    #22455
     mike.kimber@verint.com 
    Participant

    We have encountered this issue. Was a bug raised for this?

©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.