Authorization Services: requesting RPT audit events?

Hi!

We are interested in using Keycloak for both SSO and as an authorization server, but one key feature we are looking for is audit events, especially for “failed” authentication/authorization requests, to detect resource abuse/misuse attempts.

There are LOGIN and LOGIN_ERROR events available to audit successful/failed authentication attempts, so an access_token request like this one

curl --location --request POST 'http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my-client-id' \
--data-urlencode 'client_secret=the-client-secret' \
--data-urlencode 'username=myusername' \
--data-urlencode 'password=mypassword' \
--data-urlencode 'scope=openid'

where all parameters are correct, would generate a LOGIN event that can be seen in the admin interface, and a request like this other one:

curl --location --request POST 'http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my-client-id' \
--data-urlencode 'client_secret=wrong-client-secret' \
--data-urlencode 'username=or-wrong-username' \
--data-urlencode 'password=or-wrong-password' \
--data-urlencode 'scope=openid'

where one or more parameters are incorrect, would generate a LOGIN_ERROR event visible in the admin interface.

That covers the authentication part very well; however, what about RPT requests (the authorization part)? What are the events that audit successful/failed requests for RPTs such as the next one:

curl --location --request POST 'http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Authorization: Bearer somevalidaccess_token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=my-audience' \
--data-urlencode 'permission=myResource#my-scope'

where an RPT is requested using a previously generated access_token.

Enabling ALL the events in the admin interface does not cause audit events to be logged for either successful or failed requests of this type.

This screenshot shows ALL the available audit events being “enabled”.

But as said before, for RPT requests, no events are generated whatsoever.

Is there any other way to get those events logged? The failed ones are of particular importance as we could detect attempts to access privileged resources by unprivileged users.

Any help would be greatly appreciated.


Have you ever found an answer to this question? Thanks

Hi!

Actually I collaborated to get them implemented as part of Keycloak’s codebase.

Here’s the respective JIRA issue

https://issues.redhat.com/browse/KEYCLOAK-16536

It was officially released with Keycloak 13.

You can now look for PERMISSION_TOKEN and PERMISSION_TOKEN_ERROR events on Keycloak and they will generate records of both successful and failed RPT verifications. As the JIRA issue mentions, the events already existed. The problem was that they were never being triggered.

You can see them highlighted below

Hope they are useful.

Kind Regards
Juan
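The original question wanted failed RPT requests to be detectable so that attempts by unprivileged users to reach privileged resources stand out, and the reply above names the PERMISSION_TOKEN / PERMISSION_TOKEN_ERROR event types that Keycloak 13 now emits. The following is an added example, not part of this thread and not Keycloak's own code, showing one way to consume those events for detection. It assumes the records were fetched from the admin events endpoint (GET /admin/realms/{realm}/events), whose JSON objects carry the standard EventRepresentation fields time, type, clientId, userId, ipAddress, error and details. The sample records are constructed; the keys inside "details" and the error strings are assumptions, not documented Keycloak values.

```python
"""Flag principals that repeatedly fail RPT (permission token) requests.

Added example, not Keycloak code. Input: the JSON array returned by
GET /admin/realms/{realm}/events (optionally filtered with
?type=PERMISSION_TOKEN_ERROR). Output: the principals that crossed a
failure threshold inside a sliding time window, plus a per-client summary.
"""
import json
from collections import defaultdict, deque

# Event types named in the thread; emitted since Keycloak 13.
PERMISSION_TOKEN = "PERMISSION_TOKEN"
PERMISSION_TOKEN_ERROR = "PERMISSION_TOKEN_ERROR"

# Constructed sample response. Times are milliseconds since the epoch, as
# Keycloak reports them. The "details" keys and "error" values are assumed.
SAMPLE_EVENTS_JSON = json.dumps([
    {"time": 1700000000000, "type": "PERMISSION_TOKEN", "realmId": "myrealm",
     "clientId": "my-client-id", "userId": "user-a", "ipAddress": "10.0.0.5",
     "details": {"audience": "my-audience", "permission": "myResource#my-scope"}},
    {"time": 1700000005000, "type": "PERMISSION_TOKEN_ERROR", "realmId": "myrealm",
     "clientId": "my-client-id", "userId": "user-b", "ipAddress": "10.0.0.9",
     "error": "access_denied",
     "details": {"audience": "my-audience", "permission": "adminResource#admin-scope"}},
    {"time": 1700000012000, "type": "PERMISSION_TOKEN_ERROR", "realmId": "myrealm",
     "clientId": "my-client-id", "userId": "user-b", "ipAddress": "10.0.0.9",
     "error": "access_denied",
     "details": {"audience": "my-audience", "permission": "adminResource#admin-scope"}},
    {"time": 1700000020000, "type": "PERMISSION_TOKEN_ERROR", "realmId": "myrealm",
     "clientId": "my-client-id", "userId": "user-b", "ipAddress": "10.0.0.9",
     "error": "access_denied",
     "details": {"audience": "my-audience", "permission": "adminResource#admin-scope"}},
    # An authentication failure: not an RPT event, so it must be ignored here.
    {"time": 1700000030000, "type": "LOGIN_ERROR", "realmId": "myrealm",
     "clientId": "my-client-id", "userId": "user-c", "ipAddress": "10.0.0.7",
     "error": "invalid_user_credentials", "details": {}},
    # A single failure much later: below the threshold, should not be flagged.
    {"time": 1700000200000, "type": "PERMISSION_TOKEN_ERROR", "realmId": "myrealm",
     "clientId": "my-client-id", "userId": "user-d", "ipAddress": "10.0.0.11",
     "error": "invalid_resource", "details": {"permission": "noSuchResource"}},
])


def load_events(text):
    """Parse the events JSON and return the records sorted by time."""
    return sorted(json.loads(text), key=lambda e: e["time"])


def failed_permission_requests(events):
    """Keep only the failed RPT requests; LOGIN_ERROR and others are out of scope."""
    return [e for e in events if e.get("type") == PERMISSION_TOKEN_ERROR]


def flag_repeat_offenders(events, threshold=3, window_ms=60_000):
    """Return {principal: time_first_flagged} for principals with at least
    `threshold` PERMISSION_TOKEN_ERROR events inside any `window_ms` span.

    The principal is the userId, falling back to the source IP when the
    request carried no resolvable user (e.g. a client-credentials token).
    """
    recent = defaultdict(deque)   # principal -> timestamps inside the window
    flagged = {}
    for e in failed_permission_requests(events):  # already time-sorted
        key = e.get("userId") or e.get("ipAddress") or "unknown"
        window = recent[key]
        window.append(e["time"])
        while window and e["time"] - window[0] > window_ms:
            window.popleft()          # drop failures older than the window
        if len(window) >= threshold and key not in flagged:
            flagged[key] = e["time"]
    return flagged


def summarize_failures(events):
    """Count failed RPT requests per (clientId, error) for a dashboard view."""
    counts = defaultdict(int)
    for e in failed_permission_requests(events):
        counts[(e.get("clientId"), e.get("error"))] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS_JSON)
    print("failed RPT requests:", len(failed_permission_requests(evs)))
    print("flagged principals:", flag_repeat_offenders(evs))
    print("per client/error:", summarize_failures(evs))
```

The same loop works on a live feed if the events are pulled periodically with a `dateFrom` filter and fed in time order; the window-per-principal structure only keeps the timestamps that can still contribute to a threshold breach, so memory stays bounded by the number of active principals.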