[keycloak-dev] Keycloak springboot adapter does not allow setting the keycloak.policy-enforcer-config.user-managed-access property

LE BARO Romain romain.lebaro at protonmail.com
Thu Aug 22 08:44:50 EDT 2019


I am trying to secure my application with the springboot adapter. After digging into the source code, I have seen something that seems to be a bug in the implementation, or maybe I don't understand it correctly.

Inside the KeycloakAdapterPolicyEnforcer class, the method getPermissionTicket, which retrieves permissions for a user, contains this:

private String getPermissionTicket(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, OIDCHttpFacade httpFacade) {
    if (getEnforcerConfig().getUserManagedAccess() != null) {
        ProtectionResource protection = authzClient.protection();
        PermissionResource permission = protection.permission();
        PermissionRequest permissionRequest = new PermissionRequest();

        permissionRequest.setResourceId(pathConfig.getId());
        permissionRequest.setScopes(new HashSet<>(methodConfig.getScopes()));

        Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);

        if (!claims.isEmpty()) {
            permissionRequest.setClaims(claims);
        }

        return permission.create(permissionRequest).getTicket();
    }

    return null;
}

getEnforcerConfig().getUserManagedAccess() is always null if you have not defined the keycloak.policy-enforcer-config.user-managed-access property in application.properties.

But I can't define it, because the PolicyEnforcerConfig class defines the field userManagedAccess as a UserManagedAccessConfig object:

@JsonProperty("user-managed-access")
@JsonInclude(JsonInclude.Include.NON_NULL)
private UserManagedAccessConfig userManagedAccess;

but does not provide any Jackson converter to go from String to UserManagedAccessConfig.

Without this config property set, the adapter just rejects every request. Any workaround for this issue?


More information about the keycloak-dev mailing list
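One workaround for the binding problem described in the post, as an added example that is not part of the original message and not Keycloak's own code. It relies on the fact that Spring Boot fills a @ConfigurationProperties bean from application.properties with its own Binder and ConversionService rather than with Jackson, so the missing piece is a Spring Converter registered with @ConfigurationPropertiesBinding, not a Jackson converter. The package name com.example.uma, both class names, and the accepted property values ("true"/"enabled", "false"/"disabled") are assumptions made for this example; it also assumes that the adapter's auto-configuration exposes KeycloakSpringBootProperties as an injectable bean. Drop the second class if the application is not meant to use UMA at all.

```java
// Added example, not from the original post or from Keycloak. Package name is hypothetical.
package com.example.uma;

import org.keycloak.adapters.springboot.KeycloakSpringBootProperties;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.context.properties.ConfigurationPropertiesBinding;
import org.springframework.core.convert.converter.Converter;
import org.springframework.stereotype.Component;

/**
 * Spring Boot binds KeycloakSpringBootProperties (an AdapterConfig) from
 * application.properties with its property Binder, not with Jackson, so a
 * Jackson converter would not help. A Converter registered with
 * @ConfigurationPropertiesBinding is what the Binder consults when it holds a
 * string value for a property whose type it cannot bind field by field, which
 * is the case for the empty UserManagedAccessConfig marker class.
 *
 * With this converter registered, the line
 *
 *   keycloak.policy-enforcer-config.user-managed-access=true
 *
 * yields a non-null UserManagedAccessConfig, so getPermissionTicket() takes
 * the branch that creates a permission ticket instead of returning null.
 */
@Component
@ConfigurationPropertiesBinding
public class UserManagedAccessConverter
        implements Converter<String, PolicyEnforcerConfig.UserManagedAccessConfig> {

    @Override
    public PolicyEnforcerConfig.UserManagedAccessConfig convert(String source) {
        // Only an explicit opt-in enables UMA. Unknown values fail at startup rather
        // than silently leaving the field null, because a null here changes the
        // enforcer's behaviour (the post reports every request being rejected).
        String value = source == null ? "" : source.trim().toLowerCase();
        switch (value) {
            case "true":
            case "enabled":
                return new PolicyEnforcerConfig.UserManagedAccessConfig();
            case "false":
            case "disabled":
                return null;
            default:
                throw new IllegalArgumentException(
                        "keycloak.policy-enforcer-config.user-managed-access must be "
                        + "true or false, got '" + source + "'");
        }
    }
}

/**
 * Startup check: fail fast if the property did not bind, so a misconfiguration
 * shows up as a boot failure instead of as a wall of denied requests. Assumes
 * (not verified here) that the adapter's auto-configuration exposes
 * KeycloakSpringBootProperties as a bean.
 */
@Component
class UserManagedAccessBindingCheck implements ApplicationRunner {

    private final KeycloakSpringBootProperties properties;

    UserManagedAccessBindingCheck(KeycloakSpringBootProperties properties) {
        this.properties = properties;
    }

    @Override
    public void run(ApplicationArguments args) {
        PolicyEnforcerConfig enforcer = properties.getPolicyEnforcerConfig();
        if (enforcer == null || enforcer.getUserManagedAccess() == null) {
            throw new IllegalStateException(
                    "keycloak.policy-enforcer-config.user-managed-access is not set: "
                    + "the policy enforcer will never request a permission ticket");
        }
    }
}
```

Put both classes under a package that Spring's component scan covers and set keycloak.policy-enforcer-config.user-managed-access=true in application.properties. The converter only fires when a direct string value exists for that key; a nested key such as user-managed-access.something is bound field by field and, since UserManagedAccessConfig has no fields, still ends up null, which is exactly the situation the post describes.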