[keycloak-user] PolicyEnforcer always requires all defined scopes as 'required'

alexander.sahler at brodos.de alexander.sahler at brodos.de
Wed Oct 4 11:10:14 EDT 2017


Hi.

I am trying to get familiar with Keycloak. So I created a test project that uses
KeycloakOIDCFilter to secure a servlet request (a Vaadin UI).
Basically it's working. Now I want to make some portions of the UI
visible only to users granted permission to a certain scope.

So I set up:
* client (named test-context) is configured for authorization
* A resource (admin-ui) with associated scopes
urn:test-project:article:view and urn:test-project:article:create.
* two realm roles: admin and user
* two users (test, admin), one of them (test) having role user, the
other (admin) having both admin and user roles
* auth settings: policy enforcement mode: enforcing (also added
"policy-enforcer": {} in keycloak.json)
* Two policies:
  - Admin policy: type role, roles: admin (required)
  - User policy: type role, roles: user
* Two scope permissions bound to the resource admin-ui:
  - Article Create Permission: resource: admin-ui, scopes:
urn:test-project:article:create, policy: Admin policy, unanimous
  - Admin UI View Permission: resource: admin-ui, scopes:
urn:test-project:article:view, policy: User policy, unanimous
* A resource permission granting access to the resource itself using
Default Permission (js, grant all)

The admin user is working fine, and testing for scope membership using
authzClient is working fine as well.

However, when I try to access the page with user 'test', the user is
denied access by AbstractPolicyEnforcer. In method authorize() it
always passes the requiredScopes variable to isAuthorized(...). This
variable is ALWAYS filled with all scopes associated with the resource.
These are taken from the pathConfig, which always yields both associated
scopes.

Of course, user 'test' has only been granted permission to scope
urn:test-project:article:view following the authorization setup,
thus failing the grant, although the evaluator is returning PERMIT with
scopes (urn:testproject:article:view) as expected:

{
  "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c",
  "exp": 1507127243,
  "nbf": 0,
  "iat": 1507126943,
  "aud": "test-context",
  "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
  "typ": "Bearer",
  "azp": "test-context",
  "auth_time": 0,
  "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8",
  "acr": "1",
  "allowed-origins": [
    "http://"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {},
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "urn:testproject:article:view"
        ],
        "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
        "resource_set_name": "Admin UI"
      }
    ]
  },
  "name": "Test Tester",
  "preferred_username": "test",
  "given_name": "Test",
  "family_name": "Tester",
  "email": "test at bla.de"
}
I'm using Keycloak 3.2.1.Final on Karaf 4.1.2.

Please help!
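To make the behaviour described above concrete, here is an added illustration (not Keycloak's code and not from the post) that evaluates the RPT's authorization.permissions claim against a path configuration the way the poster describes: one check that, like the enforcer's requiredScopes, demands every scope associated with the resource, and one that checks only the single scope a UI portion needs. The path config, the admin token and the hyphenated scope names are assumptions constructed to mirror the setup in the post.

```python
import json

# Scope names as configured in the post (hyphenated form assumed; the token
# excerpt in the post prints the view scope without the hyphen).
VIEW = "urn:test-project:article:view"
CREATE = "urn:test-project:article:create"

# Path configuration as the enforcer sees it: the resource plus every scope
# associated with it (constructed to mirror the post's admin-ui resource).
PATH_CONFIG = {"path": "/admin-ui", "resource": "Admin UI", "scopes": [VIEW, CREATE]}

# Trimmed RPT payloads: 'test' is taken from the token in the post, 'admin'
# is constructed as the token the Admin policy would yield.
RPT_TEST_USER = json.loads("""{
  "preferred_username": "test",
  "authorization": {"permissions": [
    {"scopes": ["urn:test-project:article:view"],
     "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
     "resource_set_name": "Admin UI"}
  ]}
}""")
RPT_ADMIN_USER = json.loads("""{
  "preferred_username": "admin",
  "authorization": {"permissions": [
    {"scopes": ["urn:test-project:article:view",
                "urn:test-project:article:create"],
     "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
     "resource_set_name": "Admin UI"}
  ]}
}""")


def granted_scopes(rpt, resource_name):
    """Scopes the RPT grants on the named resource (empty set if none)."""
    perms = rpt.get("authorization", {}).get("permissions", [])
    granted = set()
    for perm in perms:
        if perm.get("resource_set_name") == resource_name:
            granted.update(perm.get("scopes", []))
    return granted


def authorized_all(rpt, path_config):
    """Enforcer-style check: every scope of the path config must be granted."""
    return set(path_config["scopes"]) <= granted_scopes(rpt, path_config["resource"])


def authorized_for(rpt, path_config, scope):
    """Per-feature check: only the one scope this UI portion needs."""
    return scope in granted_scopes(rpt, path_config["resource"])
```

With the all-scopes check, user 'test' is denied even though the RPT grants the view scope; the per-scope check is what lets the UI show the view-only portion while still hiding the create portion.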

