[keycloak-user] Authorization with service account

Pedro Igor Silva psilva at redhat.com
Mon Oct 16 12:02:16 EDT 2017


Glad it worked. FYI, you don't actually need the *else* clause because the
engine will always deny if the policy did not call either grant or deny.

On Thu, Oct 12, 2017 at 9:32 AM, Jean-François HEROUARD <
jfherouard.almerys at gmail.com> wrote:

> I answer myself, a js policy script to allow a service account:
>
> var context = $evaluation.getContext();
> var identity = context.getIdentity();
> var attributes = identity.getAttributes();
> var username = attributes.getValue('preferred_username').asString(0);
> var clientId = attributes.getValue('clientId').asString(0);
>
> if (username === 'service-account-' + clientId) {
>     $evaluation.grant();
> } else {
>     $evaluation.deny();
> }
>
> 2017-10-12 10:40 GMT+02:00 Jean-François HEROUARD <
> jfherouard.almerys at gmail.com>:
>
> > Hi,
> >
> > In a client, I have service account and authorization enabled. When
> > service account fetches all resources, authorizations applied. I would like
> > a specific user policy rule for this user but "service-account-(client
> > name)" is not suggested nor accepted by the user policy provider.
> > Is there another way to do that? In js but what is the uuid of a service
> > user? Is that a functional bug?
> >
> > Thanks.
> >
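Added example, not part of the original thread and not Keycloak code: the policy from the thread without the else branch, run against a small stand-in for `$evaluation` that models the default deny described in the reply. The stand-in (`makeEvaluation`, `evaluate`, the 'PERMIT'/'DENY' strings), the sample identities, and `getValue` returning null for a missing attribute are assumptions.

```javascript
// Stand-in for Keycloak's $evaluation object (assumption, not Keycloak code).
// It models only what the reply states: no grant()/deny() call means deny.
function makeEvaluation(claims) {
  let decision = null;
  const attributes = {
    // Assumption: getValue() returns null when the identity lacks the attribute.
    getValue: (name) =>
      Object.prototype.hasOwnProperty.call(claims, name)
        ? { asString: (i) => String(claims[name][i]) }
        : null,
  };
  return {
    getContext: () => ({ getIdentity: () => ({ getAttributes: () => attributes }) }),
    grant: () => { decision = 'PERMIT'; },
    deny: () => { decision = 'DENY'; },
    result: () => decision || 'DENY', // nothing called: default deny
  };
}

// The policy from the thread, with the else branch removed and null checks
// added so an identity without one of the attributes does not throw.
function serviceAccountPolicy($evaluation) {
  const attributes = $evaluation.getContext().getIdentity().getAttributes();
  const username = attributes.getValue('preferred_username');
  const clientId = attributes.getValue('clientId');
  if (username === null || clientId === null) {
    return; // no decision made, so the engine denies
  }
  if (username.asString(0) === 'service-account-' + clientId.asString(0)) {
    $evaluation.grant();
  }
}

// Runs the policy once against constructed identity attributes.
function evaluate(claims) {
  const $evaluation = makeEvaluation(claims);
  serviceAccountPolicy($evaluation);
  return $evaluation.result();
}

// Constructed identities: the client's service account, a user with no
// clientId attribute, and a regular user coming through the same client.
console.log(evaluate({ preferred_username: ['service-account-my-client'], clientId: ['my-client'] }));
console.log(evaluate({ preferred_username: ['alice'] }));
console.log(evaluate({ preferred_username: ['alice'], clientId: ['my-client'] }));
```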