[keycloak-user] Failed to evaluate permissions with javascript

Pedro Igor Silva psilva at redhat.com
Wed Jul 4 10:12:40 EDT 2018


Yeah it is fine, and if you ask permissions for MySensorsXXX (considering
resource exists) you should get a null reference in your JS policy.

On Wed, Jul 4, 2018 at 11:07 AM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Yes I want to have permissions for each resource associated with that
> scope.
> Basically, I have:
>
> Resource:
> -------------
> name: MySensorsXXX
> scope: [sensors:update, sensors:delete]
>
> Policy:
> ---------
> name: Resource owner
> type: javascript
>
> Permission:
> --------------
> name: Delete Sensor
> type: scope-based
> Scopes: [sensors:delete]
> Apply Policy: Resource owner
>
> Based on this setting, I want to ask Keycloak if I can delete a particular
> sensor, named MySensorsXXX.
> Keycloak should approve only if I'm owner.
> Is it the correct way to do it?
>
> On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Could you deny if requested permission is not for a resource ? Or do you
>> want to have permissions for each resource associated with that scope ?
>>
>> On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> So how to retrieve the resource associated with this request?
>>>
>>> For instance I want to delete a sensor named MySensorsXXX:
>>>
>>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>   -H "Authorization: Bearer $USERTOKEN" \
>>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>>>
>>> I have a scope-based policy, where I check if you are owner.
>>>
>>>
>>>
>>> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> This is because the permission is not for the resource (it does not
>>>> exist) but for scopes. So resource is null.
>>>>
>>>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi again,
>>>>> I use a small javascript policy:
>>>>>
>>>>> var context = $evaluation.getContext();
>>>>> var permission = $evaluation.getPermission();
>>>>> var identity = context.getIdentity();
>>>>> if (identity.id == permission.getResource().getOwner()) {
>>>>>     $evaluation.grant();
>>>>> }
>>>>>
>>>>>
>>>>> But this gets me an error:
>>>>>
>>>>> Unexpected error while evaluating permissions:
>>>>> java.lang.RuntimeException: Failed to evaluate permissions
>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>>>>    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>>>>> ...
>>>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>>>>
>>>>>
>>>>> I noticed this happens only with scope-based policies, so maybe it's the
>>>>> same problem as before?
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
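The thread above boils down to one defensive check: for a scope-based permission Keycloak hands the policy a permission whose `getResource()` is null, and calling `getOwner()` on it aborts the whole evaluation with the TypeError shown. The following is an added example (not code from the thread or from Keycloak) of the owner policy written to tolerate that case: the policy body is wrapped in a function that receives the evaluation object instead of the `$evaluation` global, and `makeEvaluation`/`makeResource` are constructed stand-ins that mimic only the calls the thread uses (`getContext`, `getPermission`, `getIdentity`, `getResource`, `getOwner`, `grant`, `deny`); `identity.id` is used as in the original script. The constructed resource name and user ids are sample values.

```javascript
// Body of a Keycloak JavaScript policy, wrapped in a function so it can be
// exercised outside Keycloak. Inside Keycloak the same statements run with
// the `$evaluation` global; here the evaluation object is passed in.
function resourceOwnerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // Scope-only permission: no resource is attached, so getResource() is null.
  // Deny explicitly instead of letting a TypeError abort the evaluation.
  if (resource === null || resource === undefined) {
    $evaluation.deny();
    return 'deny';
  }

  // Resource permission: grant only when the caller owns the resource.
  if (identity.id === resource.getOwner()) {
    $evaluation.grant();
    return 'grant';
  }
  $evaluation.deny();
  return 'deny';
}

// Constructed stand-in for Keycloak's evaluation object (hypothetical, not the real API).
// `resource` is null to model a scope-based permission with no resource attached.
function makeEvaluation(userId, resource) {
  var decision = null;
  return {
    getContext: function () {
      return { getIdentity: function () { return { id: userId }; } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}

// Constructed stand-in for a Keycloak resource with an owner.
function makeResource(name, ownerId) {
  return {
    getName: function () { return name; },
    getOwner: function () { return ownerId; }
  };
}

// Stand-alone run: owner of the constructed sensor, a non-owner, and a scope-only request.
var sensor = makeResource('MySensorsXXX', 'user-1');
console.log(resourceOwnerPolicy(makeEvaluation('user-1', sensor)));  // grant
console.log(resourceOwnerPolicy(makeEvaluation('user-2', sensor)));  // deny
console.log(resourceOwnerPolicy(makeEvaluation('user-1', null)));    // deny
```

Denying when no resource is attached is the conservative choice: a scope-only ticket (`permission=#sensors:delete`-style requests with no resource) carries nothing for an ownership test to inspect, so treating it as a grant would let any authenticated user exercise the scope.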

