[keycloak-user] Failed to evaluate permissions with javascript

Pedro Igor Silva psilva at redhat.com
Wed Jul 4 10:13:20 EDT 2018


Sorry, should *not* get a null reference ...

On Wed, Jul 4, 2018 at 11:12 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Yeah it is fine, and if you ask permissions for MySensorsXXX (considering
> resource exists) you should get a null reference in your JS policy.
>
> On Wed, Jul 4, 2018 at 11:07 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Yes I want to have permissions for each resource associated with that
>> scope.
>> Basically, I have:
>>
>> Resource:
>> -------------
>> name: MySensorsXXX
>> scope: [sensors:update, sensors:delete]
>>
>> Policy:
>> ---------
>> name: Resource owner
>> type: javascript
>>
>> Permission:
>> --------------
>> name: Delete Sensor
>> type: scope-based
>> Scopes: [sensors:delete]
>> Apply Policy: Resource owner
>>
>> Based on this setting, I want to ask Keycloak if I can delete a
>> particular sensor, named MySensorsXXX.
>> Keycloak should approve only if I'm owner.
>> Is it the correct way to do it?
>>
>>
>> On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Could you deny if the requested permission is not for a resource? Or do you
>>> want to have permissions for each resource associated with that scope?
>>>
>>> On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> So how to retrieve the resource associated with this request?
>>>>
>>>> For instance I want to delete a sensor named MySensorsXXX:
>>>>
>>>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>>   -H "Authorization: Bearer $USERTOKEN" \
>>>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>>>>
>>>> I have a scope-based policy, where I check if you are owner.
>>>>
>>>>
>>>>
>>>> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> This is because the permission is not for the resource (it does not
>>>>> exist) but for scopes. So resource is null.
>>>>>
>>>>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Hi again,
>>>>>> I use a small javascript policy:
>>>>>>
>>>>>> var context = $evaluation.getContext();
>>>>>> var permission = $evaluation.getPermission();
>>>>>> var identity = context.getIdentity();
>>>>>> if (identity.id == permission.getResource().getOwner()) {
>>>>>>     $evaluation.grant();
>>>>>> }
>>>>>>
>>>>>>
>>>>>> But this gets me an error:
>>>>>>
>>>>>> Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
>>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>>>>>    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>>>>>> ...
>>>>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>>>>>
>>>>>>
>>>>>> I noticed this happens only with scope-based policies, so maybe it's the
>>>>>> same problem as before?
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>


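The failure discussed in this thread is a JavaScript policy that calls `permission.getResource().getOwner()` while Keycloak is evaluating a scope-based permission with no resource attached, so `getResource()` returns null. The block below is an added example, not code from the thread or from Keycloak: it shows the original policy beside a defensive version that denies when no resource is present (default deny) and only grants when the requesting identity is the resource owner. In a real Keycloak policy the script body runs at top level with `$evaluation` as a global; here the body is wrapped in a function and the `$evaluation`, `Identity`, `ResourcePermission` and `Resource` objects are constructed stand-ins with the same method names, so the example runs under Node.js. The identity ids and the `MySensorsXXX` owner are constructed sample values.

```javascript
// Added example, not from the original thread or from Keycloak.
// The policy bodies below use the same calls a Keycloak JS policy makes on
// $evaluation; the objects passed in are constructed stand-ins (see below).

// Original policy from the thread: crashes with a TypeError when the
// permission carries no resource (scope-only evaluation).
function originalPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  if (identity.getId() == permission.getResource().getOwner()) {
    $evaluation.grant();
  }
}

// Defensive policy: never dereferences a null resource and makes the
// decision explicit in both directions (deny is the safe default).
function resourceOwnerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // Scope-based permission evaluated without a resource: nothing to own.
  if (resource === null || resource === undefined) {
    $evaluation.deny();
    return;
  }

  if (identity.getId() === resource.getOwner()) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// --- constructed stand-ins for Keycloak's Evaluation/Identity/Permission ---
function makeEvaluation(identityId, resource) {
  var decision = null;
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return identityId; } };
        }
      };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Runs a policy against one constructed evaluation and reports the outcome,
// or 'ERROR' if the policy threw (which is what Keycloak turns into
// "Failed to evaluate permissions").
function evaluate(policy, identityId, resource) {
  var ev = makeEvaluation(identityId, resource);
  try {
    policy(ev);
  } catch (e) {
    return 'ERROR';
  }
  return ev.result();
}

// Constructed sample resource, owned by the constructed user id 'user-a'.
var sensor = {
  getName: function () { return 'MySensorsXXX'; },
  getOwner: function () { return 'user-a'; }
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('original, no resource :', evaluate(originalPolicy, 'user-a', null));
  console.log('defensive, no resource:', evaluate(resourceOwnerPolicy, 'user-a', null));
  console.log('defensive, owner      :', evaluate(resourceOwnerPolicy, 'user-a', sensor));
  console.log('defensive, non-owner  :', evaluate(resourceOwnerPolicy, 'user-b', sensor));
}
```

The point of the null check is not only to avoid the exception: an exception aborts the whole evaluation, whereas an explicit `deny()` on a resource-less request keeps the policy's behaviour well defined when the same policy is reused under a scope-based permission.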