[keycloak-user] ABAC policy, attributes not available

Nicolas Gillet nicolas.gillet at market-ip.com
Tue Jul 17 10:08:56 EDT 2018


Hello

I am trying to write a JavaScript Attribute Based Access Control (ABAC) policy.
I want to control access to a group resource using the authenticated user's attributes and the attributes configured on the group.
So I configured the policy via Groups > myGroup > Permissions > view-members and selected my JavaScript policy.

Problem: in the script, neither my identity nor my group attributes are available.
Here is my script:

var context = $evaluation.getContext();
var resourcePermission = $evaluation.getPermission();
var identity = context.getIdentity();
var idAttributes = identity.getAttributes();
var ctxAttributes = context.getAttributes();
var resource = resourcePermission.getResource();

print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
print('resource.getAttributes: ' + resource.getAttributes);

$evaluation.grant();

When I use the API endpoint as follows:
http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
it triggers the script and prints the following in the WildFly console:

15:36:13,000 INFO  [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
15:36:13,011 INFO  [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
15:36:13,011 INFO  [stdout] (default task-3) resource.getAttributes: undefined

So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all?!
I triple checked: my user has the custom attribute "CUSTOM_PROP" defined with value "test", and my group has attributes as well.

The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource
which, according to the Javadoc, must define a getAttributes() method. However it's ... undefined?!

The Keycloak version I use is 4.0.0.

Can anyone help me find what's wrong with my script?

Many thanks,


Nicolas GILLET


More information about the keycloak-user mailing list
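Added example, not part of the post above or of Keycloak's own code: the attribute-comparison pattern the post is reaching for, written as a JavaScript policy body that grants only when the requesting user's "department" attribute matches the resource's "department" attribute and denies whenever either side lacks the attribute. The attribute name "department", the policy wrapper function and the small stand-in for the server-side $evaluation object (so the logic can be exercised offline in Node) are assumptions for illustration; only the method names used on the Keycloak objects (getContext, getIdentity, getAttributes, getValue, asString, getPermission, getResource, grant, deny) are taken from the Keycloak JS policy API.

```javascript
// Added example (not from the original post or from Keycloak): a JS policy
// body that compares a user attribute with a resource attribute. The
// attribute name "department", the wrapper function and the fake
// evaluation context further down are assumptions for illustration.

// Policy body. In a real Keycloak JS policy this runs at top level with
// $evaluation provided by the server; here it is passed in so it can be
// tested outside the server.
function departmentPolicy($evaluation) {
  var context = $evaluation.getContext();
  var identity = context.getIdentity();
  var resource = $evaluation.getPermission().getResource();

  // identity.getAttributes().getValue(name) yields an Attributes.Entry, or
  // null when the user has no such attribute; Entry.asString(0) reads the
  // first value. A missing attribute is a deny, never a wildcard.
  var userDept = identity.getAttributes().getValue('department');
  if (userDept === null || userDept.isEmpty()) {
    $evaluation.deny();
    return;
  }

  // resource.getAttributes() is a Map<String, List<String>>; a resource
  // without the attribute is denied rather than silently granted.
  var resourceDepts = resource.getAttributes().get('department');
  if (resourceDepts === null || resourceDepts.isEmpty()) {
    $evaluation.deny();
    return;
  }

  if (resourceDepts.contains(userDept.asString(0))) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// --- Constructed stand-in for the server-side objects (assumption for
// offline testing); it mimics only the methods the policy above uses. ---
function fakeEntry(values) {
  return {
    isEmpty: function () { return values.length === 0; },
    asString: function (i) { return values[i]; }
  };
}

function fakeList(values) {
  return {
    isEmpty: function () { return values.length === 0; },
    contains: function (v) { return values.indexOf(v) !== -1; }
  };
}

function fakeEvaluation(userAttrs, resourceAttrs) {
  var decision = 'undecided';
  return {
    getContext: function () {
      return { getIdentity: function () {
        return { getAttributes: function () {
          return { getValue: function (name) {
            return name in userAttrs ? fakeEntry(userAttrs[name]) : null;
          } };
        } };
      } };
    },
    getPermission: function () {
      return { getResource: function () {
        return { getAttributes: function () {
          return { get: function (name) {
            return name in resourceAttrs ? fakeList(resourceAttrs[name]) : null;
          } };
        } };
      } };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    result: function () { return decision; }
  };
}

// Runs the policy against constructed attribute sets and returns 'grant' or 'deny'.
function decide(userAttrs, resourceAttrs) {
  var ev = fakeEvaluation(userAttrs, resourceAttrs);
  departmentPolicy(ev);
  return ev.result();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decide({ department: ['sales'] }, { department: ['sales'] })); // grant
  console.log(decide({ department: ['sales'] }, { department: ['hr'] }));    // deny
  console.log(decide({}, { department: ['sales'] }));                        // deny
}
```

To use this in Keycloak, paste only the body of departmentPolicy into the policy script (dropping the function wrapper, since $evaluation is already in scope there). The explicit deny branches matter: with attribute-based rules, an absent attribute on either the user or the resource should fail closed, and writing the deny out makes that intent visible when the policy is reviewed.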