[keycloak-user] Policy Evaluation for Service Account shows unexpected behavior

Pedro Igor Silva psilva at redhat.com
Wed Nov 7 17:55:29 EST 2018


Hi,

It should be a bug. I've created
https://issues.jboss.org/browse/KEYCLOAK-8768.

I need to check if we are properly working with sessions when identity is a
service account. Could you add a comment to that JIRA with an example of an
authorization request to the token endpoint?

Thanks.

On Wed, Nov 7, 2018 at 8:29 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> Hi,
> I am using the Protection API to create resources in Keycloak. Some of
> those resources are created by service accounts, some by regular users. I
> also have a JS policy that grants access to a resource if the given
> identity is the resource owner (it was an example from the documentation):
>
> var context = $evaluation.getContext();
> var identity = context.getIdentity();
> var permission = $evaluation.getPermission();
> if (permission.resource !== null && permission.resource.owner ==
>         identity.id) {
>     $evaluation.grant();
> }
>
> The problem is that the policy fails to execute. Using the evaluation tool
> in the admin console, it produces the following stack trace:
> https://pastebin.com/2XXHQkNf .
> The policy works fine for regular users. In addition to that, trying to
> list the account’s permissions using the token endpoint (as described in
> [1]) fails with a 403.
> Am I missing something or is that a bug in Keycloak?
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
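The token-endpoint authorization request the reply asks for, written here as an added example rather than code from the thread or from Keycloak itself: it builds the client_credentials form a service account uses to get its bearer token, the UMA request with response_mode=permissions that the linked docs describe, and interprets the 403 the question reports. Base URL, realm, client, secret and resource names are assumed placeholders; the response bodies in the checks are constructed.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url, realm):
    # Keycloak token endpoint; the "/auth" prefix matches the 2018-era layout.
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def service_account_token_form(client_id, client_secret):
    # A service account obtains its bearer token with the client_credentials grant.
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


def permission_list_form(audience, resource=None):
    # response_mode=permissions asks the server to list the granted permissions
    # instead of issuing an RPT; "permission" narrows the query to one resource.
    form = {"grant_type": UMA_GRANT, "audience": audience,
            "response_mode": "permissions"}
    if resource:
        form["permission"] = resource
    return urlencode(form)


def interpret(status, body):
    # 403 is what the thread reports for the service account: record it as
    # "nothing granted" and keep the server's error body for the bug report.
    if status == 403:
        return {"granted": [], "error": json.loads(body) if body else None}
    if status != 200:
        raise ValueError(f"unexpected status {status}")
    perms = json.loads(body)
    return {"granted": [(p["rsname"], p.get("scopes", [])) for p in perms],
            "error": None}


def list_permissions(base_url, realm, audience, bearer, resource=None):
    # Live call against a real server; the offline checks use interpret() directly.
    req = Request(token_endpoint(base_url, realm),
                  data=permission_list_form(audience, resource).encode(),
                  headers={"Authorization": f"Bearer {bearer}",
                           "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return interpret(resp.status, resp.read().decode())
    except HTTPError as err:
        return interpret(err.code, err.read().decode())
```

Comparing the output of list_permissions() for a service-account token against the same call with a regular user's token is the quickest way to show the difference in the JIRA comment.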
