[keycloak-user] authz-rest-employee quickstart: fails to query Protection API for employee resource (/api/alice doesn't match /api/{employee}/*)
Milan Simonovic
amavisto at gmail.com
Wed Oct 17 06:08:43 EDT 2018
All right, found a solution.
matchingUri from the source code: https://github.com/keycloak/keycloak/blob/f99299ee3956d138c001769b0fe4bcfcc90a219f/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java#L348 looks like a flag that should trigger extra search if no resource is found, calling PathMatcher on each client resource. PathMatcher, https://github.com/keycloak/keycloak/blob/b478472b3578b8980d7b5f1642e91e75d1e78d16/common/src/main/java/org/keycloak/common/util/PathMatcher.java#L29, seems capable of matching /api/alice to /api/{employee}/*, this test passes:
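
    import static org.junit.Assert.assertEquals;
    import static org.junit.Assert.assertNotNull;

    import java.util.Collection;
    import java.util.HashMap;
    import java.util.Map;

    import org.junit.Test;
    import org.keycloak.common.util.PathMatcher;

    @Test
    public void matches() throws Exception {
        // Minimal PathMatcher over map entries: key = URI template, value = resource name.
        PathMatcher<Map.Entry<String, String>> pathMatcher = new PathMatcher<Map.Entry<String, String>>() {
            @Override
            protected String getPath(Map.Entry<String, String> entry) {
                return entry.getKey();
            }

            @Override
            protected Collection<Map.Entry<String, String>> getPaths() {
                Map<String, String> result = new HashMap<>();
                result.put("/api/{employee}/*", "employee resource");
                return result.entrySet();
            }
        };

        // The concrete path should resolve to the templated resource.
        Map.Entry<String, String> matches = pathMatcher.matches("/api/alice");
        assertNotNull(matches);
        assertEquals("employee resource", matches.getValue());
    }
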
So the matchingUri param should be set to true, and then the resource is found:

    curl -H "Authorization: Bearer $access_token" \
      "$SRV/authz/protection/resource_set?matchingUri=true&uri=%2Fapi%2Falice"
    ["deed8ae3-41a9-4781-b6c7-cb297516c2c6"]

regards,
Milan
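
The lookup order described in the message above, as an added Python model that is not part of the original post and is not Keycloak's code: an exact URI comparison first, then a template search over every resource only when nothing was found and matchingUri is set. The template rules (`{name}` is one path segment, a trailing `/*` is an optional sub-path), the function names and the second resource entry are assumptions for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed sample of one client's resources: id -> registered URI.
# The first id is the one returned in the post; the second entry is made up.
RESOURCES = {
    "deed8ae3-41a9-4781-b6c7-cb297516c2c6": "/api/{employee}/*",
    "00000000-0000-0000-0000-000000000001": "/api/admin",
}


def template_to_regex(template):
    """Compile a URI template to a regex (assumed, simplified rules):
    {name} matches one non-empty path segment, and a trailing /* matches
    either nothing or any sub-path."""
    wildcard = template.endswith("/*")
    body = template[:-2] if wildcard else template
    # re.split with a capture group puts the placeholders at odd indexes.
    parts = re.split(r"(\{[^/{}]+\})", body)
    pattern = "".join(
        "[^/]+" if i % 2 else re.escape(part) for i, part in enumerate(parts)
    )
    return re.compile(pattern + ("(?:/.*)?" if wildcard else "") + r"\Z")


def find_resources(uri, matching_uri=False, resources=RESOURCES):
    """Model of the two-stage lookup: exact URI comparison first; the
    template search runs only when nothing was found and the flag is set."""
    exact = [rid for rid, registered in resources.items() if registered == uri]
    if exact or not matching_uri:
        return exact
    return [
        rid for rid, registered in resources.items()
        if template_to_regex(registered).match(uri)
    ]


def resource_set_query(uri, matching_uri=False):
    """Query string for the resource_set call shown in the post."""
    params = {"matchingUri": "true", "uri": uri} if matching_uri else {"uri": uri}
    return urlencode(params)


if __name__ == "__main__":
    for path in ("/api/alice", "/api/alice/reports", "/api/admin/x", "/api"):
        print(path, find_resources(path), find_resources(path, matching_uri=True))
    print(resource_set_query("/api/alice", matching_uri=True))
```

In this model a path such as /api/admin/x has no exact entry, so with the flag set it resolves to the wildcard employee resource; that is the kind of overlap worth checking when templated and fixed URIs share a prefix.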