[keycloak-user] Advanced authorization

Melissa Palmer melissa.palmer at gmail.com
Fri Oct 26 02:21:26 EDT 2018


Thanks Pedro

I had figured that out before your email and tried it, unfortunately I am
always getting a null for the resource, any pointers on that one?
- I don't know how to debug this, any pointers

[image: image.png]

*CODE in JS PERMISSION*
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();

var anotherStatus = attributes.getValue('status');

if (anotherStatus.equals('APPROVED')) {
    $evaluation.grant();
}


*ERROR*
Caused by: java.lang.RuntimeException: Error evaluating JS Policy [Album Resource status.APPROVED].
        at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:56)
        at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51)
        at java.lang.Iterable.forEach(Iterable.java:75)
        at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
        at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43)
        at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52)
        at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107)
        at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:939)
        at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:863)
        at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:390)
        at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:75)
        at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:59)
        ... 75 more
Caused by: java.lang.RuntimeException: javax.script.ScriptException: TypeError: null is not a function in <eval> at line number 5
        at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:47)
        at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:53)
        ... 86 more
Caused by: javax.script.ScriptException: TypeError: null is not a function in <eval> at line number 5
        at jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:467)
        at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:423)
        at jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73)
        at jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:511)
        at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:45)
        ... 87 more
Caused by: <eval>:5 TypeError: null is not a function
        at jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57)
        at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:213)
        at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:185)
        at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:172)
        at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.linkNull(NashornBottomLinker.java:177)
        at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.getGuardedInvocation(NashornBottomLinker.java:66)
        at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
        at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154)
        at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253)
        at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(<eval>:5)
        at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637)
        at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494)
        at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393)
        at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:418)
        ... 90 more

On Thu, 25 Oct 2018 at 21:12, Pedro Igor Silva <psilva at redhat.com> wrote:

> You can check both the Evaluation API[1] and JS Policy[2] documentation.
> I'll update docs with some examples of fetching resources/scopes and
> attributes from JS policies, meanwhile here it is:
>
> var permission = $evaluation.getPermission();
> var resource = permission.getResource();
> var attributes = resource.getAttributes();
>
> For more information about methods that you can use to fetch attributes,
> check
> https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c683c134c2/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java#L157
> .
>
> Regards.
> Pedro Igor
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_api
> [2]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>
> On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer <melissa.palmer at gmail.com>
> wrote:
>
>>
>> Hi Pedro,
>>
>> How do I get at the resource (and its attributes) via the JS policy?
>> I have tried these, but they are not working:
>> var resource = context.getResource();
>> var resource = $evaluation.getResource();
>>
>> Thanks
>> Melissa
>>
>>
>>
>> On Wed, 24 Oct 2018 at 15:56, Melissa Palmer <melissa.palmer at gmail.com>
>> wrote:
>>
>>> Ok thank you, yes I have seen the Rest API
>>> hadn't really thought I needed to use the API for this. What are you
>>> thinking?
>>>
>>> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>
>>> Yeah, I think so. I need to document this ... But we also expose
>>> endpoints in Admin REST API which you could use to manage these
>>> permissions/policies from your app.
>>>
>>> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <
>>> melissa.palmer at gmail.com> wrote:
>>>
>>>> Thanks Pedro, I will take a closer look.
>>>> Yes I'll put the workflow in the app. But we do want to manage the
>>>> permissions in Keycloak.
>>>>
>>>> I tried to align with the QuickStart to explain. But it's not
>>>> necessarily on resources that I own that I want to do this. For example it
>>>> could be against adding products in an ecommerce app, or transactions for
>>>> a company.
>>>>
>>>> It sounds like I should rather use the non
>>>> UMA example to try this against. Would that be better?
>>>>
>>>> Thanks
>>>> Melissa
>>>>
>>>>
>>>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>
>>>> Hi Melissa,
>>>>
>>>> I don't think this is very different than what we have in the
>>>> quickstart you mentioned.
>>>>
>>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <
>>>> melissa.palmer at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to do something similar to the following:
>>>>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>>>>> includes a status attribute against it.
>>>>> - status such as: CREATED, APPROVED, DECLINED,
>>>>>
>>>>
>>>> You probably noticed that resources in Keycloak have attributes, so you
>>>> could set a "status" accordingly. You should be able to write JS policies
>>>> that can access any attribute associated with a resource.
>>>>
>>>>
>>>>> - a person can then be given a role that allows for permissions (via a
>>>>> role) such as
>>>>>
>>>>>    - album:create
>>>>>    - album:approve
>>>>>    - album:decline
>>>>>
>>>>
>>>> If you have different authorization requirements for each scope, you
>>>> can create a scope-based permission for each scope. Otherwise, a single
>>>> scope-based permission can manage access for all of them.
>>>>
>>>>
>>>>>
>>>>> - BUT a person is not allowed to approve any albums they created
>>>>> themselves
>>>>>
>>>>
>>>> I would create a scope-based permission specific to album:approve and
>>>> associate it with a JS policy that denies access to the resource owner
>>>> (considering the owner is the person that created the resource).
>>>>
>>>>
>>>>>
>>>>> Is there a keycloak-quickstarts/example I can start from?
>>>>> Or a recommended way I should attempt to tackle this?
>>>>>
>>>>
>>>> It is worth highlighting that when using UMA and, especially, the "My
>>>> Resources" page in the Account Service, resource owners are always allowed
>>>> to manage their resources. It seems you are more interested in a workflow
>>>> that does not really fit this functionality in particular. I think you
>>>> would need to manage this workflow from your app based on the permissions
>>>> you have in Keycloak.
>>>>
>>>>
>>>>>
>>>>> Thank You in advance,
>>>>> Melissa
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 52669 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181026/ab364010/attachment-0001.png 
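An added example, not code from this thread and not Keycloak's own code, showing one way to write the JS policy for the album:approve scope permission Pedro describes. Line 5 of the failing script above is `attributes.getValue('status')`; `Resource.getAttributes()` returns a `java.util.Map<String, List<String>>`, which has `get` but no `getValue`, and Nashorn reports a call on a missing member of a Java object as "null is not a function". The example therefore reads the attribute as a list and also guards against the resource itself being null, which happens when a scope-based permission is evaluated without a resource attached. Only `approvePolicy` corresponds to what would be pasted into the policy editor (where `$evaluation` is the global); `javaList`, `javaMap`, `makeResource`, `makeEvaluation` and `runScenarios` are constructed stand-ins so the file runs under Node, and the rule that an album can be approved only while its status is CREATED, and never by its owner, is an assumption about the workflow.

```javascript
// Added example (not from the thread and not Keycloak's own code).
// approvePolicy() holds the policy body; everything after it is a constructed
// stand-in for the parts of the Keycloak Evaluation API the body touches.

// --- policy body: paste this (without the function wrapper) into the JS policy ---
function approvePolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var status = null;

  // A scope-based permission can be evaluated with no resource attached,
  // so never dereference the resource before checking it.
  if (resource !== null && resource !== undefined) {
    // Resource.getAttributes() is a Map<String, List<String>>: each attribute
    // holds a list of values, and Map has get(), not getValue().
    var statusValues = resource.getAttributes().get('status');
    if (statusValues !== null && statusValues !== undefined && statusValues.size() > 0) {
      status = String(statusValues.get(0));
    }
  }

  // Assumed workflow rule: an album can be approved only while it is still
  // CREATED, and never by the identity that owns it.
  if (status === 'CREATED') {
    var requester = String($evaluation.getContext().getIdentity().getId());
    var owner = String(resource.getOwner());
    if (requester !== owner) {
      $evaluation.grant();
    } else {
      $evaluation.deny();
    }
  } else {
    $evaluation.deny();
  }
}

// --- constructed stand-ins so the policy runs under Node (not the real API) ---
function javaList(values) {                 // mimics java.util.List as seen from Nashorn
  return {
    size: function () { return values.length; },
    get: function (i) { return values[i]; }
  };
}

function javaMap(obj) {                     // mimics Map<String, List<String>>; missing key -> null
  return {
    get: function (key) {
      return Object.prototype.hasOwnProperty.call(obj, key) ? javaList(obj[key]) : null;
    }
  };
}

function makeResource(ownerId, attrs) {     // stand-in for the Keycloak Resource model object
  return {
    getOwner: function () { return ownerId; },
    getAttributes: function () { return javaMap(attrs); }
  };
}

function makeEvaluation(resource, requesterId) {  // stand-in for $evaluation; records the decision
  var outcome = 'NO DECISION';
  return {
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return requesterId; } }; } };
    },
    grant: function () { outcome = 'GRANT'; },
    deny: function () { outcome = 'DENY'; },
    outcome: function () { return outcome; }
  };
}

// Run the policy over the cases the thread cares about (all data constructed).
function runScenarios() {
  var pending = makeResource('user-alice', { status: ['CREATED'] });
  var cases = {
    reviewerOnPending:  makeEvaluation(pending, 'user-bob'),
    ownerOnPending:     makeEvaluation(pending, 'user-alice'),
    reviewerOnApproved: makeEvaluation(makeResource('user-alice', { status: ['APPROVED'] }), 'user-bob'),
    missingStatus:      makeEvaluation(makeResource('user-alice', {}), 'user-bob'),
    noResource:         makeEvaluation(null, 'user-bob')
  };
  var results = {};
  Object.keys(cases).forEach(function (name) {
    approvePolicy(cases[name]);
    results[name] = cases[name].outcome();
  });
  return results;
}

console.log(runScenarios());
```

The body is written as an if/else chain rather than with early returns so that it stays valid when pasted as top-level script code into the policy editor. Every path that cannot establish both a usable resource and a readable status ends in `$evaluation.deny()`, so a missing attribute or a scope-only evaluation fails closed instead of throwing.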

