[keycloak-user] Advanced authorization
Melissa Palmer
melissa.palmer at gmail.com
Fri Oct 26 04:13:15 EDT 2018
Ok, I figured it out; it needs to be:
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();
var anotherStatus = attributes.get('status');
On Fri, 26 Oct 2018 at 08:21, Melissa Palmer <melissa.palmer at gmail.com>
wrote:
> Thanks Pedro
>
> I had figured that out before your email and tried it; unfortunately I am
> always getting a null for the resource. Any pointers on that one?
> I don't know how to debug this, any pointers?
>
> *CODE in JS PERMISSION*
> var permission = $evaluation.getPermission();
> var resource = permission.getResource();
> var attributes = resource.getAttributes();
>
> var anotherStatus = attributes.getValue('status');
>
> if (anotherStatus.equals('APPROVED')) {
> $evaluation.grant();
> }
>
>
> *ERROR*
> Caused by: java.lang.RuntimeException: Error evaluating JS Policy [Album Resource status.APPROVED].
> at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:56)
> at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51)
> at java.lang.Iterable.forEach(Iterable.java:75)
> at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
> at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43)
> at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52)
> at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107)
> at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:939)
> at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:863)
> at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:390)
> at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:75)
> at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:59)
> ... 75 more
> Caused by: java.lang.RuntimeException: javax.script.ScriptException: TypeError: null is not a function in <eval> at line number 5
> at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:47)
> at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:53)
> ... 86 more
> Caused by: javax.script.ScriptException: TypeError: null is not a function in <eval> at line number 5
> at jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:467)
> at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:423)
> at jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73)
> at jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:511)
> at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:45)
> ... 87 more
> Caused by: <eval>:5 TypeError: null is not a function
> at jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57)
> at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:213)
> at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:185)
> at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:172)
> at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.linkNull(NashornBottomLinker.java:177)
> at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.getGuardedInvocation(NashornBottomLinker.java:66)
> at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
> at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154)
> at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253)
> at jdk.nashorn.internal.scripts.Script$^eval_.:program(<eval>:5)
> at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637)
> at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494)
> at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393)
> at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:418)
> ... 90 more
>
> On Thu, 25 Oct 2018 at 21:12, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> You can check both the Evaluation API[1] and JS Policy[2] documentation.
>> I'll update docs with some examples of fetching resources/scopes and
>> attributes from JS policies, meanwhile here it is:
>>
>> var permission = $evaluation.getPermission();
>> var resource = permission.getResource();
>> var attributes = resource.getAttributes();
>>
>> For more information about methods that you can use to fetch attributes,
>> check
>> https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c683c134c2/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java#L157
>> .
>>
>> Regards.
>> Pedro Igor
>>
>> [1]
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_api
>> [2]
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>
>> On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer <melissa.palmer at gmail.com>
>> wrote:
>>
>>>
>>> Hi Pedro,
>>>
>>> How do I get at the resource (and its attributes) via the JS policy?
>>> I have tried the following, but it's not working.
>>> var resource = context.getResource();
>>> var resource = $evaluation.getResource();
>>>
>>> Thanks
>>> Melissa
>>>
>>>
>>>
>>> On Wed, 24 Oct 2018 at 15:56, Melissa Palmer <melissa.palmer at gmail.com>
>>> wrote:
>>>
>>>> Ok, thank you. Yes, I have seen the REST API; I
>>>> hadn't really thought I needed to use the API for this. What are you
>>>> thinking?
>>>>
>>>> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>
>>>> Yeah, I think so. I need to document this ... But we also expose
>>>> endpoints in the Admin REST API which you could use to manage these
>>>> permissions/policies from your app.
>>>>
>>>> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <
>>>> melissa.palmer at gmail.com> wrote:
>>>>
>>>>> Thanks Pedro, I will take a closer look.
>>>>> Yes, I'll put the workflow in the app. But we do want to manage the
>>>>> permissions in Keycloak.
>>>>>
>>>>> I tried to align with the quickstart to explain. But it's not
>>>>> necessarily on resources that I own that I want to do this. For example, it
>>>>> could be against adding products in an ecommerce app, or transactions for
>>>>> a company.
>>>>>
>>>>> It sounds like I should rather use the non-UMA
>>>>> example to try this against. Would that be better?
>>>>>
>>>>> Thanks
>>>>> Melissa
>>>>>
>>>>>
>>>>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>> Hi Melissa,
>>>>>
>>>>> I don't think this is very different than what we have in the
>>>>> quickstart you mentioned.
>>>>>
>>>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <
>>>>> melissa.palmer at gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to do something similar to the following:
>>>>>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>>>>>> includes a status attribute against it.
>>>>>> - status such as: CREATED, APPROVED, DECLINED,
>>>>>>
>>>>>
>>>>> You probably noticed that resources in Keycloak have attributes, so
>>>>> you could set a "status" accordingly. You should be able to write JS
>>>>> policies that can access any attribute associated with a resource.
>>>>>
>>>>>
>>>>>> - a person can then be given a role that allows for permissions (via a
>>>>>> role) such as
>>>>>>
>>>>>> - album:create
>>>>>> - album:approve
>>>>>> - album:decline
>>>>>>
>>>>>
>>>>> If you have different authorization requirements for each scope, you
>>>>> can create a scope-based permission for each scope. Otherwise, a single
>>>>> scope-permission managing access for all of them.
>>>>>
>>>>>
>>>>>>
>>>>>> - BUT a person is not allowed to approve any albums they created
>>>>>> themselves
>>>>>>
>>>>>
>>>>> I would create a scope-permission specific for album:approve and
>>>>> associate it with a JS policy that denies access to the resource owner
>>>>> (considering the owner is the person that created the resource).
>>>>>
>>>>>
>>>>>>
>>>>>> Is there a keycloak-quickstarts/example I can start from?
>>>>>> Or a recommended way I should attempt to tackle this?
>>>>>>
>>>>>
>>>>> It is worth highlighting that when using UMA and, especially, the "My
>>>>> Resources" page in the Account Service, resource owners are always allowed
>>>>> to manage their resources. It seems you are more interested in a workflow
>>>>> that does not really fit this functionality in particular. I think you
>>>>> would need to manage this workflow from your app based on the permissions
>>>>> you have in Keycloak.
>>>>>
>>>>>
>>>>>>
>>>>>> Thank You in advance,
>>>>>> Melissa
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
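The following is an added example, not code from this thread or from the Keycloak project. It puts together the two things discussed above: reading a resource attribute from a JS policy (Melissa's working `getAttributes().get('status')` form, where `getAttributes()` returns a Java `Map<String, List<String>>`) and Pedro's suggestion of a scope-based permission on `album:approve` whose JS policy denies the resource owner. Part 1 is the policy body, written in ES5 so it runs under Nashorn; only the constant and the body of `albumApprovePolicy` would go into the Keycloak policy editor, where `$evaluation` is injected by the server (`getPermission`, `getResource`, `getAttributes`, `getOwner`, `getContext`, `getIdentity`, `getId`, `grant`, `deny` are the Evaluation API methods the thread links to). Part 2 is a constructed stand-in for `$evaluation`, with made-up user ids and albums, so the policy can be exercised in Node.js; it mimics only the Java `Map`/`List` methods the policy calls. The null guard at the top is the practical lesson from the stack trace: a method call on a null resource raises a `TypeError` inside the script engine, and a policy that crashes is better replaced by one that fails closed.

```javascript
// Added example, not code from the thread or the Keycloak project.
// Part 1: Keycloak JS policy body (ES5 / Nashorn-compatible) for a
//         scope-based permission on "album:approve".
// Part 2: constructed stand-in for the injected $evaluation object so the
//         policy can be run and checked outside Keycloak (Node.js).

// ---- Part 1: policy body -------------------------------------------------
// The thread's policy grants on status "APPROVED"; an approval step would
// more likely gate on the pre-approval status (e.g. "CREATED"). Adjust here.
var REQUIRED_STATUS = 'APPROVED';

function albumApprovePolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var identity = $evaluation.getContext().getIdentity();

  if (resource === null || resource === undefined) {
    // Scope-only permissions carry no resource. The TypeError in the thread
    // came from calling a method on null, so fail closed instead of crashing.
    $evaluation.deny();
  } else {
    // getAttributes() is a Map<String, List<String>>; a missing key is null.
    var status = resource.getAttributes().get('status');
    if (status === null || status === undefined || !status.contains(REQUIRED_STATUS)) {
      $evaluation.deny();
    } else if (resource.getOwner() === identity.getId()) {
      // Separation of duties: the creator (owner) never approves their own album.
      $evaluation.deny();
    } else {
      $evaluation.grant();
    }
  }
}

// ---- Part 2: constructed stand-in for the Evaluation API (test harness) ---
// Nashorn hands the policy real java.util.Map/List objects; these classes
// mimic only the methods the policy calls.
function JavaList(items) { this.items = items; }
JavaList.prototype.contains = function (x) { return this.items.indexOf(x) !== -1; };
JavaList.prototype.get = function (i) { return this.items[i]; };
JavaList.prototype.size = function () { return this.items.length; };

function JavaMap(obj) { this.obj = obj; }
JavaMap.prototype.get = function (key) {
  return Object.prototype.hasOwnProperty.call(this.obj, key) ? new JavaList(this.obj[key]) : null;
};

// opts.resource: { owner: <user id>, attributes: { name: [values] } } or null
// opts.identityId: id of the user requesting "album:approve"
function makeEvaluation(opts) {
  var decision = null; // Keycloak treats "no decision" as DENY
  var resource = opts.resource === null ? null : {
    getOwner: function () { return opts.resource.owner; },
    getAttributes: function () { return new JavaMap(opts.resource.attributes); }
  };
  return {
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return opts.identityId; } }; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision === null ? 'DENY' : decision; }
  };
}

// Runs the policy against one constructed situation and returns the outcome.
function decide(opts) {
  var ev = makeEvaluation(opts);
  albumApprovePolicy(ev);
  return ev.decision();
}

// Constructed sample data (user ids and albums are made up).
var approvedAlbum = { owner: 'user-alice', attributes: { status: ['APPROVED'] } };
var pendingAlbum  = { owner: 'user-alice', attributes: { status: ['CREATED'] } };
var untaggedAlbum = { owner: 'user-alice', attributes: {} };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('bob approves approved album  :', decide({ resource: approvedAlbum, identityId: 'user-bob' }));
  console.log('alice approves her own album :', decide({ resource: approvedAlbum, identityId: 'user-alice' }));
  console.log('bob approves pending album   :', decide({ resource: pendingAlbum, identityId: 'user-bob' }));
  console.log('bob, album without status    :', decide({ resource: untaggedAlbum, identityId: 'user-bob' }));
  console.log('bob, scope-only permission   :', decide({ resource: null, identityId: 'user-bob' }));
}
```

Two points worth keeping in mind when moving this into Keycloak: the comparison uses `===` rather than `.equals()` because Nashorn exposes Java strings as JavaScript strings, and the explicit `deny()` branches are there for readability only, since a JS policy that never calls `grant()` already evaluates to DENY.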