[keycloak-user] Authorization Policy evaluation for specific REST method (verb)

Ori Doolman Ori.Doolman at amdocs.com
Thu Sep 27 13:26:05 EDT 2018


Hello,

We're using authorization services and Keycloak 2.5.X.
We want to have different policies for a REST endpoint with different verbs (GET, PUT).
We have everything configured at the Keycloak server side (PDP), through the web admin UI. We don't use the Policy Enforcer JSON configuration.

We have configured:

  *   Permission P1 for Resource X (URL X) and scope 'GET' mapped to Policy 'POLICY-1'.
  *   Permission P2 for Resource X (URL X) and scope 'PUT' mapped to Policy 'POLICY-2'.

What we see is that both policies are BEING evaluated, while we expected only one of them to be, according to the actual HTTP verb provided at runtime.
By reading the source code, we understand that because we don't use the policy enforcer adapter configuration (JSON file at client side), the list of required scopes sent with the permission request is empty and therefore all the scopes associated with the resource and permission are being evaluated.

We could work around this by utilizing the policy enforcer configuration file, but we would really like to do the configuration in a single place at the server side (we have many clients and microservices).

My questions are the following:

  1.  Is there any way to enforce evaluation of only one of the permissions above (the one according to the relevant scope/verb)?
      Or maybe it was changed in a later version?
      I see that the code of getRequiredScopes is different (adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java).

  2.  Why are there different configuration capabilities in the Admin UI (server side) and the Policy Enforcer adapter JSON file (client side)?
      In the latter, we can configure the "method" like PUT/GET/POST/DELETE for the match, while if we use the server side configuration, we lack the ability to match the method per URL.
      Again, is that something that was changed in a later version?



Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)
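For reference, an added example (not part of the original mail and not the Keycloak project's own file) of the client-side policy-enforcer configuration the post refers to: with a `methods` entry per path, the adapter sends only the scope that matches the HTTP verb of the incoming request, so only the matching permission (P1 for GET, P2 for PUT) is evaluated. The path `/api/x`, the resource name and the realm/client/secret placeholders are assumptions.

```json
{
  "realm": "REALM-PLACEHOLDER",
  "auth-server-url": "https://keycloak.example.invalid/auth",
  "resource": "CLIENT-ID-PLACEHOLDER",
  "credentials": { "secret": "CLIENT-SECRET-PLACEHOLDER" },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "Resource X",
        "path": "/api/x",
        "methods": [
          { "method": "GET", "scopes": ["GET"] },
          { "method": "PUT", "scopes": ["PUT"] }
        ]
      }
    ]
  }
}
```

The `name` must match the resource name registered on the server side, and the scope names must match the scopes attached to permissions P1 and P2 there.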



