[keycloak-user] Fine Authorization on User Account Service
Nikola Malenic
nikola.malenic at netsetglobal.rs
Mon Jan 14 13:19:09 EST 2019
I am trying to disable access to the account service for all users by using a
JS policy (I have a reason for this).
What I tried is to put just $evaluation.deny(); in the body of the
policy, to restrict access for all users.
In the Evaluate tab I can see that this policy denies access, but when I
open the account service application in a browser I am still granted access.
Does anyone have an idea what could be wrong?
Here is my Authorization config exported:
{
"allowRemoteResourceManagement": false,
"policyEnforcementMode": "ENFORCING",
"resources": [
{
"name": "account_resource",
"type": "urn:account:resources:accountresource",
"ownerManagedAccess": false,
"displayName": "account_resource",
"attributes": {},
"_id": "778c2a62-4415-4cf1-a057-a60f0beeb0a4",
"uris": [
"/*"
]
}
],
"policies": [
{
"id": "4de5145d-4d34-411f-9b2a-d99cc361a08c",
"name": "auth_method_policy",
"description": "Policy based on authentication method used",
"type": "js",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"code": "// var context = $evaluation.getContext();\r\n// var
identity = context.getIdentity();\r\n// var attributes =
identity.getAttributes();\r\n\r\n// if
(attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpas
s')) {\r\n// $evaluation.deny();\r\n// } else {\r\n//
$evaluation.deny();\r\n// }\r\n"
}
},
{
"id": "e2567a26-aa46-4f0f-aba7-421e35b90615",
"name": "auth_based_permission",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"account_resource\"]",
"applyPolicies": "[\"auth_method_policy\"]"
}
}
],
"scopes": []
}