[keycloak-user] Fine Authorization on User Account Service

[Nikola Malenic]

I am trying to disable access to the account service to all users by using
js policy (I have a reason for this).

So what I tried is to put just $evaluation.deny(); in the body of the
policy, to restrict access to all users.

In Evaluate tab I can see that this policy is denying access but when I
access account service application via browser I get access.

 

Anyone has an idea what could be wrong?

 

Here is my  Authorization config exported:

{

  "allowRemoteResourceManagement": false,

  "policyEnforcementMode": "ENFORCING",

  "resources": [

    {

      "name": "account_resource",

      "type": "urn:account:resources:accountresource",

      "ownerManagedAccess": false,

      "displayName": "account_resource",

      "attributes": {},

      "_id": "778c2a62-4415-4cf1-a057-a60f0beeb0a4",

      "uris": [

        "/*"

      ]

    }

  ],

  "policies": [

    {

      "id": "4de5145d-4d34-411f-9b2a-d99cc361a08c",

      "name": "auth_method_policy",

      "description": "Policy based on authentication method used",

      "type": "js",

      "logic": "POSITIVE",

      "decisionStrategy": "UNANIMOUS",

      "config": {

        "code": "// var context = $evaluation.getContext();\r\n// var
identity = context.getIdentity();\r\n// var attributes =
identity.getAttributes();\r\n\r\n// if
(attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpas
s')) {\r\n//     $evaluation.deny();\r\n// } else {\r\n//
$evaluation.deny();\r\n// }\r\n"

      }

    },

    {

      "id": "e2567a26-aa46-4f0f-aba7-421e35b90615",

      "name": "auth_based_permission",

      "type": "resource",

      "logic": "POSITIVE",

      "decisionStrategy": "UNANIMOUS",

      "config": {

        "resources": "[\"account_resource\"]",

        "applyPolicies": "[\"auth_method_policy\"]"

      }

    }

  ],

  "scopes": []

}