Hello Pedro,
Thank you for your quick reply,
For the user's attributes, I have access to 'general' attributes like email, but not the
'custom' one. (My users are loaded from a home-made SPI, if that's relevant.)
Any hint on how I can debug why my other user attributes are not there?
For the group, can you think of a workaround so that I can base my access decision on the
group?
Are the limitations for JavaScript only? Maybe writing a Drools rule would do?
Many thanks,
Nicolas.
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, 17 July 2018 17:06
To: Nicolas Gillet <nicolas.gillet(a)market-ip.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] ABAC policy, attributes not available
You should be able to obtain any attribute defined to the user.
But regarding group attributes from the resource instance, it won't work because this
functionality is not exposing group's attributes via the resource instance.
There are other things we need to improve in this functionality of fine-grained
permissions to admin console. There are a few things missing or too complicated to be done
...
On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet <nicolas.gillet@market-ip.com> wrote:
Hello
I am trying to write a JavaScript Attribute Based Access Control (ABAC) policy.
I want to control the access to a group resource using the authenticated user's
attributes and the attributes configured on the group.
So I configured the policy via Groups > myGroup > Permissions > view-members and
selected my JavaScript policy.
Problem: in the script, neither my identity nor my group attributes are available.
Here is my script:
var context = $evaluation.getContext();
var resourcePermission = $evaluation.getPermission();
var identity = context.getIdentity();          // the authenticated user
var idAttributes = identity.getAttributes();   // user attributes
var ctxAttributes = context.getAttributes();   // request context attributes
var resource = resourcePermission.getResource(); // the protected resource (the group)
print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
print('resource.getAttributes: ' + resource.getAttributes); // method reference, not a call
$evaluation.grant();
When I use the API endpoint as follows:
http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
It triggers the script and prints the following in the WildFly console:
15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined
So my custom attribute is null. And worse, the resource does not even seem to have a
getAttributes() method at all?!
I triple checked: my user has the custom attribute "CUSTOM_PROP" defined with
value "test" and my group has attributes as well.
The documentation says the resource I retrieve that way should be an instance of
org.keycloak.authorization.model.Resource
which, according to the javadoc, must define a getAttributes() method. However it's
... undefined?!
The keycloak version I use is 4.0.0.
Can anyone help me find what's wrong with my script?
Many thanks,
Nicolas GILLET
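As an added example (not code from the thread), here is how such a check can be written with the method calls the thread discusses: the identity attribute is read through Attributes.getValue() and the resource attributes through Resource.getAttributes() called as a method, with a default-deny stance when either side is missing. Keycloak supplies $evaluation itself; the makeEvaluation() stand-in below is constructed so the policy body can be run and tested outside Keycloak, and the attribute names 'department' and 'allowed_departments' are assumptions. Per Pedro's reply, group attributes are not exposed on the resource for the admin-console permissions, so this assumes a resource type that does carry attributes.

```javascript
// Added example, not code from the thread. ES5 so it also runs under Nashorn. Method names
// follow the Keycloak API cited in the thread: Attributes.getValue() -> Entry with
// isEmpty()/asString(i); Resource.getAttributes() -> Map<String, List<String>>.
function evaluatePolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();
  // getValue() returns null when the user lacks the attribute: deny, don't grant blindly.
  var deptEntry = identity.getAttributes().getValue('department');   // assumed attribute name
  if (deptEntry == null || deptEntry.isEmpty()) {
    $evaluation.deny();
    return 'deny: no department attribute';
  }
  var dept = String(deptEntry.asString(0));   // String() copes with java.lang.String under Nashorn
  // getAttributes() is a method call (note the parentheses); Map.get() yields null if unset.
  var allowed = resource.getAttributes().get('allowed_departments'); // assumed attribute name
  if (allowed == null) {
    $evaluation.deny();
    return 'deny: resource has no allowed_departments';
  }
  for (var i = 0; i < allowed.size(); i++) {      // java.util.List: size()/get(i)
    if (String(allowed.get(i)) === dept) {
      $evaluation.grant();
      return 'grant';
    }
  }
  $evaluation.deny();
  return 'deny: department not allowed';
}

// Constructed stand-in for $evaluation; only the methods the policy uses are mimicked.
function makeEvaluation(userAttrs, resourceAttrs) {
  var decision = null;
  function entry(v) { return { isEmpty: function () { return v.length === 0; },
                               asString: function (i) { return v[i]; } }; }
  function list(v) { return { size: function () { return v.length; },
                              get: function (i) { return v[i]; } }; }
  function lookup(table, wrap) {
    return { getValue: function (n) { return n in table ? wrap(table[n]) : null; },
             get: function (n) { return n in table ? wrap(table[n]) : null; } };
  }
  return {
    getContext: function () { return { getIdentity: function () {
      return { getAttributes: function () { return lookup(userAttrs, entry); } }; } }; },
    getPermission: function () { return { getResource: function () {
      return { getAttributes: function () { return lookup(resourceAttrs, list); } }; } }; },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}
```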
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user