It depends on how you are sending the authorization requests. If you
request permissions to a resource, permissions associated with the resource
and any associated scope will be evaluated. However, if you only send an
authorization request for a particular scope, only permissions (and
associated policies) associated with that scope are evaluated.
On Tue, Feb 5, 2019 at 7:19 AM Alexey Titorenko <titorenko(a)dtg.technology>
wrote:
Hello guys!
Could you please help me with understanding how policies are evaluated?
I have a REST service with several operations. Each of them is protected by
a corresponding scope (create, view, update, delete, list). For each of these
scopes I defined a scope-based permission which controls access to its scope.
All of the permissions have just one ‘Default’ policy, which grants access
to any user. A ‘delete’ permission in addition has a JavaScript-based
policy which checks if the caller is the author of the document. So, only one
permission is configured to evaluate the ‘Author’ policy.
I expect, that ‘Author’ policy will only be evaluated, when ‘delete’
operation on service is called. But I see, that it is evaluated each time
ANY operation is called.
So, if all policies are evaluated for each call, then what is a purpose of
specifying policies in permissions? What is a right way to use policies
then?
Thank you,
Alexey.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
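Added illustration (not Keycloak's code and not from either poster): a small model of the rule stated in the reply, run against the setup from the question. A resource-level request evaluates every permission attached to the resource or any of its scopes, so the ‘Author’ policy runs on every call; a scope-level request evaluates only the permissions attached to that scope. It also builds the `permission` value (RESOURCE#SCOPE form, or `#SCOPE` for scope only) and the UMA ticket form body for the token endpoint, without sending anything. The resource name, permission names and the Unanimous decision strategy (Keycloak's default) are assumptions.

```python
"""Model of which policies are evaluated for a resource-level versus a
scope-level authorization request.

Added illustration, not Keycloak's code: it encodes the rule from the reply
(a request for a resource evaluates every permission attached to the resource
or any of its scopes; a request for a single scope evaluates only permissions
attached to that scope) against the question's setup. Resource name,
permission names and the Unanimous decision strategy are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Context:
    user: str    # caller
    author: str  # author of the document being accessed


@dataclass(frozen=True)
class Resource:
    name: str
    scopes: FrozenSet[str]


@dataclass(frozen=True)
class Permission:
    name: str
    scopes: FrozenSet[str]     # scope-based permission: the scopes it guards
    policies: Tuple[str, ...]  # all must grant (Unanimous decision strategy)


# Policies from the question: 'Default' grants everyone, 'Author' only the author.
POLICIES: Dict[str, Callable[[Context], bool]] = {
    "Default": lambda ctx: True,
    "Author": lambda ctx: ctx.user == ctx.author,
}

# Constructed resource with the five scopes named in the question.
DOCUMENT = Resource("document", frozenset({"create", "view", "update", "delete", "list"}))

# One scope-based permission per scope; only 'delete' also carries 'Author'.
PERMISSIONS: List[Permission] = [
    Permission("create-permission", frozenset({"create"}), ("Default",)),
    Permission("view-permission", frozenset({"view"}), ("Default",)),
    Permission("update-permission", frozenset({"update"}), ("Default",)),
    Permission("delete-permission", frozenset({"delete"}), ("Default", "Author")),
    Permission("list-permission", frozenset({"list"}), ("Default",)),
]


def permission_param(resource: Optional[str] = None, scopes: Sequence[str] = ()) -> str:
    """Build the `permission` value of a UMA token request: RESOURCE#SCOPE,SCOPE.
    A bare resource asks for the whole resource; '#scope' asks for a scope only."""
    if resource is None and not scopes:
        raise ValueError("need a resource, scopes, or both")
    return f"{resource or ''}#{','.join(scopes)}" if scopes else resource


def token_request_form(client_id: str, permission: str) -> Dict[str, str]:
    """Form body for POST /realms/{realm}/protocol/openid-connect/token, sent
    with the requesting party's access token as Bearer. Not sent here."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": client_id,
        "permission": permission,
        "response_mode": "decision",
    }


def evaluate(resource: Resource, requested_scopes: Sequence[str],
             ctx: Context) -> Tuple[Set[str], List[str]]:
    """Return (granted scopes, names of the policies evaluated, in order).
    An empty `requested_scopes` means a resource-level request."""
    target = resource.scopes if not requested_scopes else frozenset(requested_scopes) & resource.scopes
    granted: Set[str] = set()
    evaluated: List[str] = []
    for perm in PERMISSIONS:
        hit = perm.scopes & target
        if not hit:
            continue  # not associated with anything requested: never evaluated
        results = []
        for policy in perm.policies:
            evaluated.append(policy)
            results.append(POLICIES[policy](ctx))
        if all(results):  # Unanimous: every policy must grant
            granted |= hit
    return granted, evaluated


if __name__ == "__main__":
    caller = Context(user="bob", author="alice")
    for label, scopes in (("resource-level", ()), ("scope-level 'view'", ("view",))):
        granted, evaluated = evaluate(DOCUMENT, scopes, caller)
        print(f"{label}: permission={permission_param('document', scopes)!r} "
              f"evaluated={evaluated} granted={sorted(granted)}")
```

With a resource-level request the ‘Author’ policy is evaluated (and denies ‘delete’ for a non-author) even when the caller only wanted ‘view’; sending `permission=document#view` evaluates the ‘Default’ policy of the view permission alone.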