Hi,
It should be a bug. I've created
https://issues.jboss.org/browse/KEYCLOAK-8768.
I need to check if we are properly working with sessions when identity is a
service account. Could you add a comment to that JIRA with an example of an
authorization request to the token endpoint?
Thanks.
On Wed, Nov 7, 2018 at 8:29 PM Lamina, Marco <marco.lamina(a)sap.com> wrote:
Hi,
I am using the Protection API to create resources in Keycloak. Some of
those resources are created by service accounts, some by regular users. I
also have a JS policy that grants access to a resource if the given
identity is the resource owner (it was an example from the documentation):
var context = $evaluation.getContext();
var identity = context.getIdentity();
var permission = $evaluation.getPermission();
// grant only when the requested resource exists and the caller is its owner
if (permission.resource !== null && permission.resource.owner == identity.id) {
    $evaluation.grant();
}
The problem is that the policy fails to execute. Using the evaluation tool
in the admin console, it produces the following stack trace:
https://pastebin.com/2XXHQkNf .
The policy works fine for regular users. In addition to that, trying to
list the account’s permissions using the token endpoint (as described in
[1]) fails with a 403.
Am I missing something or is that a bug in Keycloak?
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
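Added example, not part of either message above: the owner-check policy from the quoted post, rewritten as a plain function so it can be exercised offline against a constructed stand-in for Keycloak's $evaluation object, together with the body of a permission-listing request to the token endpoint as described in the Keycloak authorization services documentation the post links. The helper names makeEvaluation, ownerPolicy, buildPermissionRequest and runCases are this example's own; the method names getContext(), getIdentity(), getPermission(), grant(), resource.owner and identity.id follow the posted policy. The "no identity" case is a constructed scenario for testing the guards, not a diagnosis of the stack trace in the thread.

```javascript
// Constructed stand-in for the $evaluation object handed to a Keycloak JS
// policy (hypothetical helper, not Keycloak's own API). Omitting identityId
// models an evaluation where no identity is resolved; hasResource=false
// models a permission without a resource.
function makeEvaluation({ identityId, resourceOwner, hasResource = true } = {}) {
  let granted = false;
  const identity = identityId === undefined ? null : { id: identityId };
  const permission = {
    resource: hasResource ? { owner: resourceOwner } : null,
  };
  return {
    getContext: () => ({ getIdentity: () => identity }),
    getPermission: () => permission,
    grant: () => { granted = true; },
    isGranted: () => granted,
  };
}

// Same decision as the posted policy, with explicit null checks so an
// evaluation without a resource or without an identity is denied instead
// of throwing. Deny by default: grant() is called only on a positive match.
// Returns true when access was granted.
function ownerPolicy($evaluation) {
  const context = $evaluation.getContext();
  const identity = context.getIdentity();
  const permission = $evaluation.getPermission();
  if (identity === null || permission.resource === null) {
    return false;
  }
  if (permission.resource.owner === identity.id) {
    $evaluation.grant();
    return true;
  }
  return false;
}

// Form-encoded body of an authorization request to the token endpoint that
// asks for every permission the bearer of the access token holds for
// `audience` (UMA ticket grant type with response_mode=permissions). The
// access token itself is sent in the Authorization: Bearer header.
function buildPermissionRequest(audience) {
  const params = new URLSearchParams();
  params.set('grant_type', 'urn:ietf:params:oauth:grant-type:uma-ticket');
  params.set('audience', audience);
  params.set('response_mode', 'permissions');
  return params.toString();
}

// Run the policy over constructed cases and return the decisions.
function runCases() {
  return {
    ownerMatches: ownerPolicy(makeEvaluation({ identityId: 'user-1', resourceOwner: 'user-1' })),
    ownerDiffers: ownerPolicy(makeEvaluation({ identityId: 'user-2', resourceOwner: 'user-1' })),
    noResource: ownerPolicy(makeEvaluation({ identityId: 'user-1', hasResource: false })),
    noIdentity: ownerPolicy(makeEvaluation({ resourceOwner: 'user-1' })),
  };
}

console.log(runCases());
console.log(buildPermissionRequest('my-resource-server'));
```

Running the block prints the four decisions (only ownerMatches is true) and the request body with the grant type percent-encoded, which is how it would appear on the wire.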