3:40 a.m.
Hi,
In a client, I have service account and authorization enabled. When service
account fetches all resources, authorizations applied. I would like a
specific user policy rule for this user but "service-account-(client name)"
is not suggested nor accepted by the user policy provider.
Is there another way to do that ? In js but what is the uuid of a service
user ? Is that a functionnal bug ?
Thanks.
7:32 a.m.
I answer myslef, a js policy script to allow a service account :
var context = $evaluation.getContext();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var username = attributes.getValue('preferred_username').asString(0);
var clientId = attributes.getValue('clientId').asString(0);
if (username === 'service-account-' + clientId) {
$evaluation.grant();
} else {
$evaluation.deny();
}
2017-10-12 10:40 GMT+02:00 Jean-François HEROUARD <
jfherouard.almerys(a)gmail.com>:
Hi,
In a client, I have service account and authorization enabled. When
service account fetches all resources, authorizations applied. I would like
a specific user policy rule for this user but "service-account-(client
name)" is not suggested nor accepted by the user policy provider.
Is there another way to do that ? In js but what is the uuid of a service
user ? Is that a functionnal bug ?
Thanks.
11:02 a.m.
Glad it worked. FYI, you don't actually need the *else* clause because the
engine will always deny if the policy did not call either grant or deny.
On Thu, Oct 12, 2017 at 9:32 AM, Jean-François HEROUARD <
jfherouard.almerys(a)gmail.com> wrote:
I answer myslef, a js policy script to allow a service account :
var context = $evaluation.getContext();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var username = attributes.getValue('preferred_username').asString(0);
var clientId = attributes.getValue('clientId').asString(0);
if (username === 'service-account-' + clientId) {
$evaluation.grant();
} else {
$evaluation.deny();
}
2017-10-12 10:40 GMT+02:00 Jean-François HEROUARD <
jfherouard.almerys(a)gmail.com>:
> Hi,
>
> In a client, I have service account and authorization enabled. When
> service account fetches all resources, authorizations applied. I would
like
> a specific user policy rule for this user but "service-account-(client
> name)" is not suggested nor accepted by the user policy provider.
> Is there another way to do that ? In js but what is the uuid of a service
> user ? Is that a functionnal bug ?
>
> Thanks.
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2646
days inactive
2650
days old
2 comments
2 participants
participants (2)
-
Jean-François HEROUARD -
Pedro Igor Silva