Hello,
We're using authorization services and Keycloak 2.5.X.
We want to have different policies for a REST endpoint with different verbs (GET, PUT).
We have everything configured at the Keycloak server side (PDP), through the web admin UI.
We don't use the Policy Enforcer JSON configuration.
We have configured:
* Permission P1 for Resource X (URL X) and scope 'GET' mapped to Policy 'POLICY-1'.
* Permission P2 for Resource X (URL X) and scope 'PUT' mapped to Policy 'POLICY-2'.
What we see is that both policies are BEING evaluated, while we expected only one of them
to be, according to the actual HTTP verb provided at runtime.
By reading the source code, we understand that because we don't use the policy
enforcer adapter configuration (JSON file at client side), the list of required
scopes sent with the permission request is empty and therefore all the scopes associated
with the resource and permission are being evaluated.
We could work around this by utilizing the policy enforcer configuration file, but we
would really like to do the configuration in a single place at the server side (we have many
clients and microservices).
My questions are the following:
1. Is there any way to enforce evaluation of only one of the permissions above (the one
according to the relevant scope/verb)?
Or maybe it was changed in a later version?
I see that code of getRequiredScopes is different
(adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java)
2. Why are there different configuration capabilities in the Admin UI (server side) and
the Policy Enforcer adapter JSON file (client side)?
In the latter, we can configure the "method" like PUT/GET/POST/DELETE for the
match. While if we use the server side configuration, we lack the ability to match the
method per URL.
Again, is that something that was changed in a later version?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
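The workaround the post refers to, as an added example that is not from the original message or from the Keycloak project: a client-side policy enforcer configuration (the `policy-enforcer` section of the adapter's keycloak.json) that maps each HTTP method on a path to the scope it requires, so that the adapter sends only that scope with the permission request and only the matching permission (P1 for GET, P2 for PUT) is evaluated. The resource name `X`, the path `/resource-x/*` and the scope names `GET` and `PUT` are assumptions chosen to match the setup described above; the real resource name and path must match what is registered on the server.

```json
{
  "realm": "example-realm",
  "auth-server-url": "https://keycloak.example.com/auth",
  "resource": "resource-server-client",
  "credentials": {
    "secret": "client-secret-placeholder"
  },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "X",
        "path": "/resource-x/*",
        "methods": [
          {
            "method": "GET",
            "scopes": ["GET"]
          },
          {
            "method": "PUT",
            "scopes": ["PUT"]
          }
        ]
      }
    ]
  }
}
```

With this file in place the enforcer derives the required scope from the request method before asking the server for a decision: a GET on `/resource-x/123` sends the scope `GET` and triggers evaluation of P1 and POLICY-1 only, while a PUT sends `PUT` and triggers P2 and POLICY-2 only. Methods not listed for the path fall back to the default behaviour (no required scope, so all scopes on the resource are evaluated), which is worth keeping in mind when auditing such files: an unlisted DELETE on the same path would not be restricted to a DELETE-specific permission.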