[forgot to reply all, forwarding to list in case others have same problem]
Thanks for the links, I found those methods via other means and was using
them already. Thanks for confirming that setting claims is the correct way
to push data into the policies.
Most of all, thanks for "just adding" that pushing claims requires a
service account. That was the part I missed, and after changing that
everything is working as expected now!
On Tue, Jun 11, 2019 at 8:39 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
I'm not sure why this change is not in the latest documentation, but here
is how [1] [2] you pass additional claims to your policies when using the
node.js adapter.
I would just add that in order to push claims the request should be made
by a resource server (your client configured with the authz services).
Public clients cannot perform such requests as they can be easily
manipulated.
[1]
https://github.com/keycloak/keycloak-documentation/pull/654/files#diff-02...
[2]
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixt...
On Tue, Jun 11, 2019 at 8:56 AM Brandon Williams <brandon(a)amazee.io> wrote:
> I'm using authorization services to protect an API (written in node.js). I
> would like to use a custom javascript policy that gets information from the
> context to determine if a user has access or not. Here's an example:
>
> > var context = $evaluation.getContext();
> > var contextAttributes = context.getAttributes();
> >
> > var myCustomData = contextAttributes.getValue('myCustomData');
>
> This works well when I'm testing the policy via the UI and using the
> "Contextual information" section of the evaluate page.
>
> Now I'm trying to figure out how to send that data when I'm doing an authz
> check from the API. In my API I'm using the "keycloak-connect" library and
> using the grant manager to send authz requests. Link to relevant code:
>
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middlewar...
>
> My assumption is that I can add "myCustomData" to the claim_token for this
> request, and it would be made available in the contextAttribute. I'm
> following the examples to build the claim from these docs:
>
> https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushin...
>
> Whenever I try to add arbitrary data as a claim, even simple strings, I get
> errors from the keycloak API that it can't find the bearer token. Just
> removing the claim_token makes the requests work.
>
> My two questions are: Is adding data as a claim the correct way to push
> data into the policy evaluation context? If so, why are my claims failing
> the requests?
>
> Thanks,
> Brandon Williams
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
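As an added example, not code from this thread and not keycloak-connect's own code, here is how the pieces discussed above fit together in plain Node.js: the UMA authorization request carrying a base64-encoded JSON claim_token with claim_token_format "urn:ietf:params:oauth:token-type:jwt" (the format the Keycloak docs describe for pushed claims), a refusal to push claims from a public client (Pedro's point), and a local stand-in for the evaluation context so the policy from Brandon's post can be run against the pushed claims. The `client` object, the `myCustomData` attribute name, the `'allowed'` value and the evaluation stand-in are assumptions made for illustration; they are not Keycloak's API.

```javascript
// Added example: not from the mailing-list thread, not keycloak-connect code.
// Shows the claim_token round trip behind "pushing claims" to a policy.

const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';
const CLAIM_TOKEN_FORMAT = 'urn:ietf:params:oauth:token-type:jwt';

// Pushed claims travel as base64-encoded JSON; each key becomes a
// context attribute the policy can read during evaluation.
function encodeClaimToken(claims) {
  return Buffer.from(JSON.stringify(claims), 'utf8').toString('base64');
}

function decodeClaimToken(token) {
  return JSON.parse(Buffer.from(token, 'base64').toString('utf8'));
}

// Build the form body a resource server posts to the token endpoint.
// `client` is a hypothetical object { clientId, secret, publicClient }.
// A public client has no credential of its own, so claims pushed by it
// could be forged by anyone holding the user's token; refuse up front.
function buildAuthzRequest(client, audience, permissions, claims) {
  if (client.publicClient || !client.secret) {
    throw new Error('pushing claims requires a confidential client (resource server)');
  }
  const body = new URLSearchParams();
  body.append('grant_type', UMA_GRANT);
  body.append('audience', audience);
  for (const p of permissions) body.append('permission', p);
  if (claims && Object.keys(claims).length > 0) {
    body.append('claim_token', encodeClaimToken(claims));
    body.append('claim_token_format', CLAIM_TOKEN_FORMAT);
  }
  return body;
}

// Local stand-in for what a JavaScript policy sees as $evaluation.
// Only the shape used by the policy in the thread is reproduced
// (getContext().getAttributes().getValue(name).asString(i)); this is an
// illustration, NOT Keycloak's policy evaluator.
function makeEvaluation(pushedClaims) {
  const attrs = {};
  for (const [k, v] of Object.entries(pushedClaims)) {
    attrs[k] = Array.isArray(v) ? v.map(String) : [String(v)];
  }
  let granted = false;
  return {
    getContext: () => ({
      getAttributes: () => ({
        exists: (name) => Object.prototype.hasOwnProperty.call(attrs, name),
        getValue: (name) => (attrs[name]
          ? { asString: (i) => attrs[name][i], size: () => attrs[name].length }
          : null),
      }),
    }),
    grant: () => { granted = true; },
    deny: () => { granted = false; },
    result: () => granted,
  };
}

// The policy from the post, extended by a guard and a decision so it
// actually grants or denies. The attribute name and the expected value
// 'allowed' are assumptions for this example.
const POLICY_SOURCE = `
  var context = $evaluation.getContext();
  var contextAttributes = context.getAttributes();
  var myCustomData = contextAttributes.exists('myCustomData')
    ? contextAttributes.getValue('myCustomData').asString(0) : null;
  if (myCustomData === 'allowed') { $evaluation.grant(); } else { $evaluation.deny(); }
`;

// Decode the claim_token as the server side would and run the policy
// against the resulting context attributes. Returns true when granted.
function evaluateWithPushedClaims(body) {
  const token = body.get('claim_token');
  const claims = token ? decodeClaimToken(token) : {};
  const $evaluation = makeEvaluation(claims);
  new Function('$evaluation', POLICY_SOURCE)($evaluation);
  return $evaluation.result();
}

module.exports = { encodeClaimToken, decodeClaimToken, buildAuthzRequest, evaluateWithPushedClaims };
```

The actual HTTP call to the token endpoint, the client authentication that goes with it, and the user's bearer token are deliberately left out; the point here is only that the claims reach the policy as base64 JSON and that nothing a public client sends in that slot can be trusted.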