Hi guys,
We're experiencing a strange behaviour during our tests on our
authorization policies.
I've defined a resource in the policy adapter as follows (closing brace of the path object was missing in the pasted snippet):
{
  "name": "test",
  "path": "/test/{id}/test",
  "methods": [
    {
      "method": "GET",
      "scopes": [
        "list_test_scope"
      ]
    }
  ],
  "claim-information-point": {
    "claims": {
      "organization": "{request.relativePath}"
    }
  }
}
Then, in Keycloak, I've defined:
- the scope list_test_scope
- a role-based policy
- a resource named "test" with the URI /test/{id}/test
- a permission associating the resource, the scope and the policy
Everything works fine when I make a GET request to the endpoint: if the
user has the role, he can access the endpoint, otherwise he receives a 403.
But if I make another request to the same endpoint with a different HTTP
method, like a POST, nothing blocks me: I can reach the endpoint and I
receive a 405 - Method Not Allowed (this is due to the fact that I've not
defined the operation on the endpoint). Why am I not receiving a 403 error
in this case? Shouldn't the user be blocked by the fact that this method is
not mapped / the user does not have the scope?
I've already read the following post:
https://lists.jboss.org/pipermail/keycloak-user/2019-February/017174.html
But removing the resource from the permission doesn't work. I'm still
experiencing the same behaviour (I don't know if something related to the
cache is not working well).
Can you help us please?
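A small check, added here and not part of the original post or of Keycloak itself, that reads a policy-enforcer "paths" list (the wrapping structure is assumed from keycloak.json) and reports, per path, which HTTP verbs have an explicit scope requirement and which do not. The verb the poster sees slip through (POST) is exactly one with no method entry, so its outcome depends only on the permission attached to the resource as a whole rather than on a method-level scope.

```python
import json

# Constructed sample: the poster's path entry, wrapped in the "policy-enforcer"
# / "paths" structure that keycloak.json uses (assumed wrapper, not from the post).
ENFORCER_CONFIG = json.loads("""
{
  "policy-enforcer": {
    "paths": [
      {
        "name": "test",
        "path": "/test/{id}/test",
        "methods": [
          {"method": "GET", "scopes": ["list_test_scope"]}
        ],
        "claim-information-point": {
          "claims": {"organization": "{request.relativePath}"}
        }
      }
    ]
  }
}
""")

HTTP_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")


def method_scope_coverage(config, http_methods=HTTP_METHODS):
    """For every path, list the verbs that carry an explicit scope requirement
    ("scoped") and the verbs with no method entry at all ("unscoped").
    An unscoped verb gets no method-level scope check from this file."""
    report = {}
    for path in config.get("policy-enforcer", {}).get("paths", []):
        declared = {m["method"].upper(): m.get("scopes", [])
                    for m in path.get("methods", [])}
        report[path["path"]] = {
            "scoped": {m: declared[m] for m in http_methods if m in declared},
            "unscoped": [m for m in http_methods if m not in declared],
        }
    return report


def paths_with_unscoped_methods(config):
    """Paths where at least one common HTTP verb has no method entry."""
    return sorted(p for p, r in method_scope_coverage(config).items() if r["unscoped"])


if __name__ == "__main__":
    for path, r in method_scope_coverage(ENFORCER_CONFIG).items():
        print(path, "scoped:", r["scoped"], "unscoped:", r["unscoped"])
```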