[keycloak-user] Re: PolicyEnforcer always requires all defined scopes as 'required'

alexander.sahler at brodos.de
Thu Oct 5 05:04:41 EDT 2017


Hi.

Some additional information:

In the application's log file, the adapter reports:

Authorization FAILED for path [PathConfig{name='Admin UI', type='urn:test-context:resources:default', path='/ui/*', scopes=[urn:testproject:article:view, urn:testproject:article:create], id='a9d034f3-0ea4-4c96-b314-6ce544bf01b8', enforcerMode='ENFORCING'}]. No enough permissions [[Permission {id=a9d034f3-0ea4-4c96-b314-6ce544bf01b8, name=Admin UI, scopes=[urn:testproject:article:view]}]].

The up-to-date authorization evaluator gives (changed values in the resource_access field):
{
  "jti": "25c7f624-c1ab-4f01-83a0-f946e868c175",
  "exp": 1507194142,
  "nbf": 0,
  "iat": 1507193842,
  "aud": "test-context",
  "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
  "typ": "Bearer",
  "azp": "test-context",
  "auth_time": 0,
  "session_state": "4ebc2e9e-9b22-47dd-ad83-46a7fa600264",
  "acr": "1",
  "allowed-origins": [
    "http://"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "urn:testproject:article:view"
        ],
        "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
        "resource_set_name": "Admin UI"
      }
    ]
  },
  "name": "Test Tester",
  "preferred_username": "test",
  "given_name": "Test",
  "family_name": "Tester",
  "email": "test at bla.de"
}

Best regards,
Alexander




>>> 
Hi.

I'm trying to get warm with keycloak. So I created a test project that uses
KeycloakOIDCFilter to secure a servlet request (a vaadin UI).
Basically it's working. Now I want to add some portions of the UI only
visible to users granted permission to a certain scope.

So I set up:
* client (named test-context) is configured for authorization
* A resource (admin-ui) with associated scopes urn:test-project:article:view
and urn:test-project:article:create.
* two realm roles: admin and user
* two users (test, admin), one of them (test) having role user, the other
(admin) having both admin and user roles
* auth settings: policy enforcement mode: enforcing (also added
"policy-enforcer": {} in keycloak.json)
* Two policies:
  - Admin policy: type role, roles: admin (required)
  - User policy: type role, roles: user
* Two scope permissions bound to the resource admin-ui. 
  - Article Create Permission: resource: admin-ui, scopes:
urn:test-project:article:create, policy: Admin policy, unanimous
  - Admin UI View Permission: resource: admin-ui, scopes:
urn:test-project:article:view, policy User policy, unanimous
* A resource permission granting access to the resource itself using Default
Permission (js, grant all)

Admin user is working fine and testing for scope membership using
authzClient is working fine as well. 

However, when I try to access the page with user 'test', the user is denied
access due to AbstractPolicyEnforcer. In method authorize() it always passes
the requiredScopes variable to isAuthorized(...). This variable is ALWAYS
filled with all scopes associated with the resource. These are taken from the
pathConfig, which always yields both associated scopes.

Of course, user 'test' has only granted permission to scope
urn:test-project:article:view following the authorization set up, thus
failing the grant although the evaluator is returning PERMIT with scopes
(urn:testproject:article:view) as expected:

{
  "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c",
  "exp": 1507127243,
  "nbf": 0,
  "iat": 1507126943,
  "aud": "test-context",
  "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
  "typ": "Bearer",
  "azp": "test-context",
  "auth_time": 0,
  "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8",
  "acr": "1",
  "allowed-origins": [
    "http://"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {},
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "urn:testproject:article:view"
        ],
        "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
        "resource_set_name": "Admin UI"
      }
    ]
  },
  "name": "Test Tester",
  "preferred_username": "test",
  "given_name": "Test",
  "family_name": "Tester",
  "email": "test at bla.de"
}

I'm using Keycloak 3.2.1.FINAL on Karaf 4.1.2.

Please help!



--
Sent from: http://keycloak-user.88327.x6.nabble.com/
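As an added illustration (not code from the thread and not Keycloak's own enforcer), the Python below reproduces the decision the poster describes: it reads the `authorization.permissions` claim of the RPT, takes the path configuration the adapter logged (both scopes attached to `/ui/*`), and evaluates the "every scope on the path must be granted" rule the poster observed next to an "any one granted scope is enough" rule. The `test` user's RPT is reduced from the posted token; the admin RPT is constructed to show the case where both scopes are held. The function names `granted_scopes`, `is_authorized` and `explain_decision` are hypothetical.

```python
import json

# Reduced from the RPT posted in the thread for user 'test': only the claims
# the scope decision needs are kept.
RPT_FOR_TEST_USER = json.loads("""
{
  "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
  "preferred_username": "test",
  "realm_access": {"roles": ["uma_authorization", "user"]},
  "authorization": {
    "permissions": [
      {
        "scopes": ["urn:testproject:article:view"],
        "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
        "resource_set_name": "Admin UI"
      }
    ]
  }
}
""")

# Constructed (not from the thread): what the admin user's RPT would carry if
# both scope permissions evaluate to PERMIT for the same resource.
RPT_FOR_ADMIN_USER = {
    "preferred_username": "admin",
    "authorization": {
        "permissions": [
            {
                "scopes": ["urn:testproject:article:view",
                           "urn:testproject:article:create"],
                "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
                "resource_set_name": "Admin UI",
            }
        ]
    },
}

# Path configuration as the adapter logged it: both scopes hang off /ui/*.
PATH_CONFIG = {
    "name": "Admin UI",
    "path": "/ui/*",
    "id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
    "scopes": ["urn:testproject:article:view", "urn:testproject:article:create"],
}


def granted_scopes(rpt, resource_id):
    """Return the set of scope names the RPT grants on one resource set id."""
    scopes = set()
    for perm in rpt.get("authorization", {}).get("permissions", []):
        if perm.get("resource_set_id") == resource_id:
            scopes.update(perm.get("scopes") or [])
    return scopes


def is_authorized(rpt, path_config, mode="ALL"):
    """Scope check for a single path.

    mode="ALL": every scope attached to the path must be granted. This is the
                behaviour the poster observed: requiredScopes carries both
                scopes, so 'test' (view only) is denied.
    mode="ANY": one granted scope from the path's list is enough.
    """
    required = set(path_config["scopes"])
    granted = granted_scopes(rpt, path_config["id"])
    if mode == "ALL":
        return required.issubset(granted)
    if mode == "ANY":
        return bool(required & granted)
    raise ValueError(f"unknown mode {mode!r}")


def explain_decision(rpt, path_config):
    """Diagnostic view: which required scopes are held, which are missing, and
    whether the path's resource id appears in the token at all (a mismatch
    there, or a differently spelled scope name, also produces a denial)."""
    required = set(path_config["scopes"])
    granted = granted_scopes(rpt, path_config["id"])
    perms = rpt.get("authorization", {}).get("permissions", [])
    return {
        "required": sorted(required),
        "granted": sorted(required & granted),
        "missing": sorted(required - granted),
        "resource_id_matches": any(
            p.get("resource_set_id") == path_config["id"] for p in perms),
    }


if __name__ == "__main__":
    for rpt in (RPT_FOR_TEST_USER, RPT_FOR_ADMIN_USER):
        print(rpt["preferred_username"],
              "ALL:", is_authorized(rpt, PATH_CONFIG, "ALL"),
              "ANY:", is_authorized(rpt, PATH_CONFIG, "ANY"))
        print(json.dumps(explain_decision(rpt, PATH_CONFIG), indent=2))
```

Running it against an RPT decoded from your own adapter shows, for each path, exactly which configured scope the token does not carry; if `missing` is non-empty under the "ALL" rule while the evaluator reports PERMIT, the path configuration is requiring more scopes than the permission that was granted, which is the situation in the thread.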

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


