[keycloak-user] Failed to evaluate permissions with javascript

Corentin Dupont corentin.dupont at gmail.com
Wed Jul 4 09:16:52 EDT 2018


So how to retrieve the resource associated with this request?

For instance I want to delete a sensor named MySensorsXXX:

curl -X POST \
  http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
  -H "Authorization: Bearer $USERTOKEN" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"

I have a scope-based policy, where I check if you are owner.



On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> This is because the permission is not for the resource (it does not exist)
> but for scopes. So resource is null.
>
> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi again,
>> I use a small javascript policy:
>>
>> var context = $evaluation.getContext();
>> var permission = $evaluation.getPermission();
>> var identity = context.getIdentity();
>> if (identity.id == permission.getResource().getOwner()) {
>>     $evaluation.grant();
>> }
>>
>>
>> But this gets me an error:
>>
>> Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>> ...
>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>
>>
>> I noticed this happens only with scope-based policies, so maybe it's the
>> same problem as before?
>
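
The following is an added example, not code from this thread or from the Keycloak project. It shows the owner check from the quoted policy written so that a permission with no resource (the scope-only case described in the reply) is denied explicitly instead of raising the TypeError. The names ownerPolicy, mockEvaluation, decide and sensor, and the user ids, are constructed for illustration; inside Keycloak the engine supplies $evaluation itself.

```javascript
// Owner check that fails closed when the permission carries no resource.
// $evaluation is passed as a parameter so the policy can be exercised
// outside the server; in a Keycloak JS policy it is a predefined variable.
function ownerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // Scope-only permission: there is no resource, so ownership cannot be
  // established. Deny instead of calling getOwner() on null.
  if (resource == null) {
    $evaluation.deny();
    return;
  }
  if (identity.getId() == resource.getOwner()) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Constructed stand-in for the evaluation object (hypothetical helper).
function mockEvaluation(userId, resource) {
  var state = { decision: "UNDECIDED" };
  return {
    state: state,
    getContext: function () {
      return { getIdentity: function () {
        return { getId: function () { return userId; } };
      } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { state.decision = "GRANT"; },
    deny: function () { state.decision = "DENY"; }
  };
}

// Constructed resource whose owner is ownerId (hypothetical helper).
function sensor(ownerId) {
  return { getOwner: function () { return ownerId; } };
}

// Runs the policy once and reports the decision it recorded.
function decide(userId, resource) {
  var ev = mockEvaluation(userId, resource);
  ownerPolicy(ev);
  return ev.state.decision;
}
```

With this guard a request that names only scopes is always denied by the owner policy, so the error disappears but the ownership decision still needs a permission that is evaluated against an existing resource.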

