[keycloak-user] Failed to evaluate permissions with javascript

Pedro Igor Silva psilva at redhat.com
Wed Jul 4 09:28:49 EDT 2018


Could you deny if the requested permission is not for a resource? Or do you
want to have permissions for each resource associated with that scope?

On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> So how to retrieve the resource associated with this request?
>
> For instance I want to delete a sensor named MySensorsXXX:
>
> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>   -H "Authorization: Bearer $USERTOKEN" \
>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>
> I have a scope-based policy, where I check if you are the owner.
>
>
>
> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> This is because the permission is not for the resource (it does not
>> exist) but for scopes. So resource is null.
>>
>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Hi again,
>>> I use a small javascript policy:
>>>
>>> var context = $evaluation.getContext();
>>> var permission = $evaluation.getPermission();
>>> var identity = context.getIdentity();
>>> if (identity.id == permission.getResource().getOwner()) {
>>>     $evaluation.grant();
>>> }
>>>
>>>
>>> But this gets me an error:
>>>
>>> Unexpected error while evaluating permissions:
>>> java.lang.RuntimeException: Failed to evaluate permissions
>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>>    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>>> ...
>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>>
>>>
>>> I noticed this happens only with scope-based policies, so maybe it's the
>>> same problem as before?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
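The null-safe variant of the owner check that the reply above suggests, as an added example that is not code from this thread or from Keycloak. The policy body is written as a plain function so it can be exercised offline; `makeEvaluation` is a constructed stand-in for the `$evaluation` object Keycloak injects, covering only the calls the policy makes (`getContext().getIdentity().getId()`, `getPermission().getResource()`, `getOwner()`, `grant()`, `deny()`). The explicit `getId()` is used instead of the `identity.id` shorthand so the same body runs under both Nashorn and Node; in Keycloak you would paste only the inside of `resourceOwnerPolicy` into the policy editor with `$evaluation` in place of `evaluation`.

```javascript
// Added example, not code from the thread. Keycloak JavaScript policies run
// under Nashorn (ES5), so this deliberately avoids newer syntax.

// Policy body. For a scope-only permission getResource() is null, which is
// exactly where the thread's TypeError ("null has no such function getOwner")
// came from. Treat "no resource" as an explicit deny rather than a crash, so
// the caller gets a clean denial and nothing is granted by accident.
function resourceOwnerPolicy(evaluation) {
  var context = evaluation.getContext();
  var permission = evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  if (resource === null || resource === undefined) {
    evaluation.deny();
    return;
  }

  if (identity.getId() === resource.getOwner()) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
}

// Constructed stand-in for $evaluation (assumption: only these methods are
// needed). Passing resourceOwner === null models a scope-only permission,
// i.e. a request like "permission=sensors:delete" with no resource attached.
function makeEvaluation(userId, resourceOwner) {
  var decision = null;
  var resource = resourceOwner === null ? null : {
    getOwner: function () { return resourceOwner; }
  };
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return userId; } };
        }
      };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = "grant"; },
    deny: function () { decision = "deny"; },
    getDecision: function () { return decision; }
  };
}

// Run the policy against a constructed evaluation and report the decision.
function evaluate(userId, resourceOwner) {
  var ev = makeEvaluation(userId, resourceOwner);
  resourceOwnerPolicy(ev);
  return ev.getDecision();
}

// Owner, non-owner, and scope-only (no resource) cases.
console.log(evaluate("alice", "alice")); // grant
console.log(evaluate("bob", "alice"));   // deny
console.log(evaluate("alice", null));    // deny
```

If you do want per-resource decisions for a scope such as `sensors:delete`, the alternative the reply mentions is to attach this policy to a resource-based permission (or a scope permission bound to specific resources), so that `getResource()` is populated when the policy runs.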