[keycloak-user] Failed to evaluate permissions with javascript

Corentin Dupont corentin.dupont at gmail.com
Wed Jul 4 10:07:05 EDT 2018


Yes, I want to have permissions for each resource associated with that scope.
Basically, I have:

Resource:
-------------
name: MySensorsXXX
scope: [sensors:update, sensors:delete]

Policy:
---------
name: Resource owner
type: javascript

Permission:
--------------
name: Delete Sensor
type: scope-based
Scopes: [sensors:delete]
Apply Policy: Resource owner

Based on this setting, I want to ask Keycloak if I can delete a particular
sensor, named MySensorsXXX.
Keycloak should approve only if I'm the owner.
Is this the correct way to do it?

On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Could you deny if requested permission is not for a resource ? Or do you
> want to have permissions for each resource associated with that scope ?
>
> On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> So how to retrieve the resource associated with this request?
>>
>> For instance I want to delete a sensor named MySensorsXXX:
>>
>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>   -H "Authorization: Bearer $USERTOKEN" \
>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>>
>> I have a scope-based policy, where I check if you are owner.
>>
>>
>>
>> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>>> This is because the permission is not for the resource (it does not
>>> exist) but for scopes. So resource is null.
>>>
>>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi again,
>>>> I use a small javascript policy:
>>>>
>>>> var context = $evaluation.getContext();
>>>> var permission = $evaluation.getPermission();
>>>> var identity = context.getIdentity();
>>>> if (identity.id == permission.getResource().getOwner()) {
>>>>     $evaluation.grant();
>>>> }
>>>>
>>>>
>>>> But this gets me an error:
>>>>
>>>> Unexpected error while evaluating permissions:
>>>> java.lang.RuntimeException:
>>>> Failed to evaluate permissions
>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>>>    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>>>> ...
>>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>>>
>>>>
>>>> I noticed this happens only with scope-based policies, so maybe it's the
>>>> same problem as before?
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
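
The failure in the quoted thread is that a scope-based permission can be evaluated with no resource bound, so `permission.getResource()` is null and `.getOwner()` throws. Below is an added example (not the policy from the thread, nor Keycloak's own code) of the same owner check guarded for that case: a scope-only evaluation is denied explicitly, as Pedro suggests, instead of crashing the evaluator. The `$evaluation` accessors used are those the thread itself uses plus `identity.getId()` and `$evaluation.deny()`; `makeEvaluation` and `sensorResource` are constructed stand-ins so the logic can be run outside Keycloak, and the string return values exist only for that purpose.

```javascript
// Added example: owner-check policy that tolerates a scope-only permission.
// In Keycloak the body of evaluateOwnerPolicy() (minus the return statements)
// is the script; `$evaluation` is injected as a global there. Here it is a
// parameter so the decision can be exercised with a constructed stand-in.
function evaluateOwnerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // A scope-based permission may carry no resource (the case in the thread).
  // Deny explicitly instead of dereferencing null, which raised
  // 'TypeError: null has no such function "getOwner"'.
  if (resource == null) {
    $evaluation.deny();
    return "deny:no-resource";
  }
  // Only the resource owner may act on it.
  if (resource.getOwner() === identity.getId()) {
    $evaluation.grant();
    return "grant:owner";
  }
  $evaluation.deny();
  return "deny:not-owner";
}

// Constructed stand-in for the objects Keycloak injects; `resource` may be
// null to mimic a scope-only evaluation. Not a Keycloak API.
function makeEvaluation(userId, resource) {
  var decision = null;
  return {
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    getPermission: function () { return { getResource: function () { return resource; } }; },
    grant: function () { decision = "GRANT"; },
    deny: function () { decision = "DENY"; },
    decision: function () { return decision; }
  };
}

// Constructed resource with the name from the thread and a chosen owner id.
function sensorResource(ownerId) {
  return {
    getName: function () { return "MySensorsXXX"; },
    getOwner: function () { return ownerId; }
  };
}
```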

