[keycloak-user] Failed to evaluate permissions with javascript

Corentin Dupont corentin.dupont at gmail.com
Thu Jul 5 05:10:06 EDT 2018


I created the corresponding Jira here:
https://issues.jboss.org/browse/KEYCLOAK-7781?filter=-2

On Wed, Jul 4, 2018 at 4:13 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Sorry, should *not* get a null reference ...
>
> On Wed, Jul 4, 2018 at 11:12 AM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Yeah it is fine, and if you ask permissions for MySensorsXXX (considering
>> resource exists) you should get a null reference in your JS policy.
>>
>> On Wed, Jul 4, 2018 at 11:07 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Yes I want to have permissions for each resource associated with that
>>> scope.
>>> Basically, I have:
>>>
>>> Resource:
>>> -------------
>>> name: MySensorsXXX
>>> scope: [sensors:update, sensors:delete]
>>>
>>> Policy:
>>> ---------
>>> name: Resource owner
>>> type: javascript
>>>
>>> Permission:
>>> --------------
>>> name: Delete Sensor
>>> type: scope-based
>>> Scopes: [sensors:delete]
>>> Apply Policy: Resource owner
>>>
>>> Based on this setting, I want to ask Keycloak if I can delete a
>>> particular sensor, named MySensorsXXX.
>>> Keycloak should approve only if I'm the owner.
>>> Is it the correct way to do it?
>>>
>>> On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Could you deny if the requested permission is not for a resource? Or do
>>>> you want to have permissions for each resource associated with that scope?
>>>>
>>>> On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> So how to retrieve the resource associated with this request?
>>>>>
>>>>> For instance I want to delete a sensor named MySensorsXXX:
>>>>>
>>>>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>>>   -H "Authorization: Bearer $USERTOKEN" \
>>>>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>>>>>
>>>>> I have a scope-based policy, where I check if you are owner.
>>>>>
>>>>> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> This is because the permission is not for the resource (it does not
>>>>>> exist) but for scopes. So resource is null.
>>>>>>
>>>>>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <
>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Hi again,
>>>>>>> I use a small javascript policy:
>>>>>>>
>>>>>>> var context = $evaluation.getContext();
>>>>>>> var permission = $evaluation.getPermission();
>>>>>>> var identity = context.getIdentity();
>>>>>>> if (identity.id == permission.getResource().getOwner()) {
>>>>>>>     $evaluation.grant();
>>>>>>> }
>>>>>>>
>>>>>>> But this gets me an error:
>>>>>>>
>>>>>>> Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
>>>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>>>>>>    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>>>>>>    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>>>>>>> ...
>>>>>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>>>>>>
>>>>>>>
>>>>>>> I noticed this happens only with scope-based policies, so maybe it's the
>>>>>>> same problem as before?

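A null-safe version of the "Resource owner" policy, as an added example that is not from the thread or from Keycloak itself. It keeps the owner check from the original script but treats a scope-only permission (where getResource() returns null, as Pedro describes) as an explicit deny instead of dereferencing null; the $evaluation stub and the sample user and resource are constructed here to mimic the shape of Keycloak's policy API so the policy can be exercised outside the server.

```javascript
// Null-safe "Resource owner" JavaScript policy (ES5, as Keycloak's script
// engine of that era expects). Returns the decision so it can be checked.
function resourceOwnerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // A scope-based permission with no resource attached: there is nothing to
  // own, so deny explicitly (default-deny) rather than hit a TypeError.
  if (resource === null || resource === undefined) {
    $evaluation.deny();
    return "deny";
  }
  // In Keycloak's engine identity.id also works as a bean shortcut for
  // getId(); the explicit getter is used here so the code runs under Node too.
  if (identity.getId() === resource.getOwner()) {
    $evaluation.grant();
    return "grant";
  }
  $evaluation.deny();
  return "deny";
}

// Constructed stub mimicking the subset of the $evaluation API the policy
// uses (hypothetical; not Keycloak's real implementation).
function makeEvaluation(userId, resource) {
  var decision = null;
  return {
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = "GRANT"; },
    deny: function () { decision = "DENY"; },
    getDecision: function () { return decision; }
  };
}

// Constructed resource object with the getOwner() accessor the policy relies on.
function makeResource(name, owner) {
  return { getName: function () { return name; }, getOwner: function () { return owner; } };
}

// Walk through the three cases from the thread: owner, non-owner, scope-only.
var sensor = makeResource("MySensorsXXX", "alice");
console.log("owner:      " + resourceOwnerPolicy(makeEvaluation("alice", sensor)));
console.log("non-owner:  " + resourceOwnerPolicy(makeEvaluation("bob", sensor)));
console.log("scope-only: " + resourceOwnerPolicy(makeEvaluation("alice", null)));
```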
