[keycloak-user] ABAC policy, attributes not avialable
Nicolas Gillet
nicolas.gillet at market-ip.com
Tue Jul 17 10:08:56 EDT 2018
Hello
I am trying to write a JavaScript Attribute Based Access Control (ABAC) policy.
I want to control access to a group resource using the authenticated user's attributes and the attributes configured on the group.
So I configured the policy via Groups > myGroup > permissions > view-members and selected my JavaScript policy.
Problem: in the script, neither my identity attributes nor my group attributes are available.
Here is my script:
    // Keycloak JavaScript policy: inspect the evaluation context and the requested permission
    var context = $evaluation.getContext();
    var resourcePermission = $evaluation.getPermission();
    var identity = context.getIdentity();
    var idAttributes = identity.getAttributes();   // attributes of the authenticated user
    var ctxAttributes = context.getAttributes();   // attributes of the evaluation context
    var resource = resourcePermission.getResource(); // the group resource being accessed
    print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
    print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
    // getAttributes must be invoked; the line as originally posted lacked the parentheses
    print('resource.getAttributes: ' + resource.getAttributes());
    $evaluation.grant(); // grants unconditionally while debugging
When I call the API endpoint as follows:
http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
it triggers the script and prints the following in the WildFly console:
15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined
So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all?!
I triple checked: my user has the custom attribute "CUSTOM_PROP" defined with value "test", and my group has attributes as well.
The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource
which, according to the Javadoc, must define a getAttributes() method. However it's ... undefined?!
The Keycloak version I use is 4.0.0.
Can anyone help me find what's wrong with my script?
Many thanks,
Nicolas GILLET
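A deny-by-default version of such a policy, as an added example that is neither Nicolas's script nor Keycloak's own code: it grants only when the user's CUSTOM_PROP matches the attribute configured on the group resource, and denies when either side is missing, instead of calling $evaluation.grant() unconditionally. The API shape it relies on (identity.getAttributes().exists(name), .getValue(name).asString(0), resource.getSingleAttribute(name)) is assumed, not verified on 4.0.0, and the fakeEvaluation stand-in is constructed here only to exercise the logic offline.

```javascript
// Added example: deny-by-default ABAC policy body for a Keycloak JavaScript policy.
// Keycloak exposes $evaluation to the script; the logic is kept in a function that
// takes that object so it can also be exercised offline against a constructed stand-in.
// Assumed API shape (not checked against 4.0.0):
//   identity.getAttributes().exists(name), .getValue(name).asString(0)
//   resource.getSingleAttribute(name) -> string or null
var ATTR = 'CUSTOM_PROP';

function evaluatePolicy(evaluation) {
  var identity = evaluation.getContext().getIdentity();
  var resource = evaluation.getPermission().getResource();
  var idAttrs = identity.getAttributes();
  // Anything missing on either side is a deny, never a grant.
  if (resource === null || !idAttrs.exists(ATTR)) { evaluation.deny(); return false; }
  var required = resource.getSingleAttribute(ATTR);
  if (required === null || required === undefined) { evaluation.deny(); return false; }
  var actual = idAttrs.getValue(ATTR).asString(0);
  if (actual === required) { evaluation.grant(); return true; }
  evaluation.deny();
  return false;
}

// Constructed stand-in for $evaluation, used only for offline checks (not Keycloak's).
function fakeEvaluation(userAttrs, groupAttrs) {
  var decision = null;
  var attrs = {
    exists: function (n) { return Object.prototype.hasOwnProperty.call(userAttrs, n); },
    getValue: function (n) { return { asString: function (i) { return userAttrs[n][i]; } }; }
  };
  var identity = { getAttributes: function () { return attrs; } };
  var resource = groupAttrs === null ? null : {
    getSingleAttribute: function (n) {
      return Object.prototype.hasOwnProperty.call(groupAttrs, n) ? groupAttrs[n][0] : null;
    }
  };
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getPermission: function () { return { getResource: function () { return resource; } }; },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}

// Inside Keycloak the script body is just this call; $evaluation is undefined offline.
if (typeof $evaluation !== 'undefined') { evaluatePolicy($evaluation); }
```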