[keycloak-user] Policy Evaluation for Service Account shows unexpected behavior

Lamina, Marco marco.lamina at sap.com
Wed Nov 7 17:27:38 EST 2018


Hi,
I am using the Protection API to create resources in Keycloak. Some of those resources are created by service accounts, some by regular users. I also have a JS policy that grants access to a resource if the given identity is the resource owner (it was an example from the documentation):

// Keycloak JS policy: grant only when the requesting identity owns the resource
var context = $evaluation.getContext();
var identity = context.getIdentity();
var permission = $evaluation.getPermission();
// permission.resource can be null for scope-only permissions, so check it first
if (permission.resource !== null && permission.resource.owner == identity.id) {
    $evaluation.grant();
}

The problem is that the policy fails to execute. Using the evaluation tool in the admin console, it produces the following stack trace: https://pastebin.com/2XXHQkNf .
The policy works fine for regular users. In addition to that, trying to list the account’s permissions using the token endpoint (as described in [1]) fails with a 403.
Am I missing something or is that a bug in Keycloak?

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco
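The owner check from the policy above, restated as an added example that is not part of the original post or of Keycloak's code: the policy body is wrapped in a plain function, and `$evaluation` is replaced by a constructed mock that exposes the same `getContext().getIdentity()`, `getPermission().resource`, `grant()` and `deny()` shape the post uses. The point of the example is the fail-closed handling: a missing identity or a null resource (both assumed cases, not taken from the stack trace) results in an explicit deny instead of an exception during evaluation.

```javascript
// Owner-only policy logic, written against the same object shape the
// Keycloak JS policy in the post uses. `evaluation` stands in for
// $evaluation; this is an added example with a constructed mock, not
// Keycloak's own API implementation.
function ownerPolicy(evaluation) {
  const context = evaluation.getContext();
  const identity = context.getIdentity();
  const permission = evaluation.getPermission();
  const resource = permission.resource;

  // Fail closed: without a resolvable identity or a resource there is
  // nothing to compare, so deny rather than dereference null.
  if (!identity || !identity.id || !resource) {
    evaluation.deny();
    return 'DENY';
  }

  // Owner is the user or service-account id that created the resource.
  if (resource.owner === identity.id) {
    evaluation.grant();
    return 'GRANT';
  }

  evaluation.deny();
  return 'DENY';
}

// Constructed mock of the evaluation context (assumption: mirrors the
// accessors used in the post, nothing more). `null` for either argument
// simulates an unresolved identity or a permission with no resource.
function makeEvaluation(identityId, resourceOwner) {
  const decision = { result: null };
  return {
    getContext: () => ({
      getIdentity: () => (identityId === null ? null : { id: identityId }),
    }),
    getPermission: () => ({
      resource: resourceOwner === null ? null : { owner: resourceOwner },
    }),
    grant: () => { decision.result = 'GRANT'; },
    deny: () => { decision.result = 'DENY'; },
    decision,
  };
}

// Run the policy against a mock and return the recorded decision.
function evaluate(identityId, resourceOwner) {
  const ev = makeEvaluation(identityId, resourceOwner);
  ownerPolicy(ev);
  return ev.decision.result;
}

// Sample runs over constructed ids (the first is a regular user, the
// second a service-account id; both values are made up).
console.log(evaluate('user-1', 'user-1'));              // GRANT
console.log(evaluate('user-1', 'user-2'));              // DENY
console.log(evaluate('service-account-app', null));     // DENY
console.log(evaluate(null, 'user-1'));                  // DENY
```

Keycloak policies already deny when `grant()` is never called, so the explicit `deny()` branches change nothing about the outcome; they make the decision visible in the mock and keep the policy from throwing, which is what you want when evaluating it through the admin console's evaluation tool.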
