[keycloak-user] Keycloak policy-enforcer, very strange and dangerous behaviour - scope based policy

Matteo Restelli mrestelli at cuebiq.com
Tue Dec 10 09:34:07 EST 2019


Hi guys,
We're experiencing strange behaviour during our tests of our
authorization policies.
I've defined a resource in the policy adapter as follows:

{
  "name": "test",
  "path": "/test/{id}/test",
  "methods": [
    {
      "method": "GET",
      "scopes": [
        "list_test_scope"
      ]
    }
  ],
  "claim-information-point": {
    "claims": {
      "organization": "{request.relativePath}"
    }
  }
}

Then, in Keycloak, I've defined:
- the scope list_test_scope
- a role based policy
- a resource named "test" with the uri /test/{id}/test
- a permission associating the resource, the scope and the policy

Everything works fine when I make a GET request to the endpoint: if the
user has the role, he can access the endpoint, otherwise he receives a 403.
But if I make another request to the same endpoint with a different HTTP
method, like a POST, nothing blocks me: I can reach the endpoint and I
receive a 405 - Method not allowed (this is due to the fact that I've not
defined the operation on the endpoint). Why am I not receiving a 403 error
in this case? Shouldn't the user be blocked by the fact that this method is
not mapped / the user does not have the scope?

I've already read the following post:
https://lists.jboss.org/pipermail/keycloak-user/2019-February/017174.html
But removing the resource from the permission doesn't work. I'm still
experiencing the same behaviour (I don't know if something related to the
cache is not working well).

Can you help us please?

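The gap described in the post (a GET mapped to a scope is enforced, an unmapped POST to the same path is not) comes down to how an enforcer derives the scopes a request must hold. The following is an added, self-contained Python model of that derivation, written for this page; it is not Keycloak's policy-enforcer code, and whether Keycloak's enforcer behaves exactly like the "resource-level" fallback modelled here is not established by the post. The configuration dictionary mirrors the shape of the resource in the post; the `granted` mapping (resource name to the set of scopes the user holds on it), the `unmapped_method_policy` switch and the function names are assumptions of this example.

```python
import re
from typing import List, Optional

# Constructed enforcer configuration, shaped like the resource in the post.
ENFORCER_CONFIG = {
    "paths": [
        {
            "name": "test",
            "path": "/test/{id}/test",
            "methods": [
                {"method": "GET", "scopes": ["list_test_scope"]},
            ],
        }
    ]
}


def _path_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a path template such as /test/{id}/test into an anchored regex.

    Each {placeholder} matches one path segment; everything else is literal.
    """
    out = []
    for part in re.split(r"(\{[^}]+\})", template):
        if part.startswith("{") and part.endswith("}"):
            out.append(r"[^/]+")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


def find_path_config(config: dict, request_path: str) -> Optional[dict]:
    """Return the first path entry whose template matches the request path."""
    for entry in config["paths"]:
        if _path_to_regex(entry["path"]).match(request_path):
            return entry
    return None


def required_scopes(path_config: dict, method: str,
                    unmapped_method_policy: str = "resource-level") -> Optional[List[str]]:
    """Return the scopes a request must hold, or None if it must be denied outright.

    A method listed under "methods" requires exactly its configured scopes.
    For a method that is NOT listed, the behaviour depends on the policy
    (an assumption of this model, not a documented Keycloak setting):
      "resource-level" - no specific scope is required, so any permission on
                         the resource is enough (the permissive outcome the
                         post describes for POST);
      "deny"           - an unmapped method is refused, i.e. deny by default.
    """
    for m in path_config.get("methods", []):
        if m["method"].upper() == method.upper():
            return list(m["scopes"])
    if unmapped_method_policy == "deny":
        return None
    return []


def authorize(config: dict, granted: dict, request_path: str, method: str,
              unmapped_method_policy: str = "resource-level") -> int:
    """Return the status the enforcer produces: 200 (request reaches the app) or 403."""
    path_config = find_path_config(config, request_path)
    if path_config is None:
        return 403  # nothing in the config authorizes this path
    needed = required_scopes(path_config, method, unmapped_method_policy)
    if needed is None:
        return 403  # unmapped method under deny-by-default
    held = granted.get(path_config["name"])
    if held is None:
        return 403  # user holds no permission on this resource at all
    return 200 if set(needed) <= held else 403


if __name__ == "__main__":
    # Constructed grants: a user who has the role-based permission, and one who does not.
    with_role = {"test": {"list_test_scope"}}
    without_role = {}
    for method in ("GET", "POST"):
        for policy in ("resource-level", "deny"):
            print(method, policy, "with role ->",
                  authorize(ENFORCER_CONFIG, with_role, "/test/42/test", method, policy),
                  "| without role ->",
                  authorize(ENFORCER_CONFIG, without_role, "/test/42/test", method, policy))
```

Under the "resource-level" fallback the POST passes the enforcer for any user who holds some permission on the resource, and only the application's own routing turns it into a 405; under "deny" the same request is stopped with a 403 before it reaches the application. The practical defender's check is the same either way: every HTTP method a path accepts should be listed explicitly with the scope it requires, and a request for a method that is not listed should be refused by configuration rather than left to whatever the application does with it.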