[keycloak-user] Policy Evaluation Rules

Alexey Titorenko titorenko at dtg.technology
Wed Feb 6 05:08:54 EST 2019


Ok, thank you. It seems that the reason is the same as for my previous questions :)


> On 5 Feb 2019, at 15:12, Pedro Igor Silva <psilva at redhat.com> wrote:
> It depends on how you are sending the authorization requests. If you request permissions to a resource, permissions associated with the resource and any associated scope will be evaluated. However, if you only send an authorization request for a particular scope, only the permissions (and associated policies) associated with that scope are evaluated.
> On Tue, Feb 5, 2019 at 7:19 AM Alexey Titorenko <titorenko at dtg.technology> wrote:
> Hello guys!
> Could you please help me with understanding how policies are evaluated?
> I have a REST service with several operations. Each of them is protected by a corresponding scope (create, view, update, delete, list). For each of these scopes I defined a scope-based permission which controls access to its scope.
> All of the permissions have just one ‘Default’ policy, which grants access to any user. The ‘delete’ permission in addition has a JavaScript-based policy which checks if the caller is the author of the document. So, only one permission is configured to evaluate the ‘Author’ policy.
> I expect that the ‘Author’ policy will only be evaluated when the ‘delete’ operation on the service is called. But I see that it is evaluated each time ANY operation is called.
> So, if all policies are evaluated for each call, then what is the purpose of specifying policies in permissions? What is the right way to use policies then?
> Thank you,
> Alexey.
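The rule in Pedro's reply (a whole-resource request evaluates every permission attached to the resource and its scopes; a `resource#scope` request evaluates only that scope's permissions) can be made concrete with a small model. This is an added illustration, not code from the thread or from Keycloak itself. The resource name `Document` and the client id `my-api` are assumptions; the scope, policy and decision-strategy names follow the question and Keycloak's documented defaults.

```python
"""Model of how Keycloak Authorization Services selects permissions for a
UMA ticket grant, based on the 'permission' request parameter.

Added example, not Keycloak code. The ScopePermission structure and the
policy_results mapping are assumptions made to keep the model small.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Grant type used when asking Keycloak's token endpoint for permissions
# (POST /realms/{realm}/protocol/openid-connect/token with a bearer token).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


@dataclass
class ScopePermission:
    """A scope-based permission: one scope, enforced by a list of policies."""
    name: str
    scope: str
    policies: List[str]


# Permissions as configured in the question: every scope carries the
# 'Default' policy, and 'delete' additionally requires the 'Author' policy.
PERMISSIONS = [
    ScopePermission("create-perm", "create", ["Default"]),
    ScopePermission("view-perm", "view", ["Default"]),
    ScopePermission("update-perm", "update", ["Default"]),
    ScopePermission("delete-perm", "delete", ["Default", "Author"]),
    ScopePermission("list-perm", "list", ["Default"]),
]


def token_request_form(audience: str, resource: str, scope: Optional[str] = None) -> Dict[str, str]:
    """Build the form fields for a UMA ticket grant.

    'permission' is either 'resource' (evaluate everything attached to the
    resource) or 'resource#scope' (evaluate only that scope's permissions).
    response_mode=decision asks for a yes/no answer instead of an RPT.
    """
    permission = resource if scope is None else f"{resource}#{scope}"
    return {
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,
        "permission": permission,
        "response_mode": "decision",
    }


def selected_permissions(permission: str, permissions=PERMISSIONS) -> List[ScopePermission]:
    """Permissions the server selects for the given 'permission' parameter."""
    _resource, sep, scope = permission.partition("#")
    if not sep:
        # Whole-resource request: every permission attached to the resource
        # and its scopes is evaluated (this is what made 'Author' run on
        # every call in the question).
        return list(permissions)
    # Scope-specific request: only permissions attached to that scope.
    return [p for p in permissions if p.scope == scope]


def policies_evaluated(permission: str, permissions=PERMISSIONS) -> Set[str]:
    """Set of policy names that get evaluated for the request."""
    evaluated: Set[str] = set()
    for perm in selected_permissions(permission, permissions):
        evaluated.update(perm.policies)
    return evaluated


def is_granted(permission: str, policy_results: Dict[str, bool], permissions=PERMISSIONS) -> bool:
    """Final decision under Keycloak's default 'Unanimous' strategy: every
    selected permission must grant, and a permission grants only if all of
    its policies grant. policy_results maps policy name -> outcome
    (constructed input standing in for the real policy evaluation)."""
    for perm in selected_permissions(permission, permissions):
        if not all(policy_results.get(name, False) for name in perm.policies):
            return False
    return True


if __name__ == "__main__":
    outcomes = {"Default": True, "Author": False}  # caller is not the author
    print(token_request_form("my-api", "Document", "view"))
    print("view  ->", policies_evaluated("Document#view"), is_granted("Document#view", outcomes))
    print("whole ->", policies_evaluated("Document"), is_granted("Document", outcomes))
```

Running it shows the asymmetry from the thread: `Document#view` evaluates only `Default` and is granted, while a bare `Document` request pulls in the `delete` permission, evaluates `Author`, and is denied for a non-author under the unanimous strategy.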
