[keycloak-user] Fine Authorization on User Account Service
Pedro Igor Silva
psilva at redhat.com
Mon Jan 14 13:48:09 EST 2019
The problem is that we don't enforce permissions when users are accessing
the account service. I think we should disable authorization settings for the
account client to avoid confusion.
On Mon, Jan 14, 2019 at 4:32 PM Nikola Malenic <nikola.malenic at netsetglobal.rs> wrote:
> I am trying to disable access to the account service for all users by using
> a JS policy (I have a reason for this).
>
> So what I tried was to put just $evaluation.deny(); in the body of the
> policy, to restrict access to all users.
>
> In the Evaluate tab I can see that this policy is denying access, but when I
> access the account service application via browser I get access.
>
> Does anyone have an idea what could be wrong?
>
> Here is my Authorization config exported:
>
> {
>   "allowRemoteResourceManagement": false,
>   "policyEnforcementMode": "ENFORCING",
>   "resources": [
>     {
>       "name": "account_resource",
>       "type": "urn:account:resources:accountresource",
>       "ownerManagedAccess": false,
>       "displayName": "account_resource",
>       "attributes": {},
>       "_id": "778c2a62-4415-4cf1-a057-a60f0beeb0a4",
>       "uris": [
>         "/*"
>       ]
>     }
>   ],
>   "policies": [
>     {
>       "id": "4de5145d-4d34-411f-9b2a-d99cc361a08c",
>       "name": "auth_method_policy",
>       "description": "Policy based on authentication method used",
>       "type": "js",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "code": "// var context = $evaluation.getContext();\r\n// var identity = context.getIdentity();\r\n// var attributes = identity.getAttributes();\r\n\r\n// if (attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpass')) {\r\n// $evaluation.deny();\r\n// } else {\r\n// $evaluation.deny();\r\n// }\r\n"
>       }
>     },
>     {
>       "id": "e2567a26-aa46-4f0f-aba7-421e35b90615",
>       "name": "auth_based_permission",
>       "type": "resource",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "resources": "[\"account_resource\"]",
>         "applyPolicies": "[\"auth_method_policy\"]"
>       }
>     }
>   ],
>   "scopes": []
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
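Worked example added by the editor; it is not code from either message and not Keycloak's own code. It takes the script of the exported "auth_method_policy" above, removes the "//" markers, and wraps it in a function so it can be run outside Keycloak against a small stand-in for the $evaluation object (the real object is supplied by Keycloak at evaluation time; the stand-in only implements the calls the script uses: getContext(), getIdentity(), getAttributes(), getValue(name), asString(i), grant(), deny()). Two things differ from the posted script and are the editor's choices: the else branch grants instead of denying, so the policy actually distinguishes authentication methods, and a missing chosen_authenticator attribute is treated as a deny (the assumption that Attributes.getValue() returns null for an absent attribute is the editor's, not stated on the page). The script as exported is also kept, because every line of it is commented out, so as posted it calls neither grant() nor deny(); the stand-in reports that case as "none" so it is visible. The sample identities are constructed for the example.

```javascript
// Added example (editor's code, not from the mailing list thread or Keycloak).
// authMethodPolicy is the exported script with its "//" markers removed and
// the else branch changed to grant(). Assumed (not stated on the page):
// Attributes.getValue(name) returns null when the identity lacks the attribute.

function authMethodPolicy($evaluation) {
  var context = $evaluation.getContext();
  var identity = context.getIdentity();
  var attributes = identity.getAttributes();

  var entry = attributes.getValue("chosen_authenticator");
  if (entry === null) {
    // Fail closed: no record of how the user authenticated.
    $evaluation.deny();
    return;
  }

  if (entry.asString(0).endsWith("userpass")) {
    // Username/password login: deny, as in the posted policy.
    $evaluation.deny();
  } else {
    // Any other authenticator: grant (the posted script denied here too).
    $evaluation.grant();
  }
}

// The script exactly as exported: every line is a comment, so it never
// calls grant() or deny().
function exportedPolicyAsPosted($evaluation) {
  // var context = $evaluation.getContext();
  // var identity = context.getIdentity();
  // var attributes = identity.getAttributes();
  // if (attributes.getValue("chosen_authenticator").asString(0).endsWith('userpass')) {
  //   $evaluation.deny();
  // } else {
  //   $evaluation.deny();
  // }
}

// Stand-in for the $evaluation object Keycloak passes to a JS policy.
// Only the calls used above are implemented; the decision is recorded so a
// caller can see whether grant(), deny() or neither was called.
function makeEvaluation(attributeMap) {
  var decision = "none";
  var attributes = {
    getValue: function (name) {
      if (!Object.prototype.hasOwnProperty.call(attributeMap, name)) {
        return null; // assumed behaviour for an absent attribute
      }
      var values = attributeMap[name];
      return { asString: function (i) { return values[i]; } };
    },
  };
  var identity = { getAttributes: function () { return attributes; } };
  var context = { getIdentity: function () { return identity; } };
  return {
    getContext: function () { return context; },
    grant: function () { decision = "grant"; },
    deny: function () { decision = "deny"; },
    decision: function () { return decision; },
  };
}

// Run a policy function against constructed identity attributes and return
// "grant", "deny" or "none".
function decide(policy, attributeMap) {
  var $evaluation = makeEvaluation(attributeMap);
  policy($evaluation);
  return $evaluation.decision();
}

// Constructed sample identities; the attribute values are illustrative only.
var samples = {
  password: { chosen_authenticator: ["auth-userpass"] },
  otp: { chosen_authenticator: ["auth-otp-form"] },
  unknown: {},
};

// Stand-alone run: prints deny, grant, deny, none.
["password", "otp", "unknown"].forEach(function (name) {
  console.log(name + ": " + decide(authMethodPolicy, samples[name]));
});
console.log("as exported: " + decide(exportedPolicyAsPosted, samples.password));
```

Running this shows what the Evaluate tab shows: the policy decides. It does not show enforcement, which is the point of the reply above: a decision only takes effect where a resource server or policy enforcer actually requests one, and the account service does not, so a deny here does not block access to it. Before relying on the fail-closed branch in a real deployment, confirm against your Keycloak version what Attributes.getValue() returns for an attribute the identity does not carry.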
More information about the keycloak-user mailing list