[keycloak-user] Fine Authorization on User Account Service

Pedro Igor Silva psilva at redhat.com
Mon Jan 14 13:48:09 EST 2019


The problem is that we don't enforce permissions when users are accessing
the account service. I think we should disable authorization settings to
account client and avoid confusion.

On Mon, Jan 14, 2019 at 4:32 PM Nikola Malenic <
nikola.malenic at netsetglobal.rs> wrote:

> I am trying to disable access to the account service to all users by using
> js policy (I have a reason for this).
>
> So what I tried is to put just $evaluation.deny(); in the body of the
> policy, to restrict access to all users.
>
> In Evaluate tab I can see that this policy is denying access but when I
> access account service application via browser I get access.
>
>
>
> Does anyone have an idea what could be wrong?
>
>
>
> Here is my Authorization config exported:
>
> {
>   "allowRemoteResourceManagement": false,
>   "policyEnforcementMode": "ENFORCING",
>   "resources": [
>     {
>       "name": "account_resource",
>       "type": "urn:account:resources:accountresource",
>       "ownerManagedAccess": false,
>       "displayName": "account_resource",
>       "attributes": {},
>       "_id": "778c2a62-4415-4cf1-a057-a60f0beeb0a4",
>       "uris": [
>         "/*"
>       ]
>     }
>   ],
>   "policies": [
>     {
>       "id": "4de5145d-4d34-411f-9b2a-d99cc361a08c",
>       "name": "auth_method_policy",
>       "description": "Policy based on authentication method used",
>       "type": "js",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "code": "// var context = $evaluation.getContext();\r\n// var identity = context.getIdentity();\r\n// var attributes = identity.getAttributes();\r\n\r\n// if (attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpass')) {\r\n//     $evaluation.deny();\r\n// } else {\r\n// $evaluation.deny();\r\n// }\r\n"
>       }
>     },
>     {
>       "id": "e2567a26-aa46-4f0f-aba7-421e35b90615",
>       "name": "auth_based_permission",
>       "type": "resource",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "resources": "[\"account_resource\"]",
>         "applyPolicies": "[\"auth_method_policy\"]"
>       }
>     }
>   ],
>   "scopes": []
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
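The exported policy above is worth reading closely: every line of its body is commented out, so the Evaluate tab's "deny" comes from the policy setting no effect at all, and even with the comments removed both branches call deny(). The following is an added example, not code from the thread or from Keycloak: a small stand-in for the $evaluation object that runs the exported policy body against constructed identity attributes. It assumes that Keycloak treats a JS policy that calls neither grant() nor deny() as a deny; and, as Pedro's reply states, none of these decisions are enforced when a user opens the account service, so a deny here is a property of the policy, not of the account console.

```javascript
// Added example (not from the thread or Keycloak): a minimal stand-in for
// Keycloak's $evaluation object, used to show what the exported JS policy decides.
// Assumption: Keycloak treats a JS policy that calls neither grant() nor deny()
// as a deny (default-deny). All attribute values below are constructed.

// Policy body exactly as exported in the thread: every line is commented out.
const EXPORTED_POLICY =
  "// var context = $evaluation.getContext();\r\n" +
  "// var identity = context.getIdentity();\r\n" +
  "// var attributes = identity.getAttributes();\r\n\r\n" +
  "// if (attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpass')) {\r\n" +
  "//     $evaluation.deny();\r\n// } else {\r\n// $evaluation.deny();\r\n// }\r\n";

// The same body with the comment markers removed (what the thread says was intended).
const UNCOMMENTED_POLICY = EXPORTED_POLICY.replace(/^\/\/ ?/gm, "");

// Tiny model of the evaluation context: identity attributes keyed by name, each a
// list of strings, mirroring attributes.getValue(name).asString(index).
function makeEvaluation(attrs) {
  let effect = null; // stays null until grant() or deny() is called
  const attributes = {
    getValue: (name) => ({ asString: (i) => (attrs[name] || [])[i] }),
  };
  return {
    getContext: () => ({ getIdentity: () => ({ getAttributes: () => attributes }) }),
    grant: () => { effect = "PERMIT"; },
    deny: () => { effect = "DENY"; },
    // Assumption: a policy that set no effect is treated as a deny.
    result: () => effect || "DENY",
  };
}

// Run a policy body against constructed identity attributes; returns "PERMIT" or "DENY".
function evaluatePolicy(code, attrs) {
  const $evaluation = makeEvaluation(attrs);
  new Function("$evaluation", code)($evaluation); // same global name Keycloak exposes
  return $evaluation.result();
}

console.log(evaluatePolicy(EXPORTED_POLICY, { chosen_authenticator: ["userpass"] }));   // DENY (no effect set)
console.log(evaluatePolicy(UNCOMMENTED_POLICY, { chosen_authenticator: ["userpass"] })); // DENY (if branch)
console.log(evaluatePolicy(UNCOMMENTED_POLICY, { chosen_authenticator: ["otp"] }));      // DENY (else branch)
console.log(evaluatePolicy("$evaluation.grant();", {}));                                 // PERMIT
```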

