[keycloak-user] AUTHZ How can I provide custom attributes to JS policy?

Brandon Williams brandon at amazee.io
Tue Jun 11 07:54:41 EDT 2019


I'm using authorization services to protect an API (written in node.js). I
would like to use a custom javascript policy that gets information from the
context to determine if a user has access or not. Here's an example:

>  var context = $evaluation.getContext();
>  var contextAttributes = context.getAttributes();
>
>  var myCustomData = contextAttributes.getValue('myCustomData');

This works well when I'm testing the policy via the UI and using the
"Contextual information" section of the evaluate page.

Now I'm trying to figure out how to send that data when I'm doing an authz
check from the API. In my API I'm using the "keycloak-connect" library and
using the grant manager to send authz requests. Link to relevant code:
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L106

My assumption is that I can add "myCustomData" to the claim_token for this
request, and it would be made available in the contextAttribute. I'm
following the examples to build the claim from these docs
https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushing_claims

Whenever I try to add arbitrary data as a claim, even simple strings, I get
errors from the Keycloak API that it can't find the bearer token. Just removing
the claim_token makes the requests work.

My two questions are: Is adding data as a claim the correct way to push
data into the policy evaluation context? If so, why are my claims failing
the requests?

Thanks,
Brandon Williams
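
Added example (not part of the original post and not keycloak-connect code): one way to build the form body for a permission request with pushed claims, following the claim_token description in the linked Keycloak documentation (a base64-encoded JSON object whose claim values are arrays of strings). The helper names and the sample claim values are hypothetical, and the request's own authentication is not shown.

```javascript
'use strict';
// Added example. Parameter names follow the Keycloak "pushing claims" docs;
// function names and sample claim values are constructed for illustration.

const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';
const JWT_FORMAT = 'urn:ietf:params:oauth:token-type:jwt';

// Encode pushed claims as base64(JSON). Every claim value must end up as an
// array of strings: a bare string is wrapped, anything else is rejected.
function encodeClaimToken(claims) {
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new TypeError('claims must be a plain object');
  }
  const normalized = {};
  for (const [name, value] of Object.entries(claims)) {
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      if (typeof v !== 'string') {
        throw new TypeError(`claim "${name}" must contain only strings`);
      }
    }
    normalized[name] = values;
  }
  return Buffer.from(JSON.stringify(normalized), 'utf8').toString('base64');
}

// Inverse of encodeClaimToken, useful for checking what is actually sent.
function decodeClaimToken(token) {
  return JSON.parse(Buffer.from(token, 'base64').toString('utf8'));
}

// Build the x-www-form-urlencoded body for the token endpoint.
// URLSearchParams percent-encodes '+', '/' and '=' from the base64 text, so
// the value is not altered by form decoding on the server side.
function buildAuthzRequestBody({ audience, permission, claims }) {
  const body = new URLSearchParams();
  body.set('grant_type', UMA_GRANT);
  body.set('audience', audience);
  if (permission) body.set('permission', permission);
  if (claims) {
    body.set('claim_token', encodeClaimToken(claims));
    body.set('claim_token_format', JWT_FORMAT);
  }
  return body.toString();
}
```

Claims pushed this way are supplied by the client, so a policy that reads them from the evaluation context is trusting whatever the calling service sends.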

