[keycloak-user] AUTHZ How can I provide custom attributes to JS policy?

Pedro Igor Silva psilva at redhat.com
Tue Jun 11 09:38:53 EDT 2019


I'm not sure why this change is not in the latest documentation, but here
is how [1] [2] you pass additional claims to your policies when using
node.js adapter.

I would just add that in order to push claims the request should be made by
a resource server (your client configured with the authz services). Public
clients cannot perform such requests as they can be easily manipulated.

[1]
https://github.com/keycloak/keycloak-documentation/pull/654/files#diff-024749afb352586c692443c010585e24R218
[2]
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177

On Tue, Jun 11, 2019 at 8:56 AM Brandon Williams <brandon at amazee.io> wrote:

> I'm using authorization services to protect an API (written in node.js). I
> would like to use a custom javascript policy that gets information from the
> context to determine if a user has access or not. Here's an example:
>
> >  var context = $evaluation.getContext();
> >  var contextAttributes = context.getAttributes();
> >
> >  var myCustomData = contextAttributes.getValue('myCustomData');
>
> This works well when I'm testing the policy via the UI and using the
> "Contextual information" section of the evaluate page.
>
> Now I'm trying to figure out how to send that data when I'm doing an authz
> check from the API. In my API I'm using the "keycloak-connect" library and
> using the grant manager to send authz requests. Link to relevant code:
>
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L106
>
> My assumption is that I can add "myCustomData" to the claim_token for this
> request, and it would be made available in the contextAttribute. I'm
> following the examples to build the claim from these docs
>
> https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushing_claims
>
> Whenever I try to add arbitrary data as a claim, even simple strings, I get
> errors from keycloak API that it can't find the bearer token. Just removing
> the claim_token makes the requests work.
>
> My two questions are: Is adding data as a claim the correct way to push
> data into the policy evaluation context? If so, why are my claims failing
> the requests?
>
> Thanks,
> Brandon Williams
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

