[keycloak-user] AUTHZ How can I provide custom attributes to JS policy?
Brandon Williams
brandon at amazee.io
Tue Jun 11 10:35:51 EDT 2019
[forgot to reply all, forwarding to list in case others have same problem]
Thanks for the links, I found those methods via other means and was using
them already. Thanks for confirming that setting claims is the correct way
to push data into the policies.
Most of all, thanks for "just adding" that pushing claims requires a
service account. That was the part I missed and changing that everything is
working as expected now!
On Tue, Jun 11, 2019 at 8:39 AM Pedro Igor Silva <psilva at redhat.com> wrote:
> I'm not sure why this change is not in the latest documentation, but here
> is how [1] [2] you pass additional claims to your policies when using
> node.js adapter.
>
> I would just add that in order to push claims the request should be made
> by a resource server (your client configured with the authz services).
> Public clients cannot perform such requests as they can be easily
> manipulated.
>
> [1]
> https://github.com/keycloak/keycloak-documentation/pull/654/files#diff-024749afb352586c692443c010585e24R218
> [2]
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177
>
> On Tue, Jun 11, 2019 at 8:56 AM Brandon Williams <brandon at amazee.io>
> wrote:
>
>> I'm using authorization services to protect an API (written in node.js). I
>> would like to use a custom javascript policy that gets information from the
>> context to determine if a user has access or not. Here's an example:
>>
>> > var context = $evaluation.getContext();
>> > var contextAttributes = context.getAttributes();
>> >
>> > var myCustomData = contextAttributes.getValue('myCustomData');
>>
>> This works well when I'm testing the policy via the UI and using the
>> "Contextual information" section of the evaluate page.
>>
>> Now I'm trying to figure out how to send that data when I'm doing an authz
>> check from the API. In my API I'm using the "keycloak-connect" library and
>> using the grant manager to send authz requests. Link to relevant code:
>>
>> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L106
>>
>> My assumption is that I can add "myCustomData" to the claim_token for this
>> request, and it would be made available in the contextAttribute. I'm
>> following the examples to build the claim from these docs
>>
>> https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushing_claims
>>
>> Whenever I try to add arbitrary data as a claim, even simple strings, I get
>> errors from keycloak API that it can't find the bearer token. Just removing
>> the claim_token makes the requests work.
>>
>> My two questions are: Is adding data as a claim the correct way to push
>> data into the policy evaluation context? If so, why are my claims failing
>> the requests?
>>
>> Thanks,
>> Brandon Williams
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>