
List:       keycloak-user
Subject:    [keycloak-user] Authorization Policy evaluation for specific REST method (verb)
From:       Ori.Doolman () amdocs ! com (Ori Doolman)
Date:       2018-09-27 17:26:05
Message-ID: DB7PR06MB44741943ABF742032FDFA68D92140 () DB7PR06MB4474 ! eurprd06 ! prod ! outlook ! com

Hello,

We're using authorization services and Keycloak 2.5.X.
We want to have different policies for a REST endpoint with different verbs (GET, PUT). We have everything configured at the Keycloak server side (PDP), through the web admin UI. We don't use the Policy Enforcer JSON configuration.

We have configured:

  *   Permission P1 for Resource X (URL X) and scope 'GET' mapped to Policy 'POLICY-1'.
  *   Permission P2 for Resource X (URL X) and scope 'PUT' mapped to Policy 'POLICY-2'.

What we see is that both policies are BEING evaluated, while we expected only one of them to be, according to the actual HTTP verb provided at runtime. By reading the source code, we understand that because we don't use the policy enforcer adapter configuration (JSON file at client side), the list of required scopes sent with the permission request is empty and therefore all the scopes associated to the resource and permission are being evaluated.

We could work around this by utilizing the policy enforcer configuration file, but we would really like to do the configuration in a single place at the server side (we have many clients and microservices).

My questions are the following:

  1.  Is there any way to enforce evaluation of only one of the permissions above (the one according to the relevant scope/verb)? Or maybe it was changed in a later version? I see that the code of getRequiredScopes is different (adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java).

  2.  Why are there different configuration capabilities in the Admin UI (server side) and the Policy Enforcer adapter JSON file (client side)? In the latter, we can configure the "method" like PUT/GET/POST/DELETE for the match, while if we use the server side configuration, we lack the ability to match the method per URL. Again, is that something that was changed in a later version?



Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)
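Added example (not part of the original message): a client that names the resource and scope it needs in its permission request, so the server evaluates only the permission bound to that scope rather than every scope on the resource. It assumes Keycloak's UMA-ticket grant on the token endpoint (present in later Keycloak releases, not in 2.5.X), plus constructed server URL, realm, client id and sample response.

```python
import json
import urllib.parse
import urllib.request

# Assumed deployment values (constructed for this example).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "demo"
CLIENT_ID = "resource-x-service"  # the client acting as resource server for Resource X

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(client_id, resource, scopes):
    """Form fields for a token-endpoint request naming exactly the
    resource#scope pairs to evaluate, e.g. 'Resource X#GET'. Leaving the
    scope out is what causes every scope on the resource to be evaluated."""
    return {
        "grant_type": UMA_GRANT,
        "audience": client_id,
        "permission": [f"{resource}#{s}" for s in scopes],
        "response_mode": "permissions",  # just the granted list, not a full RPT
    }


def request_permissions(access_token, resource, scopes):
    """POST to the realm token endpoint and return the granted permission list."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    fields = build_rpt_request(CLIENT_ID, resource, scopes)
    data = urllib.parse.urlencode(fields, doseq=True).encode()  # repeats 'permission='
    req = urllib.request.Request(url, data=data,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def scope_granted(permissions, resource, scope):
    """True only if the server granted that resource with that specific scope."""
    return any(p.get("rsname") == resource and scope in p.get("scopes", [])
               for p in permissions)


# Constructed sample of a 'permissions' response: POLICY-1 granted GET only.
SAMPLE_RESPONSE = [{"rsid": "11111111-2222-3333-4444-555555555555",
                    "rsname": "Resource X", "scopes": ["GET"]}]

if __name__ == "__main__":
    # Offline check against the constructed sample; a PUT handler must deny here.
    print("GET allowed:", scope_granted(SAMPLE_RESPONSE, "Resource X", "GET"))
    print("PUT allowed:", scope_granted(SAMPLE_RESPONSE, "Resource X", "PUT"))
```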
