Keycloak -18.0.1 issue with authorization and multiple polices/permissions

31 views
Skip to first unread message

Gagan Noor Singh

unread,
Oct 12, 2022, 3:29:24 AM10/12/22
to Keycloak Dev

Hi, we are getting issue with multiple policies/permission.

  1. Policy A - user A with scope A,B,C works fine.
  2. Policy B - user B with scope B,C,D gives 403.

If User B is added to Policy A it works fine and retunes combined result of scope A,B,C,D

Both Policies are Positive and Both Permissions are Affirmative.

In Evaluate page it shows as expected but from Postman it gives error

JSON from Authorization Export

{
“allowRemoteResourceManagement”: false,
“policyEnforcementMode”: “ENFORCING”,
“resources”: [
{
“name”: “ResourceA”,
“type”: “urn:generic-rest-api:resources:employees”,
“ownerManagedAccess”: false,
“attributes”: {},
“_id”: “1b41c828-b78f-44da-84ab-e62a0b4843b5”,
“uris”: [
“/v1/employees/"
],
“scopes”: [
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:accessRole:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:address:view”
}
]
},
{
“name”: “ResourceB”,
“type”: “urn:generic-rest-api:resources:employees”,
“ownerManagedAccess”: false,
“displayName”: “ResourceB”,
“attributes”: {},
“_id”: “6237e427-55ef-4c1e-9e3d-714e5bfe31c9”,
“uris”: [
"/v1/employees/

],
“scopes”: [
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:companyid:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:authorizedAmount:view”
}
]
},
{
“name”: “Default Resource”,
“type”: “urn:employee-rest-api:resources:default”,
“ownerManagedAccess”: false,
“attributes”: {},
“_id”: “fb476666-f779-4a86-8234-d49e897f6405”,
“uris”: [
“/*”
]
}
],
“policies”: [
{
“id”: “1e08f5f3-a766-416b-9448-50716dd0580b”,
“name”: “PolicyB”,
“type”: “user”,
“logic”: “POSITIVE”,
“decisionStrategy”: “UNANIMOUS”,
“config”: {
“users”: “["UserB"]”
}
},
{
“id”: “8f90f109-0c7b-4caa-9620-50b7d36bd463”,
“name”: “Default Policy”,
“description”: “A policy that grants access only for users within this realm”,
“type”: “js”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“code”: “// by default, grants any permission associated with this policy\n$evaluation.grant();\n”
}
},
{
“id”: “c4ce02d8-cb2d-479f-ad22-82f092535b1b”,
“name”: “PolicyA”,
“type”: “user”,
“logic”: “POSITIVE”,
“decisionStrategy”: “UNANIMOUS”,
“config”: {
“users”: “["UserA"]”
}
},
{
“id”: “29f9ae37-afa9-4a98-864f-bc9f8dd7a783”,
“name”: “PermissionA”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“resources”: “["ResourceA"]”,
“applyPolicies”: “["PolicyA"]”
}
},
{
“id”: “3b71972f-3754-464d-99b6-f5c11e5962cc”,
“name”: “PermissionB”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“resources”: “["ResourceB"]”,
“applyPolicies”: “["PolicyB"]”
}
},
{
“id”: “3f21cf9d-f0b4-4b54-a3b9-5cbc4c1f060c”,
“name”: “Default Permission”,
“description”: “A permission that applies to the default resource type”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“defaultResourceType”: “urn:employee-rest-api:resources:default”,
“applyPolicies”: “["Default Policy"]”
}
}
],
“scopes”: [
{
“id”: “c14170f6-0ef7-416e-bde8-c394f6f3ed13”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“id”: “1d88b211-7961-4a2b-bfae-696566366f1f”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:adusertype:view”
},
{
“id”: “bfa6a52a-46de-4e86-8c72-4ea738752cd0”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:accessRole:view”
},
{
“id”: “f646b5af-bcc4-42a5-b135-de5d0c78ac5b”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:address:view”
},
{
“id”: “50286c2a-b0b4-423b-ac99-9b7b64bdebee”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:authorizedAmount:view”
},
{
“id”: “08140d1b-1c51-4563-96c4-4f6a628e9933”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:companyid:view”
}
],
“decisionStrategy”: “UNANIMOUS”
}


Reply all
Reply to author
Forward
0 new messages