
I'm trying to enable a flow where an admin user, via an admin client, is able to create users and obtain their access tokens to be used for other clients.

I have Keycloak set up with token exchange and fine-grained authz enabled, and clients configured. I'm able to log in my admin user via the REST API, then exchange the token. But when I specify an audience I get an error.

This one returns a token, but I need a token for another client/audience.

http -f POST https://my-keycloak-server.com/auth/admin/realms/my-realm/protocol/openid-connect/token grant_type=urn:ietf:params:oauth:grant-type:token-exchange requested_subject=1a147915-53fe-454d-906a-186fecfa6974 client_id=api-admin client_secret=23a4ecbe-a9e8-448c-b36a-a45fa1082e6e subject_token=eyJhbGeiOiJSUzI1NiIs...... 

This one fails with an error.

http -f POST https://my-keycloak-server.com/auth/admin/realms/my-realm/protocol/openid-connect/token grant_type=urn:ietf:params:oauth:grant-type:token-exchange requested_subject=1a147915-53fe-454d-906a-186fecfa6974 client_id=api-admin client_secret=23a4ecbe-a9e8-448c-b36a-a45fa1082e6e subject_token=eyJhbGeiOiJSUzI1NiIs...... audience=my-another-client
{
    "error": "access_denied", 
    "error_description": "Client not allowed to exchange"
}

So I tried to set up fine-grained auth for the target audience client (enabled it in the tab, then tried to add a policy allowing my admin user to exchange tokens), but when I want to add the policy that will allow my admin user to perform the token exchange I'm stuck on a UI error.

When typing the policy name I get a 404 when Keycloak looks for name collisions. AFAIK a 404 in this case shouldn't block the form from posting, because it means there is no name collision. Instead I get instantly redirected with an error.

https://my-keycloak-server.com/auth/admin/realms/my-realm/clients/1bafa9a4-f7e2-422c-9188-58ea95db32ef/authz/resource-server/policy/search?name=some-name

At the end of the day I can't add any policy in Keycloak. Every time, form validation ends up crashing because of the 404 (policy name not found).

I'm using dockerized Keycloak 10.0.0.

Any ideas?

nomysz
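The exchange request above, as an added example in Python (not code from the question or from Keycloak): it sends the same form fields as the failing httpie call, turns Keycloak's `{"error", "error_description"}` reply into a readable result, and checks that a returned token really carries the requested audience in its `aud` claim. Assumptions: the standard token endpoint path `/auth/realms/<realm>/protocol/openid-connect/token`, placeholder server/client values, and a locally constructed unsigned sample JWT for the offline check.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"

def interpret_response(status, body):
    # Keycloak returns {"error", "error_description"} on failure; "Client not
    # allowed to exchange" means the requesting client lacks the token-exchange
    # permission on the target (audience) client's fine-grained settings.
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return ("ok", data["access_token"])
    return ("error", f"{data.get('error')}: {data.get('error_description')}")

def jwt_claims(token):
    # Decode the payload only; the signature is NOT verified here, so use
    # this to inspect a token, never to trust it.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_audience(access_token, audience):
    # Confirm the exchanged token was really minted for the requested client.
    aud = jwt_claims(access_token).get("aud", [])
    return audience in ([aud] if isinstance(aud, str) else list(aud))

def exchange(base_url, realm, client_id, client_secret, subject_token,
             requested_subject, audience):
    # Live call with the same form fields as the httpie request (assumed endpoint path).
    form = {"grant_type": TOKEN_EXCHANGE, "client_id": client_id,
            "client_secret": client_secret, "subject_token": subject_token,
            "requested_subject": requested_subject, "audience": audience}
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req) as resp:
            status, token = interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return interpret_response(exc.code, exc.read())
    if status == "ok" and not check_audience(token, audience):
        return ("error", f"token is not for audience {audience}")
    return (status, token)

def _unsigned_jwt(claims):
    # Constructed, unsigned sample token for the offline demonstration only.
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"

SAMPLE_TOKEN = _unsigned_jwt({"aud": "my-another-client", "azp": "api-admin"})
```

Calling `exchange(...)` against a real server with a hypothetical `audience` that the requesting client is not permitted to exchange for yields the same `access_denied: Client not allowed to exchange` result shown in the question.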

1 Answer


I hacked it by live-editing the AngularJS UI script function that performs the verification, at line 2403.

this.checkNameAvailability = function (onSuccess) {
    // Nothing to check for an empty name.
    if (!$scope.policy.name || $scope.policy.name.trim().length == 0) {
        return;
    }
    // Ask the admin REST API whether a policy with this name already exists.
    ResourceServerPolicy.search({
        realm: $route.current.params.realm,
        client: client.id,
        name: $scope.policy.name
    }, function (data) {
        // A hit belonging to a different policy means the name is taken.
        if (data && data.id && data.id != $scope.policy.id) {
            Notifications.error("Name already in use by another policy or permission, please choose another one.");
        } else {
            onSuccess();
        }
    });
};

to

this.checkNameAvailability = function (onSuccess) {
    // Skip the name-collision lookup entirely and submit the form.
    onSuccess();
};

And that ended up with a successfully added policy. It still looks like a UI bug.

nomysz