My Spring Boot Application with policy enforcer works fine. But when I add via my SPI some custom claims to the authorization->permission part of the RPT token then I am always getting: Policy enforcement result for path [http://localhost:8989/customers/1] is : DENIED

I have these lines in application.properties :

keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].path=/customers/*
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view

My RPT token looks like:

"authorization": {
  "permissions": [
    {
      "scopes": [
        "view"
      ],
      "claims": {
        "customers:view:country": [
          "[Belgium]"
        ]
      },
      "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
      "rsname": "customers"
    }
  ]
},

When the "claims" part is added access is denied.

Any idea why it is always denied? The policy enforcer should actually ignore those additions, right? It should evaluate access based on resource and scope in the RPT token.

Is there a way to disable this additional claims check?

Ertu
  • Keycloak moved to Github issues I guess, please raise it there. https://github.com/keycloak/keycloak/issues – Shankar Yadav Jun 20 '22 at 04:38
  • I have tested this scenario at my end and the error is the same. Did further digging into the adapter code and it turns out that the adapter is expecting the same claim requested in the RPT request. You can verify this by adding the below prop. `keycloak.policy-enforcer-config.claim-information-point-config.claims[countries]={request.header['countries']}` Once you add this it will work; will raise to Keycloak – Shankar Yadav Jun 20 '22 at 12:00
  • I discovered that already. If I add "keycloak.policy-enforcer-config.paths[0].claimInformationPointConfig.claims[customers:view:country]" in application.properties it is working. But... what's worse is that the policy enforcer is doing another call to the Keycloak server. For performance reasons that's not acceptable. RPTs should be evaluated without an extra call to the Keycloak server. But when adding additional claims to the authorization-permissions part of the RPT an extra call is made. I suppose that it is a bug. – Ertu Jun 20 '22 at 12:38
  • Glad you figured it out. Will you raise it to Keycloak..? – Shankar Yadav Jun 20 '22 at 13:01
  • https://github.com/keycloak/keycloak/issues/12598 – Ertu Jun 20 '22 at 13:11
  • https://github.com/keycloak/keycloak/issues/12602 – Ertu Jun 20 '22 at 14:43
  • @ShankarYadav I saw you added https://github.com/keycloak/keycloak/issues/12601 Thank you! I regard this more as an enhancement than a bug. – Ertu Jun 20 '22 at 14:45
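As an added illustration (not code from the question, the comments, or Keycloak itself), the following Python evaluator does what the question expects the enforcer to do: match the request against the `paths[N]` entries from `application.properties` and decide PERMIT or DENIED from the resource name and scopes in the RPT's `authorization.permissions` alone, so that a custom `claims` entry in a permission has no effect on the outcome. The properties parsing, the `PATH_TO_RESOURCE` mapping and the deny-by-default for unconfigured paths are assumptions of this example; the real adapter resolves resources from the Keycloak server and, as the comments note, contacts the server again when claim-information-point claims are configured. The RPT payload is the decoded claim set from the question, constructed inline; signature and expiry verification of the token happen before this step in a real service and are not modelled here.

```python
import copy
import fnmatch

# Constructed sample: the enforcer lines from the question's application.properties.
PROPERTIES = """
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].path=/customers/*
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view
"""

# Constructed sample: the decoded "authorization" claim of the RPT from the question,
# including the custom "claims" entry. Signature and expiry checks are assumed done.
RPT_PAYLOAD = {
    "authorization": {
        "permissions": [
            {
                "scopes": ["view"],
                "claims": {"customers:view:country": ["[Belgium]"]},
                "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
                "rsname": "customers",
            }
        ]
    }
}

# Assumption of this example: which resource name each configured path refers to.
# The real adapter resolves this from the resources registered on the Keycloak server.
PATH_TO_RESOURCE = {"/customers/*": "customers"}

PREFIX = "keycloak.policy-enforcer-config.paths["


def parse_enforcer_paths(properties: str) -> list:
    """Turn paths[N].path / paths[N].methods[M].method / .scopes[K] keys into rules."""
    rules = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        idx, _, field = key[len(PREFIX):].partition("].")  # e.g. "0].methods[0].method"
        rule = rules.setdefault(int(idx), {"path": None, "methods": {}})
        if field == "path":
            rule["path"] = value
        elif field.startswith("methods["):
            m_idx, _, m_field = field[len("methods["):].partition("].")
            method = rule["methods"].setdefault(int(m_idx), {"method": None, "scopes": []})
            if m_field == "method":
                method["method"] = value.upper()
            elif m_field.startswith("scopes["):
                method["scopes"].append(value)
    return [rules[i] for i in sorted(rules)]


def evaluate(rpt_payload: dict, rules: list, http_method: str, request_path: str) -> str:
    """Decide PERMIT/DENIED from the resource name and scopes in the RPT only.

    Anything else inside a permission (such as "claims") is ignored. Unconfigured
    paths are denied here, which is a simplification of the real adapter.
    """
    permissions = rpt_payload.get("authorization", {}).get("permissions", [])
    for rule in rules:
        if rule["path"] is None or not fnmatch.fnmatchcase(request_path, rule["path"]):
            continue
        resource = PATH_TO_RESOURCE.get(rule["path"])
        for method_rule in rule["methods"].values():
            if method_rule["method"] != http_method.upper():
                continue
            required = set(method_rule["scopes"])
            for perm in permissions:
                if perm.get("rsname") == resource and required <= set(perm.get("scopes", [])):
                    return "PERMIT"
            return "DENIED"  # resource/scope not granted in the RPT
        return "DENIED"      # path configured, but not for this HTTP method
    return "DENIED"          # no configured path matched


def strip_permission_claims(rpt_payload: dict) -> dict:
    """Copy of the payload with every permission's custom "claims" entry removed."""
    stripped = copy.deepcopy(rpt_payload)
    for perm in stripped.get("authorization", {}).get("permissions", []):
        perm.pop("claims", None)
    return stripped


if __name__ == "__main__":
    rules = parse_enforcer_paths(PROPERTIES)
    for label, payload in (("with claims", RPT_PAYLOAD),
                           ("without claims", strip_permission_claims(RPT_PAYLOAD))):
        print(label, "GET /customers/1 ->", evaluate(payload, rules, "GET", "/customers/1"))
    print("POST /customers/1 ->", evaluate(RPT_PAYLOAD, rules, "POST", "/customers/1"))
```

Running it gives PERMIT for `GET /customers/1` both with and without the `claims` entry and DENIED for `POST /customers/1`, which is the behaviour the question expects from a purely local RPT evaluation. Keeping the decision local is also what makes the extra server round-trip mentioned in the comments avoidable: the only inputs are the already-verified token and the adapter's own path configuration.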

0 Answers