
Regression in proper handling of public endpoints in AbstractPolicyEnforcer


      Description

      Based on this ticket: KEYCLOAK-3830

      Authorization should be skipped in case of public endpoints with DISABLED enforcement mode.

      This is not true in the case of version 4.3.Final.

      In case of no security context (anonymous access), despite the endpoints being public, response code 403 is returned together with the correct body.

          if (EnforcementMode.DISABLED.equals(enforcementMode)) {
              return createEmptyAuthorizationContext(true);
          }

          Request request = httpFacade.getRequest();
          PathConfig pathConfig = getPathConfig(request);
          KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

          if (securityContext == null) {
              if (!isDefaultAccessDeniedUri(request)) {
                  if (pathConfig != null) {
                      challenge(pathConfig, getRequiredScopes(pathConfig, request), httpFacade);
                  } else {
                      handleAccessDenied(httpFacade);
                  }
              }
              return createEmptyAuthorizationContext(false);
          }

      The path's enforcement mode is not even taken into consideration in such a case -> createEmptyAuthorizationContext(false) is always returned.

      In my opinion, despite the missing security context, the path config should be evaluated before this check is made, and it should work the same way as the whole PolicyEnforcer's EnforcementMode.DISABLED does.
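      To make the proposed ordering concrete, the following is an added, self-contained model of the anonymous-request branch; it is not Keycloak's code. EnforcementMode, Outcome, PathConfig and authorizeAnonymous are simplified stand-ins (the isDefaultAccessDeniedUri branch is left out), and the sample paths are constructed for the illustration.

```java
// Added illustration, not Keycloak code: the anonymous-request branch with the
// path-level enforcement mode consulted before the missing-security-context denial.
import java.util.Map;

public class PublicPathCheck {
    enum EnforcementMode { ENFORCING, PERMISSIVE, DISABLED }
    enum Outcome { GRANTED, CHALLENGE, ACCESS_DENIED }

    // Stand-in for PolicyEnforcerConfig.PathConfig: only the fields this check needs.
    record PathConfig(String path, EnforcementMode enforcementMode) {}

    /** Outcome for a request that carries no security context (anonymous access). */
    static Outcome authorizeAnonymous(EnforcementMode enforcerMode, PathConfig pathConfig) {
        // Enforcer-wide DISABLED already short-circuits in the original code.
        if (enforcerMode == EnforcementMode.DISABLED) {
            return Outcome.GRANTED;
        }
        // The regression in the report: the 4.3 code never consults the path's own
        // mode when securityContext == null, so a DISABLED (public) path is challenged.
        if (pathConfig != null && pathConfig.enforcementMode() == EnforcementMode.DISABLED) {
            return Outcome.GRANTED;
        }
        // Remaining anonymous cases keep the original behaviour: a known path is
        // challenged, an unknown one is denied.
        return pathConfig != null ? Outcome.CHALLENGE : Outcome.ACCESS_DENIED;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: one public path, one protected path.
        Map<String, PathConfig> paths = Map.of(
            "/public/health", new PathConfig("/public/health", EnforcementMode.DISABLED),
            "/api/orders", new PathConfig("/api/orders", EnforcementMode.ENFORCING));
        for (String p : new String[] {"/public/health", "/api/orders", "/unknown"}) {
            System.out.println(p + " -> " + authorizeAnonymous(EnforcementMode.ENFORCING, paths.get(p)));
        }
    }
}
```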

              People

              • Assignee:
                pcraveiro Pedro Igor
              • Reporter:
                daniel.piotr.hajduk Daniel Hajduk