  1. Keycloak
  2. KEYCLOAK-9451

Policy evaluation fails when not evaluated against a particular resource

    Details

    • Steps to Reproduce:
      1. Have a permission with a scope associated to a policy.
      2. Have a policy that evaluates whether a simple role is present.
      3. Have a user token with that role.
      4. Call the API to get authorization for the user.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      I'm currently using 4.4.0; after upgrading to the latest, I've found that the behaviour has changed.

      I'm currently making a request to Keycloak to figure out if the user is allowed to create resources, i.e. the policy evaluates to PASS.
      When using the Keycloak Java API to authorize a request for a user against no particular user, I get a Null Pointer Exception on Keycloak when it collects the policy evaluation results.

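       import org.keycloak.representations.idm.authorization.AuthorizationRequest;
       import org.keycloak.representations.idm.authorization.AuthorizationResponse;

       // client is assumed to be an org.keycloak.authorization.client.AuthzClient
       AuthorizationRequest request = new AuthorizationRequest();
       request.setSubjectToken(userToken);
       request.addPermission(resource, scope);
       AuthorizationResponse authorization = client.authorization(userToken).authorize(request);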

      I've attached the stacktrace produced on the server.

      This comes from this line which assumes that the resource is always required.

      The Java API doesn't hint that the resource id is required, and up to 4.4.0 this was working just fine and I was able to run a policy evaluation against a user token just fine.
      Could you please clarify?

      Thanks!

              People

              • Assignee:
                pcraveiro Pedro Igor
                Reporter:
                fmayoral.practiv Fernando Mayoral