Red Hat 3scale API Management
THREESCALE-1867

RH SSO Role Check Policy "client" description is inaccurate


Details

    • Bug
    • Resolution: Done
    • Major
    • 2.6 ER1
    • 2.4 GA, SaaS
    • Gateway
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Workaround Exists

      Use liquid instead.

      client: "{{ jwt.aud }}"
      client type: Evaluate 'value' as liquid


    Description

      When creating an RHSSO Role Check Policy and adding a client role to the policy, it offers the following description of "client":

      Client of the role. When this is not defined, this policy uses the 'aud' claim as the client.

      The default behavior does not appear to be accurate, as leaving the client blank results in the following error log in apicast:

      2019/01/25 17:23:42 [debug] 21#21: *43 [lua] keycloak_role_check.lua:141: match_client_roles(): Client 'nil' was not found in the access token.

      Along with the error log, the role check does not actually function when using blacklisting, since the JWT will not have the correct client ("nil").

      This behavior should either be fixed so it works, or removed from the description since liquid can be used if that behavior is desired.
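The following Python is an added example, not code from this issue, APIcast or 3scale: it models a client-role check so that the reported behaviour (an unset client passed through as nil) can be compared with the behaviour the description promised (fall back to the token's aud claim) and with the Liquid workaround (an explicit client taken from aud). The claim layout (aud, resource_access.<client>.roles) follows Keycloak access tokens; the tokens are constructed, the whitelist/blacklist semantics are assumed from the policy's mode names, and all function names are this example's own.

```python
"""Added example (not code from the issue, APIcast or 3scale): a model of how a
client-role check behaves when 'client' is left unset versus resolved from the
token's 'aud' claim. Claim layout follows Keycloak access tokens; all tokens
below are constructed, and the function names are this example's own."""

# Constructed decoded access token (claims only; signature verification is out
# of scope here). Per RFC 7519 'aud' may be a single string or an array.
TOKEN_SINGLE_AUD = {
    "aud": "inventory-api",
    "realm_access": {"roles": ["user"]},
    "resource_access": {
        "inventory-api": {"roles": ["admin"]},
        "account": {"roles": ["manage-account"]},
    },
}

TOKEN_ARRAY_AUD = {
    "aud": ["account", "inventory-api"],
    "resource_access": {
        "inventory-api": {"roles": ["admin"]},
    },
}


def aud_clients(jwt):
    """Normalise the 'aud' claim to a list of client IDs ([] when absent)."""
    aud = jwt.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def token_has_client_role(jwt, client, role):
    """True if resource_access[client].roles contains role.

    A None client mirrors the reported defect: the policy looked up client
    'nil', which no token contains, so nothing ever matches."""
    if client is None:
        return False
    roles = jwt.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles


def client_role_matches(jwt, role, client=None, fallback_to_aud=False):
    """Resolve which client(s) to check, then test for the role.

    client=None with fallback_to_aud=False reproduces the reported behaviour;
    fallback_to_aud=True implements what the policy description promised
    (use 'aud' when client is not defined); an explicit client is what the
    Liquid workaround '{{ jwt.aud }}' yields for a single-valued aud."""
    if client is not None:
        candidates = [client]
    elif fallback_to_aud:
        candidates = aud_clients(jwt)
    else:
        candidates = [None]
    return any(token_has_client_role(jwt, c, role) for c in candidates)


def request_allowed(jwt, mode, role, client=None, fallback_to_aud=False):
    """Apply the policy mode (assumed semantics): whitelist allows only when
    the role is present, blacklist denies when it is present."""
    matched = client_role_matches(jwt, role, client, fallback_to_aud)
    if mode == "whitelist":
        return matched
    if mode == "blacklist":
        return not matched
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Reported defect: blacklisting 'admin' with client unset fails open.
    print(request_allowed(TOKEN_SINGLE_AUD, "blacklist", "admin"))  # True
    # Documented behaviour, had it worked: fall back to 'aud'.
    print(request_allowed(TOKEN_SINGLE_AUD, "blacklist", "admin",
                          fallback_to_aud=True))  # False
    # Workaround: client supplied explicitly (what the Liquid template yields).
    print(request_allowed(TOKEN_SINGLE_AUD, "blacklist", "admin",
                          client="inventory-api"))  # False
    # The same defect in whitelist mode fails closed instead.
    print(request_allowed(TOKEN_SINGLE_AUD, "whitelist", "admin"))  # False
```

The model makes the security consequence of the report explicit: with the client resolving to nil, a blacklist never matches and so denies nothing (fail open), while a whitelist never matches and so denies everything (fail closed), which is why the defect is visible specifically with blacklisting. The array-valued aud case is included because a single-valued Liquid template such as `{{ jwt.aud }}` only covers tokens whose aud is one client ID.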

      People

        Unassigned
        rhn-support-spoole Shannon Poole
        David Ortiz (Inactive)
        Votes: 0
        Watchers: 4