My Spring Boot Application with policy enforcer works fine. But when I add via my SPI some custom claims to the authorization->permission part of the RPT token then I am always getting: Policy enforcement result for path [http://localhost:8989/customers/1] is : DENIED
I have these lines in application.properties:
keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].path=/customers/*
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view
My RPT token looks like:
"authorization": {
    "permissions": [
        {
            "scopes": [
                "view"
            ],
            "claims": {
                "customers:view:country": [
                    "[Belgium]"
                ]
            },
            "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
            "rsname": "customers"
        }
    ]
},
When the "claims" part is added, access is denied.
Any idea why it is always denied? The policy enforcer should actually ignore those additions, right? It should evaluate access based on resource and scope in the RPT token.
Is there a way to disable this additional claims check?
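As an added illustration (this is not code from the original post and not Keycloak's own enforcer), the following Python sketch shows the decision the poster expects: match the request path and method against the configured paths, then look for an RPT permission with the right "rsname" and "scopes", ignoring any "claims" entry. The path config carries an assumed "name" attribute to tie the path to the resource, the function names are hypothetical, the sample RPT block is constructed from the shape shown above, and unconfigured paths are treated as denied to mimic enforcing mode. A real enforcer must verify the RPT signature before trusting its contents; that step is out of scope here.

```python
"""Minimal resource/scope check over an RPT "authorization" block.

Added example, not from the original post or from Keycloak. Names of the
functions and the "name" attribute on path entries are assumptions for
illustration. The "claims" entry on a permission is deliberately ignored:
only "rsname" and "scopes" drive the decision.
"""
import fnmatch

# Mirrors keycloak.policy-enforcer-config.paths[0] from the post, plus an
# assumed "name" linking the path to the protected resource.
PATHS_CONFIG = [
    {
        "path": "/customers/*",
        "name": "customers",
        "methods": [{"method": "GET", "scopes": ["view"]}],
    },
]

# Constructed sample: the "authorization" block in the shape the post shows.
RPT_AUTHORIZATION = {
    "permissions": [
        {
            "scopes": ["view"],
            "claims": {"customers:view:country": ["[Belgium]"]},
            "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
            "rsname": "customers",
        }
    ]
}


def required_scopes(path, method, config=PATHS_CONFIG):
    """Return (resource_name, required_scope_set) for the first path entry
    matching the request, or None when nothing is configured for it.
    A matched path with no entry for the method yields an empty requirement
    of None, which the caller treats as denied."""
    for entry in config:
        if not fnmatch.fnmatchcase(path, entry["path"]):
            continue
        for m in entry.get("methods", []):
            if m["method"].upper() == method.upper():
                return entry["name"], set(m.get("scopes", []))
        return entry["name"], None
    return None


def is_permitted(authorization, path, method, config=PATHS_CONFIG):
    """Decide access from the RPT permissions only by resource name and
    scopes. Extra keys such as "claims" carry no weight in this model."""
    req = required_scopes(path, method, config)
    if req is None:
        return False  # enforcing mode assumption: unconfigured path -> DENIED
    resource, scopes = req
    if scopes is None:
        return False  # path known, method not granted
    for perm in authorization.get("permissions", []):
        if perm.get("rsname") != resource:
            continue
        granted = set(perm.get("scopes", []))
        if scopes.issubset(granted):
            return True
    return False


if __name__ == "__main__":
    for path, method in [("/customers/1", "GET"), ("/customers/1", "DELETE")]:
        verdict = "PERMIT" if is_permitted(RPT_AUTHORIZATION, path, method) else "DENIED"
        print(f"{method} {path}: {verdict}")
```

Running the module prints PERMIT for GET /customers/1 and DENIED for DELETE, which is the outcome the poster expects from a resource/scope-only evaluation; the presence of the "claims" entry does not change the result in this model.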