TechQA.

Keycloak: Access Denied when adding claims (permission.addClaim) to RPT token

671 views Asked by At

My Spring Boot Application with policy enforcer works fine. But when I add via my SPI some custom claims to the authorization->permission part of the RPT token then I am always getting: Policy enforcement result for path [http://localhost:8989/customers/1] is : DENIED

I have these lines in application.properties :

keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].path=/customers/*
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view

My RPT token looks like:

"authorization": {
"permissions": [
  {
    "scopes": [
      "view"
    ],
    "claims": {
      "customers:view:country": [
        "[Belgium]"
      ]
    },
    "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
    "rsname": "customers"
  }
]

},

When the "claims" part is added access is denied.

Any idea why it is always denied? The policy enforcer should actually ignore those additions, right? It should evaluate access based on resource and scope in the RPT token.

Is there a way to disable this additional claims check?

keycloak policy application.properties rpt keycloak-authorization-services
Original Q&A
0

There are 0 answers

Related Questions in KEYCLOAK

Related Questions in POLICY

Related Questions in APPLICATION.PROPERTIES

Related Questions in RPT

Related Questions in KEYCLOAK-AUTHORIZATION-SERVICES

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions