Keycloak: Access Denied when adding claims (permission.addClaim) to RPT token


My Spring Boot application with the policy enforcer works fine. But when I add, via my SPI, some custom claims to the authorization->permission part of the RPT token, I always get: Policy enforcement result for path [http://localhost:8989/customers/1] is : DENIED

I have these lines in application.properties:

keycloak.securityConstraints[0].authRoles[0]=*
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].path=/customers/*
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view

My RPT token looks like:

"authorization": {
  "permissions": [
    {
      "scopes": [
        "view"
      ],
      "claims": {
        "customers:view:country": [
          "[Belgium]"
        ]
      },
      "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
      "rsname": "customers"
    }
  ]
},

When the "claims" part is added, access is denied.

Any idea why it is always denied? The policy enforcer should actually ignore those additions, right? It should evaluate access based on the resource and scope in the RPT token.

Is there a way to disable this additional claims check?


There are 0 answers
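As an added illustration (not Keycloak's code, and not an answer to why the real enforcer returns DENIED), the snippet below implements the evaluation the question expects: it rebuilds the `paths[i].methods[j].scopes[k]` entries from the application.properties lines above, reads `authorization.permissions` out of the RPT, and grants or denies a request purely on resource name and scopes, so the extra `"claims"` entry is ignored. Everything here is constructed for the example: the path-to-resource mapping (`/customers/*` -> `customers`) is hard-coded, glob matching uses Python's `fnmatch` rather than Keycloak's own path matcher, and the demo RPT is an unsigned JWT built inline, which is why the decode step does no signature verification.

```python
import base64
import fnmatch
import json
import re

# Constructed input: the policy-enforcer lines from the question's application.properties.
PROPERTIES = """\
keycloak.policy-enforcer-config.enforcement-mode=enforcing
keycloak.policy-enforcer-config.paths[0].path=/customers/*
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view
"""

# Constructed input: the "authorization" claim of the RPT shown in the question,
# including the custom "claims" entry added by the SPI.
RPT_AUTHORIZATION = {
    "permissions": [
        {
            "scopes": ["view"],
            "claims": {"customers:view:country": ["[Belgium]"]},
            "rsid": "fe8b4cd1-601b-46cf-9f2b-1534ade8cab2",
            "rsname": "customers",
        }
    ]
}

# Assumption for this example: the path "/customers/*" protects the resource
# named "customers". A real deployment gets this from the path "name" or from
# the server's resource registry; it is hard-coded here.
PATH_TO_RESOURCE = {"/customers/*": "customers"}

_PATH_RE = re.compile(r"paths\[(\d+)\]\.path=(.*)$")
_METHOD_RE = re.compile(r"paths\[(\d+)\]\.methods\[(\d+)\]\.method=(.*)$")
_SCOPE_RE = re.compile(r"paths\[(\d+)\]\.methods\[(\d+)\]\.scopes\[(\d+)\]=(.*)$")


def _entry(paths, i):
    return paths.setdefault(int(i), {"path": None, "methods": {}})


def _method(paths, i, j):
    return _entry(paths, i)["methods"].setdefault(int(j), {"method": None, "scopes": set()})


def parse_paths(properties):
    """Rebuild paths[i].methods[j].scopes[k] from the flat property keys.

    Returns a list of {"path": "<glob>", "methods": {"GET": {"view", ...}}}.
    Indexes are used as keys while parsing so line order does not matter.
    """
    paths = {}
    for line in properties.splitlines():
        line = line.strip()
        if m := _PATH_RE.search(line):
            _entry(paths, m[1])["path"] = m[2].strip()
        elif m := _METHOD_RE.search(line):
            _method(paths, m[1], m[2])["method"] = m[3].strip().upper()
        elif m := _SCOPE_RE.search(line):
            _method(paths, m[1], m[2])["scopes"].add(m[4].strip())
    result = []
    for _, entry in sorted(paths.items()):
        methods = {mt["method"]: mt["scopes"] for _, mt in sorted(entry["methods"].items())}
        result.append({"path": entry["path"], "methods": methods})
    return result


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_demo_rpt(authorization):
    """Constructed, UNSIGNED JWT carrying the authorization claim (demo input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"authorization": authorization}).encode())
    return f"{header}.{payload}."


def extract_permissions(rpt):
    """Read authorization.permissions from the RPT payload segment.

    This only decodes; a real enforcer must verify the signature (or introspect
    the token at the server) before trusting any permission it contains.
    """
    payload_b64 = rpt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get("authorization", {}).get("permissions", [])


def evaluate(paths, permissions, method, request_path):
    """Resource/scope check only: extra keys such as "claims" are never looked at.

    Returns "PERMITTED" or "DENIED". Unmapped paths are denied, mirroring the
    deny-by-default behaviour expected from enforcement-mode=enforcing.
    """
    for entry in paths:
        if not fnmatch.fnmatchcase(request_path, entry["path"]):
            continue
        required = entry["methods"].get(method.upper())
        if required is None:
            return "DENIED"
        resource = PATH_TO_RESOURCE.get(entry["path"])
        for perm in permissions:
            if perm.get("rsname") == resource and required <= set(perm.get("scopes", [])):
                return "PERMITTED"
        return "DENIED"
    return "DENIED"


if __name__ == "__main__":
    cfg = parse_paths(PROPERTIES)
    perms = extract_permissions(build_demo_rpt(RPT_AUTHORIZATION))
    print("GET /customers/1   ->", evaluate(cfg, perms, "GET", "/customers/1"))
    print("DELETE /customers/1 ->", evaluate(cfg, perms, "DELETE", "/customers/1"))
```

The point of the toy evaluator is to make the questioner's expectation concrete: with the same permission entry, with or without the `"claims"` object, the resource and scope check yields PERMITTED for `GET /customers/1` and DENIED for a method that has no scopes configured. Whatever the real enforcer does with the extra key has to be found by reading its logs or source; this example does not reproduce that behaviour.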