I am testing Keycloak authorization services in the admin console and I'm unable to understand why, in the following example, Keycloak is authorizing a user (tested in the evaluate tab). This is my setup:
- test
- democlient with Authorization Enabled
- onAdmin
- adminuser, and assign it to the Admin role
- In the Authorization tab within the client democlient:
  - Settings -> Policy Enforcement Mode is set to Enforcing
  - list and save
  - Resource A with the 2 previous scopes
  - Policies tab: create a new Role policy called Only admins where (of course) I only permit admins
  - Permissions tab: create a Scope-based permission called permit only admins, Resource A, list scope
And that's it. Now I check this policy in the evaluate tab using the adminuser, role Admin, Resource A, scope list: success! Everything is fine in the world... except no. Checking the policy again with the adminuser, role Admin, Resource A, scope save (a scope where I did not define any permission), Keycloak is again authorizing this rule :/
I assumed that a policy enforcement mode set to Enforcing would deny access to the scope save. From the Keycloak documentation:
The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
So... what am I doing wrong? How can I make Keycloak deny access to the save scope? (Obviously I can create a permission where I explicitly deny this scope, but I want the default to be deny, as the documentation says.)
Any ideas will be deeply appreciated.
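The setup described above, as an added example that is not part of the original post: the same scopes, resource, role policy and scope-based permission expressed in the JSON that the client's Authorization tab accepts under Settings -> Import (the same format Keycloak produces on Export), so the scenario can be reproduced without clicking through the console. It assumes Admin is a realm role referenced by name in the role policy, that the client has no other policies or permissions, and that the realm and client are named test and democlient as in the question; everything else is taken from the question's description.

```json
{
  "allowRemoteResourceManagement": false,
  "policyEnforcementMode": "ENFORCING",
  "decisionStrategy": "UNANIMOUS",
  "scopes": [
    { "name": "list" },
    { "name": "save" }
  ],
  "resources": [
    {
      "name": "Resource A",
      "ownerManagedAccess": false,
      "scopes": [
        { "name": "list" },
        { "name": "save" }
      ]
    }
  ],
  "policies": [
    {
      "name": "Only admins",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"Admin\",\"required\":false}]"
      }
    },
    {
      "name": "permit only admins",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Resource A\"]",
        "scopes": "[\"list\"]",
        "applyPolicies": "[\"Only admins\"]"
      }
    }
  ]
}
```

Note that no permission references the save scope: under Enforcing mode the expectation is that evaluating adminuser against Resource A with scope save is denied and only list is granted. The same check can be made outside the evaluate tab against the realm's token endpoint, sending the user's access token as the bearer with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, audience=democlient, permission=Resource A#save and response_mode=decision; a granted request answers {"result": true}, a denied one answers with an access_denied error, which is the outcome to look for after upgrading.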
I have found the Jira issue that references this problem. It's clearly a bug:
https://issues.redhat.com/browse/KEYCLOAK-9483
There is a patch that will come with Keycloak version 9.0:
https://issues.redhat.com/browse/KEYCLOAK-12438
So we just need to wait for this release.
Yes, testing right now with Keycloak 9.0.0 everything is working as expected, so @Reste85 this is the solution.