From b4973ad7b552ae796234bb254578214972f570b5 Mon Sep 17 00:00:00 2001
From: fisache
Date: Thu, 7 Mar 2019 20:54:45 +0900
Subject: [PATCH] [KEYCLOAK-9769] service account can't authorize when group policy exists in resource server
---
 .../policy/evaluation/DefaultEvaluation.java | 11 ++++++-----
 .../keycloak/testsuite/authz/GroupNamePolicyTest.java | 10 +++++++++-
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java
index 61b359cc7f..6ca21838e2 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultEvaluation.java
@@ -46,7 +46,6 @@ import org.keycloak.representations.idm.authorization.Logic;
 * @author Pedro Igor
 */
 public class DefaultEvaluation implements Evaluation {
-
 private final ResourcePermission permission;
 private final EvaluationContext executionContext;
 private final Decision decision;
@@ -173,10 +172,12 @@ public class DefaultEvaluation implements Evaluation {
 if (Objects.isNull(user)) {
 user = session.users().getUserByUsername(id, realm);
-
- if (Objects.isNull(user)) {
- user = session.users().getUserByEmail(id, realm);
- }
+ }
+ if (Objects.isNull(user)) {
+ user = session.users().getUserByEmail(id, realm);
+ }
+ if (Objects.isNull(user)) {
+ user = session.users().getServiceAccount(realm.getClientById(id));
 }
 return user;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/GroupNamePolicyTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/GroupNamePolicyTest.java
index 82cc44588d..d2d76cba07 100644
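Review bot: The new third fallback calls `session.users().getServiceAccount(realm.getClientById(id))` without checking that `getClientById` actually found a client, so for an identity id that is neither a user id, username, email nor a client id the service-account lookup receives null instead of leaving `user` null the way the two preceding fallbacks do; I cannot see `getServiceAccount` from here, but if it dereferences its argument this turns a clean null result into an exception in the middle of policy evaluation. Guard it with `ClientModel client = realm.getClientById(id);` followed by `user = client == null ? null : session.users().getServiceAccount(client);` (adding the `org.keycloak.models.ClientModel` import if the file does not already have it). The branch would also benefit from a comment stating the assumption it relies on, e.g. `// NOTE: id is presumably the client id of a client-credentials identity here; resolve it to the client's service-account user`. The enclosing method starts and ends outside the hunk.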
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/GroupNamePolicyTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/GroupNamePolicyTest.java
@@ -100,7 +100,8 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
 .redirectUris("http://localhost/resource-server-test")
 .defaultRoles("uma_protection")
 .directAccessGrants()
- .protocolMapper(groupProtocolMapper))
+ .protocolMapper(groupProtocolMapper)
+ .serviceAccountsEnabled(true))
 .build());
 }
@@ -152,6 +153,13 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
 } catch (AuthorizationDeniedException ignore) {
 }
+
+ try {
+ authzClient.authorization(authzClient.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
+ fail("Should fail because service account is not granted with expected group");
+ } catch (AuthorizationDeniedException ignore) {
+
+ }
 }
 @Test
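Review bot: The added case in the second hunk only checks that a service account outside the expected group is denied, which would also pass if the new client-id fallback in DefaultEvaluation were never reached, so the positive path this commit fixes — a service account that is in the group being authorized — is left untested. Consider a companion case in this test method, or a new one, that adds the client's service-account user to the expected group and asserts that the same `authorize(new AuthorizationRequest(ticket))` call returns a response instead of throwing. The empty `catch (AuthorizationDeniedException ignore)` block mirrors the existing one directly above it, so no change is needed there. The enclosing test method starts outside the hunk.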