[KEYCLOAK-9769] service account can't authorize when group policy exists in resource server

fisache 2019-03-07 20:54:45 +09:00 committed by Pedro Igor
parent 1bf19ada7e
commit b4973ad7b5
2 changed files with 15 additions and 6 deletions


@ -46,7 +46,6 @@ import org.keycloak.representations.idm.authorization.Logic;
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
public class DefaultEvaluation implements Evaluation { public class DefaultEvaluation implements Evaluation {
private final ResourcePermission permission; private final ResourcePermission permission;
private final EvaluationContext executionContext; private final EvaluationContext executionContext;
private final Decision decision; private final Decision decision;
@ -173,10 +172,12 @@ public class DefaultEvaluation implements Evaluation {
if (Objects.isNull(user)) { if (Objects.isNull(user)) {
user = session.users().getUserByUsername(id, realm); user = session.users().getUserByUsername(id, realm);
}
if (Objects.isNull(user)) { if (Objects.isNull(user)) {
user = session.users().getUserByEmail(id, realm); user = session.users().getUserByEmail(id, realm);
} }
if (Objects.isNull(user)) {
user = session.users().getServiceAccount(realm.getClientById(id));
} }
return user; return user;
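Review bot: The new service-account fallback passes `realm.getClientById(id)` straight into `getServiceAccount(...)` without checking the client lookup, so an `id` that matches no user, no email and no client presumably hands `null` to `getServiceAccount` instead of letting the method return `null` as the earlier branches do. Guarding the lookup keeps the "unknown identity" outcome consistent with the username and email branches: `ClientModel client = realm.getClientById(id);` / `if (client != null) { user = session.users().getServiceAccount(client); }`. A short comment on the new branch would also help, e.g. `// ids of confidential clients resolve to their service-account user`. The enclosing method starts outside the hunk, so the origin and trust level of `id` cannot be confirmed from here.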


@ -100,7 +100,8 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
.redirectUris("http://localhost/resource-server-test") .redirectUris("http://localhost/resource-server-test")
.defaultRoles("uma_protection") .defaultRoles("uma_protection")
.directAccessGrants() .directAccessGrants()
.protocolMapper(groupProtocolMapper)) .protocolMapper(groupProtocolMapper)
.serviceAccountsEnabled(true))
.build()); .build());
} }
@ -152,6 +153,13 @@ public class GroupNamePolicyTest extends AbstractAuthzTest {
} catch (AuthorizationDeniedException ignore) { } catch (AuthorizationDeniedException ignore) {
} }
try {
authzClient.authorization(authzClient.obtainAccessToken().getToken()).authorize(new AuthorizationRequest(ticket));
fail("Should fail because service account is not granted with expected group");
} catch (AuthorizationDeniedException ignore) {
}
} }
@Test @Test