[KEYCLOAK-7543] - Policy enforcer should not delegate decisions when using UMA (#5252)

2018-06-11 08:17:40 -03:00 · 2018-06-11 08:17:40 -03:00 · db60abc604
commit db60abc604
parent f55c93a1e4
1 changed files with 8 additions and 13 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
@ -140,7 +140,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
    }

    private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade) {
-        if (getPolicyEnforcer().getDeployment().isBearerOnly() || (isBearerAuthorization(httpFacade) && getEnforcerConfig().getUserManagedAccess() != null)) {
+        if (getEnforcerConfig().getUserManagedAccess() != null) {
            return null;
        }

@ -151,20 +151,15 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
            AccessToken accessToken = securityContext.getToken();
            AuthorizationRequest authzRequest = new AuthorizationRequest();

-            if (getEnforcerConfig().getUserManagedAccess() != null) {
-                String ticket = getPermissionTicket(pathConfig, methodConfig, getAuthzClient(), httpFacade);
-                authzRequest.setTicket(ticket);
-            } else {
-                if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
-                    authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
-                }
+            if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
+                authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
+            }

-                Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);
+            Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);

-                if (!claims.isEmpty()) {
-                    authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
-                    authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
-                }
+            if (!claims.isEmpty()) {
+                authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
+                authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
            }

            if (accessToken.getAuthorization() != null) {