From db60abc60419feb359eaa8def4693b888d4ea544 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Mon, 11 Jun 2018 08:17:40 -0300
Subject: [PATCH] [KEYCLOAK-7543] - Policy enforcer should not delegate decisions when using UMA (#5252)
---
 .../KeycloakAdapterPolicyEnforcer.java | 21 +++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
index 67149bd471..ba46088858 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
@@ -140,7 +140,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
 }
 private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade) {
- if (getPolicyEnforcer().getDeployment().isBearerOnly() || (isBearerAuthorization(httpFacade) && getEnforcerConfig().getUserManagedAccess() != null)) {
+ if (getEnforcerConfig().getUserManagedAccess() != null) {
 return null;
 }
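Review bot: The rewritten guard in requestAuthorizationToken also drops the `getPolicyEnforcer().getDeployment().isBearerOnly()` short-circuit, so a bearer-only deployment that is not configured for UMA now falls through into the RPT request below instead of returning null; the subject line only speaks of UMA, so it is unclear whether that widening is intended. If it is, the guard deserves a comment that states the new invariant, e.g. `// UMA: never obtain an RPT on the client's behalf; decisions are not delegated (KEYCLOAK-7543)`; if it is not, `isBearerOnly()` should stay in the condition. The method's body continues in the next hunk.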
@@ -151,20 +151,15 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
 AccessToken accessToken = securityContext.getToken();
 AuthorizationRequest authzRequest = new AuthorizationRequest();
- if (getEnforcerConfig().getUserManagedAccess() != null) {
- String ticket = getPermissionTicket(pathConfig, methodConfig, getAuthzClient(), httpFacade);
- authzRequest.setTicket(ticket);
- } else {
- if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
- authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
- }
+ if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
+ authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
+ }
- Map> claims = resolveClaims(pathConfig, httpFacade);
+ Map> claims = resolveClaims(pathConfig, httpFacade);
- if (!claims.isEmpty()) {
- authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
- authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
- }
+ if (!claims.isEmpty()) {
+ authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
+ authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
 }
 if (accessToken.getAuthorization() != null) {
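Review bot: After the ticket branch is removed, nothing in this block tells a reader why a permission ticket is no longer set: the reason is the early return on `getUserManagedAccess() != null` in the previous hunk, which is easy to miss when reading the request-building code on its own. A one-line comment above the `if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null)` line would make the invariant explicit, e.g. `// Reached only when UMA is disabled: the method returns early before requesting an RPT for UMA deployments`. The claim-pushing lines that follow also warrant a short note that the claim token is a base64-encoded JSON object rather than a signed JWT, so that nobody later assumes the server can verify a signature on it; I am inferring the server-side handling, so confirm before wording it that way. The enclosing method starts before this hunk and continues after it.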