Similar to a previously answered question, I would like to push claims to the token endpoint to use them in policy evaluation in Keycloak v21.0.1.

In contrast to the mentioned question, I want to use the pushed claims in Regex-based policies instead of JavaScript-based policies and set response_mode=permissions to obtain the result of the evaluation directly. Is this actually possible?

My request looks like this:

curl -X POST \
  http://localhost:8080/realms/realmA/protocol/openid-connect/token \
  -H 'Authorization: Bearer eyJhbGciOiJSXXXXXXXXXXXXXXXX' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket' \
  -d 'audience=clientA' \
  -d 'permission=resourceA' \
  -d 'claim_token=eyJjbGFpbUEiOlsidmFsdWVBIl0sImNsYWltQiI6WyJ2YWx1ZUIiXX0%3D%0A' \
  -d 'claim_token=eyJjbGFpbUEiOlsiQSJdLCJjbGFpbUIiOlsiQiJdLCJjbGFpbUMiOlsiQyJd%0AfQ%3D%3D%0A' \
  -d 'response_mode=permissions'

The response contains the pushed claims:

[
  {
    "scopes": [
      "scope_from_role_based_policyA",
      "scope_from_role_based_policyB"
    ],
    "claims": {
      "claimC": [
        "C"
      ],
      "claimB": [
        "B"
      ],
      "claimA": [
        "A"
      ]
    },
    "rsid": "e8e40f58-1a74-49a7-ad6e-593d90907183",
    "rsname": "resourceA"
  }
]

The Regex-based policies do not seem to get triggered. From the source code, I can see that a Regex-based policy expects the claims to be contained in evaluation.getContext().getIdentity().getAttributes(). In my experiments, getClaimValue(evaluation, policy) always returns null.

Is there any way to map my pushed claims to those identity attributes in the policy evaluation?

wojja

1 Answer

I was able to make this work by changing line 73 in the implementation of the RegexPolicyProvider class:

// RegexPolicyProvider.getClaimValue(...) with the one-line change applied
// [...]
private String getClaimValue(Evaluation evaluation, RegexPolicyRepresentation policy) {
  // original line: only the attributes of the identity are consulted
  //Attributes attributes = evaluation.getContext().getIdentity().getAttributes();
  // changed line: the attributes of the evaluation context, where pushed claims end up
  Attributes attributes = evaluation.getContext().getAttributes();
  String targetClaim = policy.getTargetClaim();
  // [...]
}

The pushed claims are attributes of the evaluation context and not of the identity. By switching from evaluation.getContext().getIdentity().getAttributes() to evaluation.getContext().getAttributes(), the claims can be found and matched.

Obviously, it is not the best idea to change the code of a security related application.

Is there a particular reason why the implementation of the Regex-based policy only considers the identity attributes for the target claim? Is that seen as dangerous since the evaluation context is set by the requesting party? Or is it just because this use case is rather rare?

wojja
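The request in the question, rebuilt as an added example (this is not code from the question, the answer or Keycloak). It shows what a claim_token actually is in the default format (base64 of a JSON object mapping claim names to lists of strings, which is what Keycloak expects when claim_token_format is omitted), builds the UMA-ticket form body without the stray newlines a CLI base64 encoder leaves behind (the %0A in the question's tokens), and reads a response_mode=permissions result. The token endpoint, realm, client and resource names are taken from the question's placeholders; the sample response is copied from the question. The question sends two claim_token parameters and the response echoes only the second one; this example sends a single claim_token.

```python
"""Push claims to Keycloak's token endpoint (UMA grant) and read the permissions response.

Added example, not code from the question or from Keycloak. Endpoint, realm,
client and resource names are assumptions taken from the question.
"""
import base64
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Assumed values, mirroring the question's placeholders.
TOKEN_ENDPOINT = "http://localhost:8080/realms/realmA/protocol/openid-connect/token"

# Copied from the question: the permissions-mode response for resourceA.
SAMPLE_PERMISSIONS_RESPONSE = [
    {
        "scopes": ["scope_from_role_based_policyA", "scope_from_role_based_policyB"],
        "claims": {"claimC": ["C"], "claimB": ["B"], "claimA": ["A"]},
        "rsid": "e8e40f58-1a74-49a7-ad6e-593d90907183",
        "rsname": "resourceA",
    }
]


def build_claim_token(claims: dict[str, list[str]]) -> str:
    """Base64-encode a JSON object of claim name -> list of string values.

    This is the default claim_token format when claim_token_format is omitted.
    No newline is appended, unlike the output of a CLI base64 encoder.
    """
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_claim_token(token: str) -> dict:
    """Decode a claim_token as seen on the wire; tolerates embedded newlines."""
    return json.loads(base64.b64decode("".join(token.split())))


def build_form(audience: str, permission: str, claims: dict[str, list[str]]) -> str:
    """URL-encoded body for the UMA grant with pushed claims and response_mode=permissions."""
    params = [
        ("grant_type", UMA_GRANT),
        ("audience", audience),
        ("permission", permission),
        ("claim_token", build_claim_token(claims)),
        ("response_mode", "permissions"),
    ]
    return urllib.parse.urlencode(params)


def granted_scopes(permissions: list[dict], rsname: str) -> set[str]:
    """Scopes the server granted for one resource in a permissions-mode response."""
    return {
        scope
        for perm in permissions
        if perm.get("rsname") == rsname
        for scope in perm.get("scopes", [])
    }


def echoed_claims(permissions: list[dict], rsname: str) -> dict:
    """Claims echoed back for one resource (the pushed claims, as in the question)."""
    for perm in permissions:
        if perm.get("rsname") == rsname:
            return perm.get("claims", {})
    return {}


def request_permissions(bearer_token: str, body: str) -> list[dict]:
    """POST the form to the token endpoint and parse the JSON permissions list."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_form("clientA", "resourceA", {"claimA": ["A"], "claimB": ["B"], "claimC": ["C"]})
    print(body)
    # Needs a running Keycloak and a real access token; offline, inspect the sample instead.
    print(granted_scopes(SAMPLE_PERMISSIONS_RESPONSE, "resourceA"))
```

Decoding the two tokens from the question with decode_claim_token gives {"claimA": ["valueA"], "claimB": ["valueB"]} and {"claimA": ["A"], "claimB": ["B"], "claimC": ["C"]}, which matches the claims object echoed in the response.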