Details
- Bug
- Status: Closed
- Major
- Resolution: Done
- 4.3.0.Final
- Keycloak Sprint 11, Keycloak Sprint 12
- 1
- NEW
- NEW
Description
Based on this ticket: KEYCLOAK-3830
Authorization should be skipped for public endpoints whose enforcement mode is DISABLED.
This does not hold in version 4.3.Final.
When there is no security context (anonymous access), a 403 response code is returned together with the correct body, even though the endpoints are public.
```java
if (EnforcementMode.DISABLED.equals(enforcementMode)) {
    return createEmptyAuthorizationContext(true);
}

Request request = httpFacade.getRequest();
PathConfig pathConfig = getPathConfig(request);
KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

if (securityContext == null) {
    if (!isDefaultAccessDeniedUri(request)) {
        if (pathConfig != null) {
            challenge(pathConfig, getRequiredScopes(pathConfig, request), httpFacade);
        } else {
            handleAccessDenied(httpFacade);
        }
    }
    return createEmptyAuthorizationContext(false);
}
```
The path's enforcement mode is not taken into consideration at all in this case, so createEmptyAuthorizationContext(false) is always returned.
In my opinion, despite the missing security context, the path config should be evaluated before this check is made and work the same way as the whole PolicyEnforcer EnforcementMode.DISABLED does.
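The ordering problem above, as an added illustration that is not Keycloak's own code: a self-contained model of the anonymous-request branch, with constructed stub types (EnforcementMode, PathConfig, Decision) standing in for the adapter classes, showing the reported behaviour next to a version that honours a DISABLED path before the security-context check.

```java
// Added example, not Keycloak code: models the decision order discussed in
// the report. All types here are constructed stubs, not the adapter's classes.
public class PathDisabledCheck {
    enum EnforcementMode { ENFORCING, PERMISSIVE, DISABLED }

    static final class PathConfig {
        final String path;
        final EnforcementMode mode;
        PathConfig(String path, EnforcementMode mode) { this.path = path; this.mode = mode; }
    }

    /** Outcome of a decision: whether access is granted and the HTTP status sent. */
    static final class Decision {
        final boolean granted;
        final int status;
        Decision(boolean granted, int status) { this.granted = granted; this.status = status; }
    }

    // Behaviour described in the report: without a security context the path's
    // own enforcement mode is never consulted, so a DISABLED path still gets 403.
    static Decision authorizeReported(PathConfig pathConfig, boolean hasSecurityContext) {
        if (!hasSecurityContext) {
            return new Decision(false, 403); // challenge / access denied
        }
        return new Decision(true, 200);
    }

    // Suggested ordering: treat a DISABLED path the same way the enforcer already
    // treats the global DISABLED mode, before looking at the security context.
    static Decision authorizeFixed(PathConfig pathConfig, boolean hasSecurityContext) {
        if (pathConfig != null && pathConfig.mode == EnforcementMode.DISABLED) {
            return new Decision(true, 200); // public path: authorization skipped
        }
        if (!hasSecurityContext) {
            return new Decision(false, 403); // protected path, anonymous caller
        }
        return new Decision(true, 200);
    }

    public static void main(String[] args) {
        PathConfig publicPath = new PathConfig("/public/*", EnforcementMode.DISABLED);
        PathConfig apiPath = new PathConfig("/api/*", EnforcementMode.ENFORCING);
        System.out.println("reported, /public anonymous: " + authorizeReported(publicPath, false).status);
        System.out.println("fixed,    /public anonymous: " + authorizeFixed(publicPath, false).status);
        System.out.println("fixed,    /api anonymous:    " + authorizeFixed(apiPath, false).status);
    }
}
```

The fixed variant only changes the order of the checks; protected paths still challenge anonymous callers exactly as before.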