Keycloak - KEYCLOAK-8142

Regression in proper handling of public endpoints in AbstractPolicyEnforcer


Details

    Description

      Based on this ticket: KEYCLOAK-3830

      Authorization should be skipped in case of public endpoints with DISABLED enforcement mode.

      This is not true in case of version 4.3.Final.

      In case of no security context (anonymous access), despite the endpoints being public, response code 403 is returned together with the correct body.

              // Only the enforcer-wide mode is checked here.
              if (EnforcementMode.DISABLED.equals(enforcementMode)) {
                  return createEmptyAuthorizationContext(true);
              }

              Request request = httpFacade.getRequest();
              PathConfig pathConfig = getPathConfig(request);
              KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

              // Anonymous request: pathConfig is resolved, but its own enforcement
              // mode is never consulted before the request is challenged/denied.
              if (securityContext == null) {
                  if (!isDefaultAccessDeniedUri(request)) {
                      if (pathConfig != null) {
                          challenge(pathConfig, getRequiredScopes(pathConfig, request), httpFacade);
                      } else {
                          handleAccessDenied(httpFacade);
                      }
                  }
                  return createEmptyAuthorizationContext(false);
              }
      

      The path's enforcement mode is not even taken into consideration in such a case -> createEmptyAuthorizationContext(false) is always returned.

      In my opinion, despite the missing security context, the path config should be evaluated before this check is made, and it should work the same way as the whole PolicyEnforcer's EnforcementMode.DISABLED does.
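      The following is an added, self-contained model of the decision order described above; it is not Keycloak's code. It assumes, as the report does, that a PathConfig carries its own per-path enforcement mode, and contrasts the 4.3.Final ordering (security context checked before the path's mode) with the proposed ordering (path's mode checked first) for an anonymous request to a DISABLED path.

```java
// Hypothetical model of AbstractPolicyEnforcer's decision order, not Keycloak code.
public class PublicPathEnforcementDemo {
    enum EnforcementMode { ENFORCING, PERMISSIVE, DISABLED }
    enum Outcome { GRANTED, CHALLENGE_403 }

    // Assumption: a matched path carries its own enforcement mode.
    static final class PathConfig {
        final String path;
        final EnforcementMode mode;
        PathConfig(String path, EnforcementMode mode) { this.path = path; this.mode = mode; }
    }

    // Ordering from the 4.3.Final snippet: a missing security context is
    // handled before the matched path's mode is looked at, so a public
    // (DISABLED) path still ends in a 403 for anonymous callers.
    static Outcome regressed(EnforcementMode global, PathConfig cfg, boolean hasSecurityContext) {
        if (global == EnforcementMode.DISABLED) return Outcome.GRANTED;
        if (!hasSecurityContext) return Outcome.CHALLENGE_403;
        return enforce(cfg);
    }

    // Proposed ordering: consult the matched path's mode first, so a
    // DISABLED path behaves like the enforcer-wide DISABLED mode.
    static Outcome fixed(EnforcementMode global, PathConfig cfg, boolean hasSecurityContext) {
        if (global == EnforcementMode.DISABLED) return Outcome.GRANTED;
        if (cfg != null && cfg.mode == EnforcementMode.DISABLED) return Outcome.GRANTED;
        if (!hasSecurityContext) return Outcome.CHALLENGE_403;
        return enforce(cfg);
    }

    // Authenticated path: real policy evaluation is out of scope for this model.
    static Outcome enforce(PathConfig cfg) { return Outcome.GRANTED; }

    public static void main(String[] args) {
        PathConfig publicPath = new PathConfig("/public/*", EnforcementMode.DISABLED);
        PathConfig securedPath = new PathConfig("/api/*", EnforcementMode.ENFORCING);
        System.out.println("4.3.Final, anonymous on DISABLED path: "
                + regressed(EnforcementMode.ENFORCING, publicPath, false));   // CHALLENGE_403
        System.out.println("proposed,  anonymous on DISABLED path: "
                + fixed(EnforcementMode.ENFORCING, publicPath, false));       // GRANTED
        System.out.println("proposed,  anonymous on ENFORCING path: "
                + fixed(EnforcementMode.ENFORCING, securedPath, false));      // CHALLENGE_403
    }
}
```

      The third call shows that the reordering only changes behaviour for paths explicitly marked DISABLED; anonymous access to an enforced path is still challenged.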

          People

            psilva@redhat.com Pedro Igor Craveiro
            daniel.piotr.hajduk Daniel Hajduk (Inactive)