Red Hat 3scale API Management
THREESCALE-1867

RH SSO Role Check Policy "client" description is inaccurate


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: 2.6 ER1
    • Affects Version: 2.4 GA, SaaS
    • Component: Gateway
    • Workaround Exists

      Use liquid instead.

      client: "{{ jwt.aud }}"
      client type: Evaluate 'value' as liquid

      When creating an RHSSO Role Check Policy and adding a client role to the policy, it offers the following description of client:

      Client of the role. When this is not defined, this policy uses the 'aud' claim as the client.

      The default behavior does not appear to be accurate as leaving the client blank results in the following error log in apicast:

      2019/01/25 17:23:42 [debug] 21#21: *43 [lua] keycloak_role_check.lua:141: match_client_roles(): Client 'nil' was not found in the access token.

      Along with the error log, the role check does not actually function when using blacklisting, since the JWT will not have the correct client ("nil").

      This behavior should either be fixed so it works, or removed from the description since liquid can be used if that behavior is desired.

              Assignee: Unassigned
              Reporter: Shannon Poole (rhn-support-spoole)
              David Ortiz (Inactive)
              Votes: 0
              Watchers: 4
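The behaviour the report describes, modelled in Python as an added example (this is not APIcast's keycloak_role_check.lua or any other 3scale code): a role-check policy is evaluated against a decoded access token, once with the rule's client left unset and resolved to the literal `None` (the "Client 'nil'" case, where a blacklist never matches and so never denies), and once with the `aud` fallback the policy description promises. The token payload, the policy dictionaries and the tiny Liquid-style substitution used to show the `{{ jwt.aud }}` workaround are all constructed here and are assumptions; the claim layout (`resource_access` keyed by client, `aud` as a string or list) follows Keycloak's token format.

```python
import re
from typing import Optional

# Constructed sample of a decoded Keycloak access token payload. Signature
# verification is assumed to have happened already; only claims are modelled.
SAMPLE_CLAIMS = {
    "aud": "billing-api",
    "azp": "billing-api",
    "realm_access": {"roles": ["user"]},
    "resource_access": {
        "billing-api": {"roles": ["admin", "reader"]},
        "other-app": {"roles": ["viewer"]},
    },
}


def render_client_template(template: str, claims: dict) -> str:
    """Toy subset of Liquid (an assumption, not APIcast's engine): replaces
    '{{ jwt.<claim> }}' with the named claim, which is what the workaround
    'client: "{{ jwt.aud }}"' relies on when the value is evaluated as liquid."""
    def substitute(match: re.Match) -> str:
        value = claims.get(match.group(1), "")
        return value if isinstance(value, str) else str(value)
    return re.sub(r"\{\{\s*jwt\.([A-Za-z0-9_]+)\s*\}\}", substitute, template)


def resolve_client(configured: Optional[str], claims: dict) -> Optional[str]:
    """Client whose roles are checked: the configured one, else the 'aud' claim.

    RFC 7519 allows 'aud' to be a list; a list is only used when it has a
    single entry, otherwise no guess is made and None is returned."""
    if configured:
        return configured
    aud = claims.get("aud")
    if isinstance(aud, list):
        return aud[0] if len(aud) == 1 else None
    return aud


def has_client_role(claims: dict, client: Optional[str], role: str) -> bool:
    """True if the token grants `role` for `client` under resource_access.
    A client of None can never match: this is the "Client 'nil'" failure."""
    if client is None:
        return False
    roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles


def role_check(policy: dict, claims: dict, aud_fallback: bool = True) -> bool:
    """Evaluate a role-check policy; True means the request is allowed.

    policy = {"type": "whitelist" | "blacklist",
              "client_roles": [{"name": "admin", "client": "billing-api"}, ...]}
    A rule may omit "client". With aud_fallback=True it resolves to the 'aud'
    claim; with aud_fallback=False it stays None, reproducing the reported bug
    where a blacklist rule silently stops matching."""
    matched = False
    for rule in policy.get("client_roles", []):
        if aud_fallback:
            client = resolve_client(rule.get("client"), claims)
        else:
            client = rule.get("client")  # None -> "Client 'nil' was not found"
        if has_client_role(claims, client, rule["name"]):
            matched = True
            break
    if policy["type"] == "whitelist":
        return matched
    return not matched  # blacklist: any matching role denies the request


if __name__ == "__main__":
    deny_admins = {"type": "blacklist", "client_roles": [{"name": "admin"}]}
    print("client unset, no fallback ->", "allowed" if role_check(deny_admins, SAMPLE_CLAIMS, aud_fallback=False) else "denied")
    print("client unset, aud fallback ->", "allowed" if role_check(deny_admins, SAMPLE_CLAIMS) else "denied")
    print("liquid workaround renders client:", render_client_template("{{ jwt.aud }}", SAMPLE_CLAIMS))
```

The first call shows the reported problem: the token holds the `admin` role for `billing-api`, yet the blacklist allows the request because the lookup was done for a client of `None`. The second call shows the behaviour the policy description claims, and the last line shows why the Liquid workaround achieves the same result by supplying the `aud` value explicitly.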