Authorization set, yet everybody is authorized

Hello!

So, I have assigned 3 clients and made it so that only users with specific roles can access each.

Testing the authorization does work, however if I log in as any user, I can access every application (aka client).

Then I found that Keycloak only returns a message to the application but doesn’t stop it from accessing it.

And I found this post: https://janikvonrotz.ch/2020/04/30/role-based-access-control-for-multiple-keycloak-clients
thanks to this topic: Keycloak authorization

Well, it doesn't work anymore; it just sends error messages, and more importantly:

15:32:51,166 ERROR [stderr] (default task-6) Warning: Nashorn engine is planned to be removed from a future JDK release

I have seen that there is an execution called "Condition - User Role". I thought great, I don't need to hack it with a script or withdrawing some attribute required by my client!

Unfortunately, this is never checked. I have enabled logs in DEBUG mode. I don’t see anything about it, here is the trace:

15:32:51,065 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) authenticationAction
15:32:51,065 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processAction: 65ab0b44-a4c9-4e29-adc6-363d337ecd97
15:32:51,065 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-6) Going through the flow 'browser role access control forms' for adding executions
15:32:51,065 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-6) Selections when trying execution 'auth-username-password-form' : [ authSelection - auth-username-password-form]
15:32:51,065 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) action: auth-username-password-form
15:32:51,161 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator SUCCESS: auth-username-password-form
15:32:51,161 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: 'browser role access control forms flow', requirement: 'REQUIRED'
15:32:51,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow: browser role access control forms
15:32:51,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
15:32:51,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution 'auth-username-password-form' is processed
15:32:51,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: 'auth-script-based', requirement: 'REQUIRED'
15:32:51,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-script-based
15:32:51,164 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-6) Selections when trying execution 'auth-script-based' : [ authSelection - auth-script-based]

How to prevent users lacking specific roles from accessing an application like the whoami container (which doesn't handle responses)?

This is the only working solution I’ve found: security - Keycloak: Role based client log-in access restriction for users - Stack Overflow
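The per-client role gate that the linked blog post and Stack Overflow answer implement in a Keycloak script authenticator, as an added example that is not part of the original post and not Keycloak's own code. It assumes the shape of Keycloak's script authenticator API (an `authenticate(context)` entry point, `context.getUser()`, `context.getAuthenticationSession().getClient()`, `client.getRole(name)` returning null for an undefined role, and `user.hasRole(role)`); the `<clientId>-access` role-name convention is the one from the blog post; and the client, user and context objects below are constructed stand-ins so the decision logic can be run and checked without a server. One detail worth knowing for the "Condition - User Role" attempt: Keycloak only evaluates Condition executors inside a sub-flow whose requirement is set to Conditional, not as a direct member of a REQUIRED flow.

```javascript
// Added example: role gate for a Keycloak script authenticator, with constructed mocks.
// Assumed Keycloak API names: authenticate(context), context.getUser(),
// context.getAuthenticationSession().getClient(), client.getRole(name), user.hasRole(role).

const ROLE_SUFFIX = "-access"; // assumed convention: gated client "app1" has a client role "app1-access"

// Pure decision: may this user log in to this client?
// failClosed=true also denies clients that define no gate role at all; false keeps ungated
// clients (like a plain whoami container) open, which is the blog post's behaviour.
function clientAccessAllowed(user, client, failClosed) {
  const requiredRole = client.getRole(client.getClientId() + ROLE_SUFFIX);
  if (requiredRole === null) {
    return !failClosed;
  }
  return user.hasRole(requiredRole);
}

// Entry point Keycloak would call. Failing the flow here is what stops the token from being
// issued; merely returning a message to the application (the problem in the post) does not.
function authenticate(context, failClosed = false) {
  const user = context.getUser();
  const client = context.getAuthenticationSession().getClient();
  if (clientAccessAllowed(user, client, failClosed)) {
    context.success();
    return;
  }
  // In a real script: context.failure(AuthenticationFlowError.INVALID_USER, errorPage)
  context.failure("INVALID_USER");
}

// --- Constructed stand-ins (not Keycloak classes) so the example runs offline ---
function makeClient(clientId, roleNames) {
  const roles = new Map(roleNames.map((n) => [n, { name: n, clientId }]));
  return { getClientId: () => clientId, getRole: (name) => roles.get(name) || null };
}

function makeUser(username, roles) {
  const held = new Set(roles.map((r) => r.clientId + ":" + r.name));
  return { getUsername: () => username, hasRole: (r) => held.has(r.clientId + ":" + r.name) };
}

function makeContext(user, client) {
  const outcome = { result: null };
  return {
    getUser: () => user,
    getAuthenticationSession: () => ({ getClient: () => client }),
    success: () => { outcome.result = "success"; },
    failure: (err) => { outcome.result = "failure:" + err; },
    outcome,
  };
}

// Constructed scenario: three clients, two gated and one (whoami) without a gate role.
// alice holds app1-access only; bob holds app1-access and app2-access.
function demo(failClosed = false) {
  const app1 = makeClient("app1", ["app1-access"]);
  const app2 = makeClient("app2", ["app2-access"]);
  const whoami = makeClient("whoami", []);
  const alice = makeUser("alice", [app1.getRole("app1-access")]);
  const bob = makeUser("bob", [app1.getRole("app1-access"), app2.getRole("app2-access")]);

  const results = {};
  for (const [u, c] of [[alice, app1], [alice, app2], [bob, app2], [alice, whoami]]) {
    const ctx = makeContext(u, c);
    authenticate(ctx, failClosed);
    results[u.getUsername() + "@" + c.getClientId()] = ctx.outcome.result;
  }
  return results;
}

console.log(demo(false)); // whoami stays open
console.log(demo(true));  // whoami is denied because it defines no gate role
```

The `failClosed` switch is the point to think about for a client such as whoami that cannot act on an error response: with the blog post's opt-in behaviour, forgetting to create the `<clientId>-access` role silently leaves that client open to every user, whereas fail-closed turns that omission into a visible denial.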