Issues with quickstart Photoz

Securing applications
1

Hey all,
I’ve been messing around with trying to create resources that belong to an owner and make use of the owner only policy as shown in the Photoz quickstart. https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz

I basically want to see it work so I can implement similar policies in my own applications. I think something is wrong however because when I evaluate the user, resource and scope I get back: " Could not obtain any result for the given authorization request. Check if the provided resource(s) or scope(s) are associated with any policy."

The Realm / Authorization was just imported straight from GIT.

Evaluation Request:
User: alice
Resource: Test Album
Scopes: album:delete album:view

Resources:

image
image1373×360 19.2 KB

Did anyone manage to get the example working, the AngularJS page just keeps giving forbidden for me?

Update:
So I think my core problem with implementing an ownerPermission on a resource type and scope is that the quickstart example uses a policy like this:

{
  "name": "Album Resource Permission",
  "description": "A default permission that defines access for any album resource",
  "type": "scope",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "config": {
    "defaultResourceType": "[\"http://photoz.com/album\"]",
    "scopes": "[\"album:view\",\"album:delete\"]",
    "applyPolicies": "[\"Only Owner and Administrators Policy\"]"
  }

But defaultResourceType on the policy seems to do nothing for the resources in question, no policy is validation, nor do I see those settings in the UI so I kinda feel like it is being ignored.

If I instead Apply just a policy on the resource type it works fine, but then I lack the scopes. Is there some kind of option or experimental feature I need to turn on?

{
  "id": "8ea3f6ea-ae29-48b3-8db3-ab381afa77b3",
  "name": "ownerOnly",
  "type": "resource",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "config": {
    "defaultResourceType": "urn:login-app:resources:news-item",
    "applyPolicies": "[\"OwnerPolicy\"]"
  }
}

Update 2: For now I managed to implement it with just a scope-based policy on for example: “album:delete” and associating that to the resource. That will result in the setup I want. But if anyone reads this and gets it to work with defaultResourceType that would certainly be handy too!