Hi guys,
We’re experiencing a strange behaviour during our tests on our authorization policies.
I’ve defined a resource in the policy adapter as follows:
{
  "name": "test",
  "path": "/test/{id}/test",
  "methods": [
    {
      "method": "GET",
      "scopes": [
        "list_test_scope"
      ]
    }
  ],
  "claim-information-point": {
    "claims": {
      "organization": "{request.relativePath}"
    }
  }
}
Then, in Keycloak, I’ve defined:
- the scope list_test_scope
- a role-based policy
- a resource named “test” with the URI /test/{id}/test
- a permission associating the resource, the scope and the policy
Everything works fine when I make a GET request to the endpoint: if the user has the role, he can access the endpoint, otherwise he receives a 403. But, if I make another request to the same endpoint with a different HTTP method, like a POST, nothing blocks me: I can reach the endpoint and I receive a 405 - Method Not Allowed (this is due to the fact that I’ve not defined the operation on the endpoint). Why am I not receiving a 403 error in this case? Shouldn’t the user be blocked by the fact that this method is not mapped / the user does not have the scope?
I’ve already read the following post: https://lists.jboss.org/pipermail/keycloak-user/2019-February/017174.html
But removing the resource from the permission doesn’t work. I’m still experiencing the same behaviour (I don’t know if something related to the cache is not working well).
Can you help us please?
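The gap the post describes is that only GET on /test/{id}/test is mapped to a scope, so the configuration itself says nothing about POST, PUT, PATCH or DELETE on that path. The following is an added example (not code from the post and not part of Keycloak) that audits a policy-enforcer configuration of the shape shown above for exactly that gap and produces a hardened copy in which every expected method carries an explicit scope. The configuration fragment is constructed from the post, the list of expected methods and the scope names such as create_test_scope are assumptions of the example, and the script makes no claim about how Keycloak internally evaluates an unmapped method; it only makes the omission visible before deployment.

```python
import json
from typing import Dict, List

# Constructed policy-enforcer fragment modelled on the one in the post:
# only GET on /test/{id}/test is mapped to a scope.
ENFORCER_CONFIG = json.loads("""
{
  "paths": [
    {
      "name": "test",
      "path": "/test/{id}/test",
      "methods": [
        {"method": "GET", "scopes": ["list_test_scope"]}
      ]
    }
  ]
}
""")

# Assumption of this example: every protected resource should say something
# explicit about each of these HTTP methods.
EXPECTED_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")


def unmapped_methods(path_config: dict, expected=EXPECTED_METHODS) -> List[str]:
    """Return the expected HTTP methods that have no entry under 'methods',
    or whose entry has an empty 'scopes' list (so no scope is required)."""
    mapped = {
        m["method"].upper()
        for m in path_config.get("methods", [])
        if m.get("scopes")
    }
    return [m for m in expected if m not in mapped]


def audit(config: dict) -> Dict[str, List[str]]:
    """Map each resource (by name, falling back to path) to the methods it
    leaves without an explicit scope requirement."""
    return {
        p.get("name", p.get("path")): unmapped_methods(p)
        for p in config.get("paths", [])
    }


def with_explicit_methods(path_config: dict, scope_for: Dict[str, str]) -> dict:
    """Return a deep copy of the path config in which every method listed in
    scope_for has an explicit scope mapping. Existing entries are kept as they
    are; only missing methods are added. The input is not modified."""
    hardened = json.loads(json.dumps(path_config))  # cheap deep copy of plain JSON
    methods = hardened.setdefault("methods", [])
    present = {m["method"].upper() for m in methods}
    for method, scope in scope_for.items():
        if method.upper() not in present:
            methods.append({"method": method.upper(), "scopes": [scope]})
    return hardened


if __name__ == "__main__":
    # Report: {"test": ["POST", "PUT", "PATCH", "DELETE"]} for the constructed config.
    print(json.dumps(audit(ENFORCER_CONFIG), indent=2))
    # Hypothetical scope names chosen for this example only.
    fixed = with_explicit_methods(
        ENFORCER_CONFIG["paths"][0],
        {
            "POST": "create_test_scope",
            "PUT": "update_test_scope",
            "PATCH": "update_test_scope",
            "DELETE": "delete_test_scope",
        },
    )
    print(json.dumps(fixed, indent=2))
```

Run against the post's configuration the audit lists POST, PUT, PATCH and DELETE as unmapped for the resource “test”; after the scopes are declared in Keycloak and the hardened fragment is deployed, the same check returns an empty list, which is the state to verify before relying on a permission to deny the other methods.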