Keycloak authz policy evaluation using REST API

I’ve set different permissions based on various policies in Keycloak’s client configuration. Also, out of the box, Keycloak provides an API to test the result with ‘Evaluate’. My question is: can I evaluate this policy using a REST API and get the result back?


There is a non-documented admin evaluate URL that you can use. It is the endpoint that powers the Evaluate Permissions screen in the dashboard.

Example:

POST http://$host:$port/auth/admin/realms/$realm/clients/$clientId/authz/resource-server/policy/evaluate

{
    "resources": [
        {
            "name": "my_resource",
            "type": "*",
            "owner": {
                "id": "f75754d9-4c13-4710-b358-7aea027c50c4",
                "name": "my_client"
            },
            "ownerManagedAccess": true,
            "_id": "bb1f1537-4854-4ec7-98e2-2d4d375356a9",
            "uris": [],
            "scopes": []
        }
    ],
    "context": {
        "attributes": {}
    },
    "roleIds": [],
    "userId": "cd91f2b0-b3f1-4aa5-9984-36cd88d70723",
    "clientId": "f75754d9-4c13-4710-b358-7aea027c50c4",
    "entitlements": false
}

That works, but it’s an admin API. Is there an equivalent API that the resource server could use to run these types of queries? The resource server client has the uma_protection role, but from what I saw, it doesn’t allow it to access this API (since that is an admin API).


I have found it difficult to find this as well. Reading through their authorization documentation under Obtaining Permissions, I found that a request to the token endpoint with the response_mode set to decision tells the server it ‘should only represent the overall decision’ as true or false, but doesn’t say what the decision is. The AuthZ client doesn’t help much either, as I can’t find anything that interfaces with the policy evaluation.

You don’t need to use the admin api, you can use the token endpoint directly:

curl -u <client_id>:<client_secret> -k -X POST \
  https://localhost:8443/auth/realms/keycloaktest/protocol/openid-connect/token \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "subject_token=<user_access_token>" \
  --data "permission=<resource#scope>" \
  --data "response_mode=decision" \
  --data "audience=<client_id>"
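As an added example (not code from the thread or from Keycloak itself), the decision-mode request from the curl command above, wrapped in a small Python helper that builds the form body, calls the token endpoint with the resource server's client credentials, and turns the reply into a plain yes/no. The base URL, realm, client id, secret and user token are placeholders; the two reply shapes it recognises (`{"result": true}` on grant, HTTP 403 with `"error": "access_denied"` on deny) are the ones Keycloak's authorization-services documentation describes for `response_mode=decision`, and anything else is raised rather than silently treated as "denied", so a client that lacks the uma_protection role or sends the wrong audience does not look like a policy decision.

```python
"""Added example: ask a Keycloak token endpoint for a UMA *decision*
(response_mode=decision) and return it as a bool.

Assumptions (not from the thread): base URL, realm, client id/secret and
the user's access token are placeholders; reply shapes follow Keycloak's
authorization-services documentation.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_decision_request(base_url, realm, client_id, client_secret,
                           subject_token, permissions):
    """Return (url, headers, body_bytes) for a decision-mode UMA request.

    `permissions` is a list of "resource#scope" strings (the scope part is
    optional), i.e. what the curl example passes as --data "permission=...".
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    # Client credentials travel in HTTP Basic auth, exactly like `curl -u`.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    fields = [
        ("grant_type", UMA_GRANT),
        ("subject_token", subject_token),  # the user's access token
        ("response_mode", "decision"),     # ask only for the overall yes/no
        ("audience", client_id),           # resource server whose policies apply
    ]
    # `permission` may be repeated, one field per resource/scope pair.
    fields += [("permission", p) for p in permissions]
    body = urllib.parse.urlencode(fields).encode()
    return url, headers, body


def interpret_decision(status, body_text):
    """Map the token endpoint's reply to True (granted) or False (denied).

    Only the two documented outcomes are accepted; any other status or body
    raises so that misconfiguration is not mistaken for a deny decision.
    """
    payload = json.loads(body_text) if body_text else {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 200 and isinstance(payload.get("result"), bool):
        return payload["result"]
    if status == 403 and payload.get("error") == "access_denied":
        return False
    raise RuntimeError(f"unexpected reply from token endpoint: {status} {body_text!r}")


def check_permission(base_url, realm, client_id, client_secret,
                     subject_token, permissions, timeout=5):
    """Send the request and return the decision as a bool."""
    url, headers, body = build_decision_request(
        base_url, realm, client_id, client_secret, subject_token, permissions)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_decision(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # A 403 deny arrives as an HTTPError; it is a valid decision, not a failure.
        return interpret_decision(err.code, err.read().decode())


if __name__ == "__main__":
    # Placeholder values: replace with a real realm, resource-server client and user token.
    print(check_permission("https://localhost:8443/auth", "keycloaktest",
                           "my_client", "my_client_secret", "<user_access_token>",
                           ["my_resource#read"]))
```

Unlike the curl example, which passes `-k`, this helper keeps TLS certificate verification on; against a dev server with a self-signed certificate you would need to trust that certificate rather than disable verification.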