Keyycloak authz policy evaluation using REST API

I’ve set different permissions based on various policies in Keycloak’s client configuration. And also ootb Keycloak provides an API to test the result with ‘Evaluate’. My question is: Can I evaluate this policy using a REST API and get the result back?

1 Like

There is a non-documented admin evaluate URL that you can use. It is the endpoint that powers the Evaluate Permissions screen in the dashboard.


POST http://$host:$port/auth/admin/realms/$realm/clients/$clientId/authz/resource-server/policy/evaluate

    "resources": [
            "name": "my_resource",
            "type": "*",
            "owner": {
                "id": "f75754d9-4c13-4710-b358-7aea027c50c4",
                "name": "my_client"
            "ownerManagedAccess": true,
            "_id": "bb1f1537-4854-4ec7-98e2-2d4d375356a9",
            "uris": [],
            "scopes": []
    "context": {
        "attributes": {}
    "roleIds": [],
    "userId": "cd91f2b0-b3f1-4aa5-9984-36cd88d70723",
    "clientId": "f75754d9-4c13-4710-b358-7aea027c50c4",
    "entitlements": false

That works, but it’s an admin api. Is there an equivalent API that the resource server could use to run these types of queries? The resource server client has the uma_protection role, but from what I saw, it doesn’t allow it to access this api (since that is an admin api)

1 Like

I have found it difficult to find this as well. Reading through their authorization documentation under Obtaining Permissions I found that a request to to the token endpoint with the response_mode set to decision tells the server ‘should only represent the overall decision’ as true or false but doesn’t say what the decision is. The AuthZ client doesn’t help much either as I can’t find anything that interfaces with the policy evaluation.

You don’t need to use the admin api, you can use the token endpoint directly:

curl -u <client_id>:<client_secret> -k -X POST \
  https://localhost:8443/auth/realms/keycloaktest/protocol/openid-connect/token \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "subject_token=<user_access_token>" \
  --data "permission=<resource#scope>" \
  --data "response_mode=decision" \
  --data "audience=<client_id>"