Regex policy based on multivalued attribute

immieszko · March 21, 2024, 2:55pm

Hello. I use GitHub - sventorben/keycloak-restrict-client-auth: A Keycloak authenticator to restrict authorization on clients with Policy-Based mode. When I want to use Regex Client Policy on multivalue attributes it does not work.
For example, I have User user1 with an attribute:

"my_attr": [
    "1test",
    "2test"
  ],

If I define the target_claim to my_attr and regex pattern to 1test it works, but when I would like to check the 2test I have no idea how to do it . Do you know any solution?

dasniko · March 21, 2024, 3:54pm

I’d recommend to ask the maintainer of the extension directly in the mentioned GitHub repo as a new issue or discussion thread.
AFAIK Sven-Torben is not a member here in this forum.

immieszko · March 22, 2024, 8:33am

@dasniko the problem is with Keycloak RegexPolicyProvider, not with the extension.

github.com

keycloak/keycloak/blob/24.0.1/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/regex/RegexPolicyProvider.java#L99


      
              }
          }
          
          private String resolveSimpleValue(Attributes attributes, String targetClaim) {
              Attributes.Entry value = attributes.getValue(targetClaim);
          
              if (value == null || value.isEmpty()) {
                  return null;
              }
          
              return value.asString(0);
          }
          
          private String resolveJsonValue(Attributes attributes, String targetClaim) throws IOException {
              List<String> paths = splitClaimPath(targetClaim);
          
              if (paths.isEmpty()) {
                  return null;
              }
          
              Attributes.Entry attribute = attributes.getValue(paths.get(0));

Here takes only the first value of the multivalued attribute to Regex.

Therefore, you are not able to check if the user has attr=2test.

Topic		Replies	Views
Mapper for client roles with multivalued disabled, still sets the value as an array Configuring the server admin-console	11	1948	August 23, 2022
Admin API - get all users with custom attributes	2	3681	April 4, 2022
Rest api: filter client by attributes Getting advice	2	1254	June 22, 2023
Keycloak -18.0.1 issue with authorization and multiple polices/permissions Getting advice authentication	0	339	October 12, 2022
Validating against Realm roles and Client roles at the same time Securing applications	0	629	June 3, 2020

Regex policy based on multivalued attribute

Related Topics