
[KEYCLOAK-3830] - Only enforce permissions when there is a

11/17/2016 7:03:54 PM


diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
index 121adf1..472afb7 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
@@ -142,9 +142,13 @@ public class AuthenticatedActionsHandler {
             AuthorizationContext authorizationContext = policyEnforcer.enforce(facade);
             RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) facade.getSecurityContext();
 
-            session.setAuthorizationContext(authorizationContext);
+            if (session != null) {
+                session.setAuthorizationContext(authorizationContext);
 
-            return  authorizationContext.isGranted();
+                return authorizationContext.isGranted();
+            }
+
+            return true;
         } catch (Exception e) {
             throw new RuntimeException("Failed to enforce policy decisions.", e);
         }
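Review bot: The `return true` added for the null-session case discards the enforcer's decision — `policyEnforcer.enforce(facade)` has already run on the line above the null check and, per the companion change in AbstractPolicyEnforcer, returns a not-granted context when there is no security context, yet this handler reports the request as allowed. Two layers disagreeing on the same condition is confusing; if "no session means nothing to enforce here" is the intended contract, check it first and say so: `RefreshableKeycloakSecurityContext session = (RefreshableKeycloakSecurityContext) facade.getSecurityContext();` / `if (session == null) { return true; } // no authenticated session: nothing to enforce, downstream decides` / `AuthorizationContext authorizationContext = policyEnforcer.enforce(facade);`. Whether letting an unauthenticated request proceed is safe depends on the adapter having already rejected such requests for protected paths before this handler runs — presumably it does, but that assumption is not visible in this hunk and is worth a comment. Note also the unchecked cast to `RefreshableKeycloakSecurityContext`: a different implementation would surface as a ClassCastException wrapped in the catch below as "Failed to enforce policy decisions.", which is misleading. The enclosing method starts before this hunk.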
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
index 9377b0b..34a4f0f 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java
@@ -19,6 +19,7 @@ package org.keycloak.adapters.authorization;
 
 import org.jboss.logging.Logger;
 import org.keycloak.AuthorizationContext;
+import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.OIDCHttpFacade;
 import org.keycloak.adapters.spi.HttpFacade.Request;
 import org.keycloak.adapters.spi.HttpFacade.Response;
@@ -66,40 +67,47 @@ public abstract class AbstractPolicyEnforcer {
             return createEmptyAuthorizationContext(true);
         }
 
-        AccessToken accessToken = httpFacade.getSecurityContext().getToken();
-        Request request = httpFacade.getRequest();
-        Response response = httpFacade.getResponse();
-        String pathInfo = URI.create(request.getURI()).getPath().substring(1);
-        String path = pathInfo.substring(pathInfo.indexOf('/'), pathInfo.length());
-        PathConfig pathConfig = this.pathMatcher.matches(path, this.paths);
+        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
 
-        LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), pathConfig);
+        if (securityContext != null) {
+            AccessToken accessToken = securityContext.getToken();
 
-        if (pathConfig == null) {
-            if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
-                return createAuthorizationContext(accessToken);
-            }
+            if (accessToken != null) {
+                Request request = httpFacade.getRequest();
+                Response response = httpFacade.getResponse();
+                String pathInfo = URI.create(request.getURI()).getPath().substring(1);
+                String path = pathInfo.substring(pathInfo.indexOf('/'), pathInfo.length());
+                PathConfig pathConfig = this.pathMatcher.matches(path, this.paths);
 
-            LOGGER.debugf("Could not find a configuration for path [%s]", path);
-            response.sendError(403, "Could not find a configuration for path [" + path + "].");
+                LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), pathConfig);
 
-            return createEmptyAuthorizationContext(false);
-        }
+                if (pathConfig == null) {
+                    if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
+                        return createAuthorizationContext(accessToken);
+                    }
 
-        PathConfig actualPathConfig = resolvePathConfig(pathConfig, request);
-        Set<String> requiredScopes = getRequiredScopes(actualPathConfig, request);
+                    LOGGER.debugf("Could not find a configuration for path [%s]", path);
+                    response.sendError(403, "Could not find a configuration for path [" + path + "].");
 
-        if (isAuthorized(actualPathConfig, requiredScopes, accessToken, httpFacade)) {
-            try {
-                return createAuthorizationContext(accessToken);
-            } catch (Exception e) {
-                throw new RuntimeException("Error processing path [" + actualPathConfig.getPath() + "].", e);
-            }
-        }
+                    return createEmptyAuthorizationContext(false);
+                }
 
-        if (!challenge(actualPathConfig, requiredScopes, httpFacade)) {
-            LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
-            response.sendError(403, "Authorization failed.");
+                PathConfig actualPathConfig = resolvePathConfig(pathConfig, request);
+                Set<String> requiredScopes = getRequiredScopes(actualPathConfig, request);
+
+                if (isAuthorized(actualPathConfig, requiredScopes, accessToken, httpFacade)) {
+                    try {
+                        return createAuthorizationContext(accessToken);
+                    } catch (Exception e) {
+                        throw new RuntimeException("Error processing path [" + actualPathConfig.getPath() + "].", e);
+                    }
+                }
+
+                if (!challenge(actualPathConfig, requiredScopes, httpFacade)) {
+                    LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
+                    response.sendError(403, "Authorization failed.");
+                }
+            }
         }
 
         return createEmptyAuthorizationContext(false);
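Review bot: The new null checks on `securityContext` and `accessToken` fall through to `createEmptyAuthorizationContext(false)` without calling `response.sendError(403, ...)` or `challenge(...)`, unlike every other deny path in this method, so a client that omits a bearer token gets a silent not-granted result while one that presents a token lacking permissions gets a 403 or a challenge. If the silent path is deliberate (anonymous requests are expected to have been rejected by the adapter earlier, or the caller is expected to decide), state that in a comment on the guard rather than leaving it implicit. The three nested `if` blocks also push the whole enforcement body two levels deep; a guard clause reads better and keeps the diff of the original logic minimal. The pre-existing path derivation at `pathInfo.substring(pathInfo.indexOf('/'), ...)` throws StringIndexOutOfBoundsException when the request path has no second segment (`indexOf` returns -1), which the caller wraps as a generic RuntimeException; it is now the first thing a tokened request hits, so worth a bounds check while touching this code. The enclosing method begins before and ends after this hunk.
```java
KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

// No authenticated security context or token: nothing to evaluate here. This path
// intentionally sends no 403/challenge; the adapter is expected to have handled
// anonymous access before reaching the enforcer.
if (securityContext == null || securityContext.getToken() == null) {
    LOGGER.debug("No security context or access token available; skipping permission checks.");
    return createEmptyAuthorizationContext(false);
}

AccessToken accessToken = securityContext.getToken();
// … unchanged: path matching, isAuthorized, challenge, final not-granted return …
```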