keycloak-uncached
Changes
examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java 22(+13 -9)
Details
diff --git a/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java b/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java
index 887a461..493637a 100644
--- a/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java
+++ b/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java
@@ -43,7 +43,7 @@ public class AuthorizationClientExample {
}
private static void introspectRequestingPartyToken() {
- // create a new instance based on the configuration define at keycloak-authz.json
+ // create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create();
// query the server for a resource with a given name
@@ -51,8 +51,9 @@ public class AuthorizationClientExample {
.resource()
.findByFilter("name=Default Resource");
- // obtian a Entitlement API Token in order to get access to the Entitlement API.
- // this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement
+ // obtain an Entitlement API Token in order to get access to the Entitlement API.
+ // this token is just an access token issued to a client on behalf of an user
+ // with a scope = kc_entitlement
String eat = getEntitlementAPIToken(authzClient);
// create an entitlement request
@@ -63,7 +64,8 @@ public class AuthorizationClientExample {
request.addPermission(permission);
- // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
+ // send the entitlement request to the server in order to
+ // obtain an RPT with all permissions granted to the user
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
String rpt = response.getRpt();
@@ -79,7 +81,7 @@ public class AuthorizationClientExample {
}
private static void createResource() {
- // create a new instance based on the configuration define at keycloak-authz.json
+ // create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create();
// create a new resource representation with the information we want
@@ -111,8 +113,9 @@ public class AuthorizationClientExample {
// create a new instance based on the configuration define at keycloak-authz.json
AuthzClient authzClient = AuthzClient.create();
- // obtian a Entitlement API Token in order to get access to the Entitlement API.
- // this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement
+ // obtain an Entitlement API Token in order to get access to the Entitlement API.
+ // this token is just an access token issued to a client on behalf of an user
+ // with a scope = kc_entitlement
String eat = getEntitlementAPIToken(authzClient);
// create an entitlement request
@@ -123,7 +126,8 @@ public class AuthorizationClientExample {
request.addPermission(permission);
- // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
+ // send the entitlement request to the server in order to obtain a RPT
+ // with all permissions granted to the user
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
String rpt = response.getRpt();
@@ -133,7 +137,7 @@ public class AuthorizationClientExample {
}
private static void obtainAllEntitlements() {
- // create a new instance based on the configuration define at keycloak-authz.json
+ // create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create();
// obtian a Entitlement API Token in order to get access to the Entitlement API.
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
index 884f2e1..076f9af 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
@@ -171,6 +171,13 @@ public class PolicyEvaluationService {
collect.addAll(storeFactory.getResourceStore().findByScope(scope.getId()).stream().map(resource12 -> new ResourcePermission(resource12, asList(scope), resourceServer)).collect(Collectors.toList()));
}
+ collect.addAll(storeFactory.getResourceStore().findByResourceServer(resourceServer.getId()).stream().map(new Function<Resource, ResourcePermission>() {
+ @Override
+ public ResourcePermission apply(Resource resource) {
+ return new ResourcePermission(resource, resource.getScopes(), resourceServer);
+ }
+ }).collect(Collectors.toList()));
+
return collect.stream();
}
}).collect(Collectors.toList());
diff --git a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
index d320a64..4f0c64a 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java
@@ -132,7 +132,10 @@ public class PolicyEvaluationResponse {
scopes.add(scope);
}
if (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT)) {
- result.getAllowedScopes().add(scope);
+ List<ScopeRepresentation> allowedScopes = result.getAllowedScopes();
+ if (!allowedScopes.contains(scope)) {
+ allowedScopes.add(scope);
+ }
}
}
}
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index 2ebed9f..998eff8 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -986,13 +986,13 @@ authz-required=Required
authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server.
authz-policy-enforcement-mode=Policy Enforcement Mode
-authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allow access to any resource.
+authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
authz-policy-enforcement-mode-enforcing=Enforcing
authz-policy-enforcement-mode-permissive=Permissive
authz-policy-enforcement-mode-disabled=Disabled
authz-remote-resource-management=Remote Resource Management
-authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can only be managed from this admin console.
+authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can be managed only from this admin console.
authz-export-settings=Export Settings
authz-export-settings.tooltip=Export and download all authorization settings for this resource server.
@@ -1035,7 +1035,7 @@ authz-policy-logic.tooltip=The logic dictates how the policy decision should be
authz-policy-apply-policy=Apply Policy
authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission.
authz-policy-decision-strategy=Decision Strategy
-authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order to the overall decision be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order to the overall decision be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
+authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
authz-policy-decision-strategy-affirmative=Affirmative
authz-policy-decision-strategy-unanimous=Unanimous
authz-policy-decision-strategy-consensus=Consensus
@@ -1059,15 +1059,15 @@ authz-policy-time-not-before.tooltip=Defines the time before which the policy MU
authz-policy-time-not-on-after=Not On or After
authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.
authz-policy-time-day-month=Day of Month
-authz-policy-time-day-month.tooltip=Defines the day of month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the day of month before/equal which the policy MUST be granted. In this case, the policy would be granted if current day of month is between/equal the two values you provided.
+authz-policy-time-day-month.tooltip=Defines the day of month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided.
authz-policy-time-month=Month
-authz-policy-time-month.tooltip=Defines the month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the month before/equal which the policy MUST be granted. In this case, the policy would be granted if current month is between/equal the two values you provided.
+authz-policy-time-month.tooltip=Defines the month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided.
authz-policy-time-year=Year
-authz-policy-time-year.tooltip=Defines the year before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the year before/equal which the policy MUST be granted. In this case, the policy would be granted if current year is between/equal the two values you provided.
+authz-policy-time-year.tooltip=Defines the year which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current year is between or equal to the two values you provided.
authz-policy-time-hour=Hour
-authz-policy-time-hour.tooltip=Defines the hour before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the hour before/equal which the policy MUST be granted. In this case, the policy would be granted if current hour is between/equal the two values you provided.
+authz-policy-time-hour.tooltip=Defines the hour which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided.
authz-policy-time-minute=Minute
-authz-policy-time-minute.tooltip=Defines the minute before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the minute before/equal which the policy MUST be granted. In this case, the policy would be granted if current minute is between/equal the two values you provided.
+authz-policy-time-minute.tooltip=Defines the minute which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided.
# Authz Drools Policy Detail
authz-add-drools-policy=Add Drools Policy
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
index 72b6c43..f4f87aa 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@@ -9,6 +9,7 @@ module.controller('ResourceServerCtrl', function($scope, realm, ResourceServer)
module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $location, $upload, $modal, realm, ResourceServer, client, AuthzDialog, Notifications) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
ResourceServer.get({
realm : $route.current.params.realm,
@@ -82,6 +83,7 @@ module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $l
module.controller('ResourceServerResourceCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerResource, client) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.query = {
realm: realm.realm,
@@ -134,6 +136,7 @@ module.controller('ResourceServerResourceCtrl', function($scope, $http, $route,
module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerResource, ResourceServerScope, AuthzDialog, Notifications) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
ResourceServerScope.query({realm : realm.realm, client : client.id}, function (data) {
$scope.scopes = data;
@@ -265,6 +268,7 @@ module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $r
module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerScope, client) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.query = {
realm: realm.realm,
@@ -317,6 +321,7 @@ module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $lo
module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerScope, AuthzDialog, Notifications) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
var $instance = this;
@@ -426,6 +431,7 @@ module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $rout
module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.policyProviders = [];
$scope.query = {
@@ -498,6 +504,7 @@ module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $l
module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.policyProviders = [];
$scope.query = {
@@ -1200,6 +1207,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.decisionStrategies = ['AFFIRMATIVE', 'UNANIMOUS', 'CONSENSUS'];
$scope.logics = ['POSITIVE', 'NEGATIVE'];
@@ -1365,6 +1373,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $location, realm, clients, roles, ResourceServer, client, ResourceServerResource, ResourceServerScope, User, Notifications) {
$scope.realm = realm;
$scope.client = client;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.clients = clients;
$scope.roles = roles;
$scope.authzRequest = {};
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
index 3bbd471..c015dfa 100755
--- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
@@ -812,6 +812,7 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, templates,
$scope.samlEncrypt = false;
$scope.samlForcePostBinding = false;
$scope.samlForceNameIdFormat = false;
+ $scope.showAuthorizationTab = client.authorizationServicesEnabled;
function updateProperties() {
if (!$scope.client.attributes) {
diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
index a0d88c6..96d9ada 100755
--- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
+++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
@@ -19,7 +19,7 @@
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/scope-mappings">{{:: 'scope' | translate}}</a>
<kc-tooltip>{{:: 'scope.tooltip' | translate}}</kc-tooltip>
</li>
- <li ng-class="{active: path[4] == 'authz'}" data-ng-show="client.authorizationServicesEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | translate}}</a></li>
+ <li ng-class="{active: path[4] == 'authz'}" data-ng-show="showAuthorizationTab"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | translate}}</a></li>
<li ng-class="{active: path[4] == 'revocation'}"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a></li>
<!-- <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> -->
<li ng-class="{active: path[4] == 'sessions'}" data-ng-show="!client.bearerOnly">