
[KEYCLOAK-7543] - Policy enforcer should not delegate decisions

6/11/2018 8:17:40 AM


diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
index 67149bd..ba46088 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
@@ -140,7 +140,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
     }
 
     private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade) {
-        if (getPolicyEnforcer().getDeployment().isBearerOnly() || (isBearerAuthorization(httpFacade) && getEnforcerConfig().getUserManagedAccess() != null)) {
+        if (getEnforcerConfig().getUserManagedAccess() != null) {
             return null;
         }
 
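Review bot: The early return at line 18 now depends only on `getUserManagedAccess() != null`, so the `isBearerOnly()` and `isBearerAuthorization(httpFacade)` cases that previously short-circuited here appear to fall through to the authorization request built further down (which reads `securityContext.getToken()`); if that is the intent of "should not delegate decisions", the method should say so, because a reader will otherwise take the dropped guard for an accidental regression in bearer-only deployments. Suggested comment above the `if`: `// Only UMA-enabled deployments skip the token request; bearer-only and bearer-authenticated requests are evaluated through the authorization request below (KEYCLOAK-7543).` The body of requestAuthorizationToken continues outside this hunk, so the behavior for the remaining cases is inferred, not verified here.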
@@ -151,20 +151,15 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
             AccessToken accessToken = securityContext.getToken();
             AuthorizationRequest authzRequest = new AuthorizationRequest();
 
-            if (getEnforcerConfig().getUserManagedAccess() != null) {
-                String ticket = getPermissionTicket(pathConfig, methodConfig, getAuthzClient(), httpFacade);
-                authzRequest.setTicket(ticket);
-            } else {
-                if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
-                    authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
-                }
+            if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
+                authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
+            }
 
-                Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);
+            Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);
 
-                if (!claims.isEmpty()) {
-                    authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
-                    authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
-                }
+            if (!claims.isEmpty()) {
+                authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
+                authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
             }
 
             if (accessToken.getAuthorization() != null) {
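Review bot: `accessToken` obtained from `securityContext.getToken()` at line 23 is dereferenced unconditionally on the new lines 33 and 49, and nothing visible in this hunk establishes that `securityContext` or its token is non-null on this path; the lines preceding line 23 are outside the hunk, so if the surrounding code already guarantees it, a short comment on line 23 would make that clear, e.g. `// non-null: this path is only reached after the adapter has authenticated the request`. If it is not guaranteed, a guard such as `if (accessToken == null) { return null; }` before line 24 would keep an unauthenticated request from surfacing as a NullPointerException instead of a denial. The removal of the UMA ticket branch is consistent with the early return on `getUserManagedAccess()` in the previous hunk, so no permission-ticket request is lost by this restructuring.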