3scale / APIcast

3scale API Gateway
Apache License 2.0

Keycloak role check policy - only whitelisted resources (endpoints) are allowed #889

Closed mayorova closed 5 years ago

mayorova commented 6 years ago

I noticed the following behavior in the current implementation of the Keycloak role check policy:

It looks like when the "whitelist" type is used, ALL endpoints you have configured need to have rules defined; otherwise authorization fails.

For example, if I have a number of endpoints, say, /one, /two, /three, and I don't care about roles for these ones - I just authorize normally (using mapping rules and rate limits). But then I also have an /admin endpoint for which I want to check if the admin role appears in the JWT (as a realm role, for example).

If I configure "whitelist" for resource /admin with the realm role admin, all other endpoints will fail. It looks like this is the desired behavior (spec). But to me it seems quite limited, as it obliges me to duplicate all mapping rules in the role check policy configuration, even if I don't care about the roles JWT token has for these endpoints.

@y-tabata @tmogi001 Is this how you expect the policy to work?

y-tabata commented 6 years ago

@mayorova Yes, it is. If you configure "whitelist", you need to configure all endpoints. When you want clients to access only limited endpoints, or you don't want clients to access unmanaged endpoints such as a new endpoint for testing or internal endpoints, you should use "whitelist".

In your use case, you should use "blacklist", I think. Prepare a non-admin role like member; then you can configure it as follows.

{
  "scopes": [
    {
      "realm_roles": [ { "name": "member" } ],
      "resource": "/admin"
    }
  ],
  "type": "blacklist"
}
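Added worked example (editor's model, not part of this thread and not APIcast's own Lua code): a small Python evaluator of the two policy modes as described above, whitelist (a request passes only if some scope matches its path and a role in the token) and blacklist (a request is denied if some scope matches, otherwise it passes). The JWT claims, the `my-client` client name and the glob-style resource matching are constructed assumptions for illustration; APIcast's real resource matching and client_roles defaulting are not reproduced here.

```python
import fnmatch

# Constructed sample claims, in the shape Keycloak puts them in an access token
# (realm roles under realm_access, client roles under resource_access). Not real tokens.
ADMIN_TOKEN = {"realm_access": {"roles": ["admin"]},
               "resource_access": {"my-client": {"roles": ["reader"]}}}
MEMBER_TOKEN = {"realm_access": {"roles": ["member"]}, "resource_access": {}}
NO_ROLE_TOKEN = {"realm_access": {"roles": []}, "resource_access": {}}

# The configuration from the original question: whitelist admin on /admin only.
WHITELIST_ADMIN_ONLY = {
    "type": "whitelist",
    "scopes": [{"realm_roles": [{"name": "admin"}], "resource": "/admin"}],
}

# The configuration suggested in the reply: blacklist the member role on /admin.
BLACKLIST_MEMBER_ON_ADMIN = {
    "type": "blacklist",
    "scopes": [{"realm_roles": [{"name": "member"}], "resource": "/admin"}],
}


def token_roles(claims):
    """Return (realm_roles, {(client, role)}) extracted from decoded JWT claims."""
    realm = set(claims.get("realm_access", {}).get("roles", []))
    client = {(c, r)
              for c, v in claims.get("resource_access", {}).items()
              for r in v.get("roles", [])}
    return realm, client


def scope_matches(scope, path, claims):
    """True if the scope's resource matches the path AND one of its roles is in the token.

    Resource matching is a glob on the request path here (assumption: "/admin" or
    "/admin/*"); client_roles entries are expected to carry an explicit "client" key.
    """
    if not fnmatch.fnmatchcase(path, scope["resource"]):
        return False
    realm, client = token_roles(claims)
    if any(r["name"] in realm for r in scope.get("realm_roles", [])):
        return True
    return any((r["client"], r["name"]) in client for r in scope.get("client_roles", []))


def is_allowed(policy, path, claims):
    """Apply whitelist/blacklist semantics: whitelist requires a match, blacklist forbids one."""
    matched = any(scope_matches(s, path, claims) for s in policy["scopes"])
    if policy["type"] == "whitelist":
        return matched
    if policy["type"] == "blacklist":
        return not matched
    raise ValueError("unknown policy type: %r" % policy["type"])


def decision_table(policy):
    """Evaluate the sample tokens against /admin and an unlisted endpoint /one."""
    tokens = {"admin": ADMIN_TOKEN, "member": MEMBER_TOKEN, "no-role": NO_ROLE_TOKEN}
    return {(name, path): is_allowed(policy, path, claims)
            for name, claims in tokens.items()
            for path in ("/admin", "/one")}


if __name__ == "__main__":
    for label, policy in (("whitelist", WHITELIST_ADMIN_ONLY),
                          ("blacklist", BLACKLIST_MEMBER_ON_ADMIN)):
        print(label)
        for (name, path), ok in sorted(decision_table(policy).items()):
            print("  %-8s %-7s -> %s" % (name, path, "allow" if ok else "deny"))
```

Running the model makes the trade-off in the thread concrete. Under the whitelist config, the admin token is denied on /one because no scope covers that path, which is exactly the "every endpoint needs a rule" effect the question describes. Under the blacklist config, /one passes for everyone, member is denied on /admin and admin is allowed, but a token carrying neither role also reaches /admin, since nothing matches it. So the blacklist approach only protects /admin if every non-admin user is guaranteed to hold the member role and no admin holds it; that is a Keycloak realm-role hygiene requirement worth checking before relying on the suggested configuration.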
davidor commented 5 years ago

Closing as the doubt was clarified.