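Using the dotnet sdk, even with the default js policy, when I add resources and link them to a role-based permission, I can no longer use the KeycloakProtectionClient. I've tried debugging, but it returns a false decision every time. In addition, I changed the code to use a "response_mode" of type "permissions" so that I could see the results, and it returns: {"error":"access_denied","error_description":"not_authorized"}. I can call the Admin Api and get my resources/scopes, but that is a hack that won't scale.
I feel there is a proper way to stack permissions so that, when a call is made in VerifyAccessToResource to get the client's list of resources, it returns everything the client can do when a response_type of permissions is provided, and it validates correctly when a response_type of decision is provided, but I seem to be getting nowhere.
Thanks in advance for any suggestions/help. Attached are the scopes, resources, policies, permissions and roles.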
[
  {
    "name": "Blocks",
    "type": "urn:co:resource:blocks",
    "owner": {
      "id": "aff7a98e-4402-4c63-99af-19927b7bfe9d",
      "name": "co"
    },
    "ownerManagedAccess": true,
    "attributes": {},
    "_id": "79a1c4c7-b1b3-4f6e-b455-4e4baadd649d",
    "uris": [
      "/*"
    ],
    "scopes": [
      {
        "id": "299937e5-73e0-4513-9b97-2e9ed3b61c95",
        "name": "view",
        "iconUri": ""
      },
      {
        "id": "1ee55b71-7e6f-4b30-a50c-64a3a18af4ef",
        "name": "edit",
        "iconUri": ""
      },
      {
        "id": "8c8d05d3-6d10-48cb-9b25-8665e60e5c9b",
        "name": "delete",
        "iconUri": ""
      },
      {
        "id": "12037d09-97ad-4ecc-96ab-8616498f7902",
        "name": "create",
        "iconUri": ""
      }
    ],
    "icon_uri": ""
  },
  {
    "name": "Units",
    "type": "urn:co:resource:units",
    "owner": {
      "id": "aff7a98e-4402-4c63-99af-19927b7bfe9d",
      "name": "co"
    },
    "ownerManagedAccess": true,
    "attributes": {},
    "_id": "e54612c3-5acd-435c-9ea4-07c7c25914ff",
    "uris": [
      "/*"
    ],
    "scopes": [
      {
        "id": "299937e5-73e0-4513-9b97-2e9ed3b61c95",
        "name": "view",
        "iconUri": ""
      },
      {
        "id": "1ee55b71-7e6f-4b30-a50c-64a3a18af4ef",
        "name": "edit",
        "iconUri": ""
      },
      {
        "id": "8c8d05d3-6d10-48cb-9b25-8665e60e5c9b",
        "name": "delete",
        "iconUri": ""
      },
      {
        "id": "12037d09-97ad-4ecc-96ab-8616498f7902",
        "name": "create",
        "iconUri": ""
      }
    ],
    "icon_uri": ""
  }
]
[
  {
    "id": "730919c0-7840-4048-adc7-91110f9a3373",
    "name": "BlocksPermission",
    "description": "",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {}
  },
  {
    "id": "46d8703b-9c0e-40b2-ba70-ad9ee6ff3253",
    "name": "CoOidcClientPermission",
    "description": "",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {}
  },
  {
    "id": "bcc89740-e256-45bf-aeee-a9c7c3e15ded",
    "name": "CoOidcClientPolicy",
    "description": "",
    "type": "client",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "clients": "[\"aff7a98e-4402-4c63-99af-19927b7bfe9d\"]"
    }
  },
  {
    "id": "cfe8544d-1ffc-4d1e-948c-d1f779123f22",
    "name": "ContributorRolePolicy",
    "description": "",
    "type": "role",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "roles": "[{\"id\":\"fbd13ea1-cb09-464a-9c9b-0d20d56c8a5c\",\"required\":true}]"
    }
  },
  {
    "id": "211b5959-506a-4fda-bfd3-66f732e292c6",
    "name": "GuestRolePolicy",
    "description": "",
    "type": "role",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "roles": "[{\"id\":\"fe3da72c-ad1c-412b-a59e-82a6ee8fc0d7\",\"required\":true}]"
    }
  },
  {
    "id": "a0f8516a-70e6-4e9c-ba62-da6c0bf6b527",
    "name": "UnitsPermission",
    "description": "",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {}
  }
]
Cory