I configured Keycloak (quay.io/keycloak/keycloak:24.0.2) with two clients:
I also set my-resource-server up as a resource server, like this:
Here is my complete configuration:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "transaction",
      "ownerManagedAccess": false,
      "displayName": "",
      "attributes": {},
      "_id": "e61bc461-85d4-4390-af7b-d594c5f4c6d7",
      "uris": [],
      "scopes": [
        {
          "name": "upload"
        }
      ],
      "icon_uri": ""
    }
  ],
  "policies": [
    {
      "id": "c2fec000-591d-41e2-94e7-6062bca6ca5b",
      "name": "store-clients",
      "description": "",
      "type": "client",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "clients": "[\"store-700\"]"
      }
    },
    {
      "id": "82cdb7dd-a70b-4272-abbd-f9d941fbdd27",
      "name": "permission-700",
      "description": "",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"transaction\"]",
        "scopes": "[\"upload\"]",
        "applyPolicies": "[\"store-clients\"]"
      }
    }
  ],
  "scopes": [
    {
      "id": "9b14076d-17a9-42a8-a8ac-a0c98dc253ca",
      "name": "upload",
      "iconUri": ""
    }
  ],
  "decisionStrategy": "UNANIMOUS"
}
When I try to evaluate this in the "Evaluate" tab, I get "Deny":
What I don't understand is why I am denied. If the policy allows that client, why does the policy vote to deny the authorization request?
Deny makes sense because the client store-700 has no relationship to the user service-account-store-700. So you need to create a user policy and assign it to the user, which is service-account-store-700.
Add the user-policy to the permission-700 permission.
And change the decision strategy from Unanimous to Affirmative.
The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive.
The evaluation will be Permit, because the user is assigned to user-policy, permission-700 has it, and the Affirmative strategy will make a "Permit" decision.
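The following is an added example, not code from the post or from Keycloak, that models the two decision-strategy rules quoted in the answer (UNANIMOUS: every applied policy must grant; AFFIRMATIVE: at least one must grant) and runs them over a policy set shaped like the question's export, before and after the answer's fix (a "user-policy" for user service-account-store-700 added to permission-700). The evaluation contexts are constructed, since the screenshot of the Evaluate tab is not on the page; the user policy's `users` config holds usernames here for readability, whereas Keycloak stores user ids (assumption), and only client and user policy types are modelled.

```python
"""Model of how Keycloak Authorization Services combines policy votes.

Added example, not code from the post or from Keycloak. It applies the two
decision-strategy rules quoted in the answer (UNANIMOUS: every applied policy
must grant; AFFIRMATIVE: at least one must grant) to a policy set shaped like
the exported settings in the question, then shows the effect of the answer's
fix: adding a user policy and switching permission-700 to AFFIRMATIVE.
"""
import copy
import json

# Policies copied from the question's export (ids dropped). Permission
# "permission-700" applies the client policy "store-clients".
PAGE_SETTINGS = {
    "policies": [
        {"name": "store-clients", "type": "client", "logic": "POSITIVE",
         "decisionStrategy": "UNANIMOUS",
         "config": {"clients": "[\"store-700\"]"}},
        {"name": "permission-700", "type": "scope", "logic": "POSITIVE",
         "decisionStrategy": "UNANIMOUS",
         "config": {"resources": "[\"transaction\"]",
                    "scopes": "[\"upload\"]",
                    "applyPolicies": "[\"store-clients\"]"}},
    ]
}

# Constructed evaluation contexts. Keycloak names a client's service-account
# user "service-account-<clientId>", as the answer does.
CTX_STORE_CLIENT = {"client_id": "store-700", "user": "service-account-store-700"}
CTX_OTHER_CLIENT = {"client_id": "my-resource-server", "user": "service-account-store-700"}


def policy_grants(policy, ctx):
    """Vote of one policy for the given context; only client/user types are modelled."""
    cfg = policy["config"]
    if policy["type"] == "client":
        matched = ctx["client_id"] in json.loads(cfg["clients"])
    elif policy["type"] == "user":
        # Assumption: Keycloak stores user ids here; usernames are used for readability.
        matched = ctx["user"] in json.loads(cfg["users"])
    else:
        raise ValueError(f"unsupported policy type {policy['type']!r}")
    # A NEGATIVE-logic policy inverts its own outcome.
    return matched if policy["logic"] == "POSITIVE" else not matched


def combine(votes, strategy):
    """Combine individual votes under a decision strategy (no votes => deny)."""
    if not votes:
        return False
    if strategy == "UNANIMOUS":
        return all(votes)
    if strategy == "AFFIRMATIVE":
        return any(votes)
    if strategy == "CONSENSUS":
        return votes.count(True) > votes.count(False)
    raise ValueError(f"unknown decision strategy {strategy!r}")


def evaluate_permission(settings, permission_name, ctx):
    """Return 'PERMIT' or 'DENY' for one permission in the given context."""
    by_name = {p["name"]: p for p in settings["policies"]}
    perm = by_name[permission_name]
    applied = json.loads(perm["config"]["applyPolicies"])
    votes = [policy_grants(by_name[name], ctx) for name in applied]
    return "PERMIT" if combine(votes, perm["decisionStrategy"]) else "DENY"


def with_user_policy(settings, strategy):
    """Apply the answer's fix: add 'user-policy' to permission-700 and set its strategy."""
    fixed = copy.deepcopy(settings)
    fixed["policies"].append({
        "name": "user-policy", "type": "user", "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {"users": "[\"service-account-store-700\"]"},
    })
    perm = next(p for p in fixed["policies"] if p["name"] == "permission-700")
    perm["config"]["applyPolicies"] = json.dumps(["store-clients", "user-policy"])
    perm["decisionStrategy"] = strategy
    return fixed


if __name__ == "__main__":
    variants = [("original", PAGE_SETTINGS),
                ("fix, UNANIMOUS", with_user_policy(PAGE_SETTINGS, "UNANIMOUS")),
                ("fix, AFFIRMATIVE", with_user_policy(PAGE_SETTINGS, "AFFIRMATIVE"))]
    for label, settings in variants:
        for ctx in (CTX_STORE_CLIENT, CTX_OTHER_CLIENT):
            print(f"{label:17} client={ctx['client_id']:19} -> "
                  f"{evaluate_permission(settings, 'permission-700', ctx)}")
```

Running it shows the point of the answer: with the user policy added but the permission still UNANIMOUS, a context whose client is not store-700 is still denied, because the client policy's single deny vote blocks the permission; under AFFIRMATIVE the user policy's grant is enough.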