I created a client with Authorization Enabled activated.
I created two scopes:
- GET
- POST
I created two resources:
- View Product with URI /api/products and scope GET
- Create Product with URI /api/products and scope POST
I created two role policies:
- All policy for the realm roles admin and user
- Admin policy for the realm role admin
I created two permissions:
- View Product permission for the View Product resource with the All policy
- Create Product permission for the Create Product resource with the Admin policy
I created two users:
- admin user with the admin role
- user user with the user role
The endpoints are exposed with Spring Boot using this config:

```yaml
server:
  port: 8084
#Keycloak authorization properties
keycloak:
  realm: poc
  resource: business-permission-api
  auth-server-url: http://localhost:8080/auth
  ssl-required: external
  credentials:
    secret: 4f69d3ff-bb14-46b5-b6cd-f7cf23a488a0
  use-resource-role-mappings: true
  bearer-only: true
  security-constraints:
    - auth-roles:
        - "*"
      security-collections:
        - name:
          patterns:
            - /*
  policy-enforcer-config:
    enforcement-mode: ENFORCING
    http-method-as-scope: true
```
Only the **View Product** resource works correctly, because both admin and user can obtain data; the Create Product resource does not, because any user can create products, whereas only the admin user should be able to.
The strange thing is that if I remove the View Product resource, then the Create Product resource works. That is, if only one resource exists at a time, it works with either resource, but if I create both resources at the same time, only one of them works correctly.
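As an added illustration (not the poster's configuration and not a confirmed fix), the policy enforcer can also be told explicitly which scope each HTTP method on a path requires, instead of deriving it from `http-method-as-scope`. It assumes a single Keycloak resource named `Product` on `/api/products` that carries both scopes, with two scope-based permissions: scope `GET` granted by the All policy and scope `POST` granted by the Admin policy.

```yaml
keycloak:
  realm: poc
  resource: business-permission-api
  auth-server-url: http://localhost:8080/auth
  bearer-only: true
  credentials:
    secret: <client-secret-placeholder>
  policy-enforcer-config:
    enforcement-mode: ENFORCING
    # Assumed layout: one resource per URI, one required scope per method.
    # Reads are checked against scope GET (All policy), writes against
    # scope POST (Admin policy) on the same resource.
    paths:
      - name: Product
        path: /api/products
        methods:
          - method: GET
            scopes:
              - GET
          - method: POST
            scopes:
              - POST
```

With this layout every request to `/api/products` resolves to the same resource, and the method alone selects which scope (and therefore which permission) the enforcer evaluates.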