Description
The evaluation available in JavaScript policies is very restricted. Concretely I wanted to create a "DebySelfElevation" policy which matched the id of the context identity() with the userId being added to a group. I could for example have solved this by parsing the requestPath, but that is not available, as far as I can tell.
Please consider adding the KeycloakSession to the evaluation context, or a subset thereof.
Discussion
No response
Motivation
It will greatly enhance what's possible to achieve in JavaScript policies.
Details
Adding this data to $evaluation seems like a minor task. setXXX() functions should not be available, and as such there doesn't seem to be any major security vector arising from this. Since JavaScript policies are provided as jar files, this is also not something that users will be able to exploit in any meaningful way with regard to leakage of PII.
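As an added illustration (not code from the issue author or from Keycloak), the block below shows the shape of the self-elevation check the description asks for, written against the parts of $evaluation that Keycloak does expose today: getContext(), getIdentity().getId(), getAttributes().getValue(name), Entry.asString(0), grant() and deny(). The "target_user_id" attribute is an assumption made for the demo: Keycloak does not supply the affected user's id for an admin group-membership request, which is exactly the gap the issue describes, so the policy fails closed when it is absent. The $evaluation object itself is replaced by a constructed stand-in so the policy can run outside Keycloak.

```javascript
// Added example, not part of the issue or of Keycloak.
// Policy intent: deny a request when the acting identity is the same user
// that is being added to a group (self-elevation); grant otherwise.

// ASSUMPTION: a context attribute carrying the target user's id. Keycloak does
// not provide this for admin group-membership requests; it is what the issue asks for.
const TARGET_USER_ATTR = 'target_user_id';

// The policy body as it would be written in a Keycloak JavaScript policy,
// with the injected $evaluation passed in as a parameter so it runs here.
// Returns a short tag describing the decision so callers (and tests) can check it.
function denySelfElevation(evaluation) {
  const context = evaluation.getContext();
  const actorId = context.getIdentity().getId();
  const entry = context.getAttributes().getValue(TARGET_USER_ATTR);

  // Fail closed: without a target user id we cannot rule out self-elevation.
  if (entry === null || entry === undefined) {
    evaluation.deny();
    return 'deny:missing-target';
  }

  const targetId = entry.asString(0);
  if (targetId === actorId) {
    evaluation.deny();
    return 'deny:self';
  }

  evaluation.grant();
  return 'grant';
}

// Constructed stand-in for the $evaluation object Keycloak injects into JS policies.
// ASSUMPTION: only the methods used above are modelled; attributes map a name to
// an array of string values, mirroring Keycloak's multi-valued attribute entries.
function makeEvaluation(actorId, attributes) {
  let effect = null;
  return {
    getContext: () => ({
      getIdentity: () => ({ getId: () => actorId }),
      getAttributes: () => ({
        getValue: (name) =>
          Object.prototype.hasOwnProperty.call(attributes, name)
            ? { asString: (idx) => attributes[name][idx] }
            : null,
      }),
    }),
    grant: () => { effect = 'PERMIT'; },
    deny: () => { effect = 'DENY'; },
    // Helper for inspection; real Evaluation objects do not expose this.
    getEffect: () => effect,
  };
}

// Constructed sample requests: self-elevation, a legitimate admin action, and a
// request where the target id is unavailable (today's situation per the issue).
const samples = [
  makeEvaluation('user-42', { target_user_id: ['user-42'] }),
  makeEvaluation('admin-1', { target_user_id: ['user-42'] }),
  makeEvaluation('user-42', {}),
];
for (const ev of samples) {
  console.log(denySelfElevation(ev), ev.getEffect());
}
```

Because the third sample denies rather than grants, the policy is safe to deploy even before the requested context data exists; it simply blocks every group-membership change until Keycloak can tell it who the target user is.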