Policy Enforcer consumes body if a Claim extracts value from Request body and results in an error in the Java application
Describe the bug
In our Spring Boot application we try to retrieve a value from the request body to evaluate it in our JavaScript Policy.
We are able to extract the value from the request body as explained in the documentation via:
"claim-from-json-body-object": "{request.body['/a/b/c']}"
After Keycloak evaluation succeeds we get a 400 Bad Request error in Spring Boot as the request body is null. The behavior was also described on Stack Overflow a few months ago.
Version
18
Expected behavior
The Keycloak Policy Enforcer extracts the desired value from the request body, the evaluation succeeds and afterwards the body is still available for further processing to the Spring Boot application.
Actual behavior
The Policy Enforcer retrieves the request body and consumes it. Afterwards the body is no longer available in Spring Boot and the result is a 400 Bad Request error.
How to Reproduce?
- add configuration to a Spring Boot application to retrieve values from a request body, e.g.:
claimInformationPointConfig.claims[user.id]={request.body['/userId']}
- create a JavaScript Policy that retrieves the value
- create an Endpoint in the Java Application that is secured by the Policy
Issue Analytics
- Created: a year ago
- Comments: 7 (2 by maintainers)
Top GitHub Comments
Hey Pedro, I have been looking into it with a colleague and we found a solution to make the body readable multiple times with all the subsequent valves/filters. However, as a new sprint started we did not have the time yet to integrate it into the Keycloak Adapter or write any tests. I will follow the discussion around the adapter deprecation though. Thank you for your help!
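As an added illustration of the general technique the comment above refers to (buffering the body once so every later valve or filter and the controller itself can read it), and not the commenter's own solution or any Keycloak adapter code: the wrapper below keeps a capped copy of a JSON body and serves a fresh stream on every read. It assumes Spring Boot 2.x with the javax.servlet namespace (Spring Boot 3 uses jakarta.servlet); the class names, the 1 MiB limit and the filter ordering are assumptions for the example.

```java
// Added example, not code from the issue or from Keycloak: buffer the JSON body once so a
// claim lookup and the Spring controller can both read it. Assumes Spring Boot 2.x / javax.servlet.
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/** Thrown when a body is larger than we are willing to hold in memory. */
class BodyTooLargeException extends IOException {
    BodyTooLargeException(long max) { super("request body exceeds " + max + " bytes"); }
}

/** Keeps one copy of the body and hands out a fresh stream on every getInputStream()/getReader(). */
class RereadableBodyRequest extends HttpServletRequestWrapper {
    private final byte[] body;

    RereadableBodyRequest(HttpServletRequest request, long maxBytes) throws IOException {
        super(request);
        // Drain the original stream exactly once, refusing to buffer more than maxBytes
        // (Content-Length may be absent for chunked requests, so the cap is enforced while reading).
        this.body = readCapped(request.getInputStream(), maxBytes);
    }

    private static byte[] readCapped(InputStream in, long max) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            if (out.size() + n > max) throw new BodyTooLargeException(max);
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    @Override
    public ServletInputStream getInputStream() {
        ByteArrayInputStream copy = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return copy.read(); }
            @Override public boolean isFinished() { return copy.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) { /* blocking reads only */ }
        };
    }

    @Override
    public BufferedReader getReader() throws IOException {
        String enc = getCharacterEncoding() != null ? getCharacterEncoding() : StandardCharsets.UTF_8.name();
        return new BufferedReader(new InputStreamReader(getInputStream(), enc));
    }
}

/** Wraps JSON requests before the security filter chain runs (ordering is an assumption; adjust to your setup). */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class RereadableBodyFilter extends OncePerRequestFilter {
    // Constructed limit for the example; size it to the largest body the application legitimately accepts.
    private static final long MAX_BUFFERED_BYTES = 1024 * 1024;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String contentType = request.getContentType();
        boolean json = contentType != null && contentType.toLowerCase().startsWith("application/json");
        if (!json) {
            chain.doFilter(request, response); // only JSON bodies are inspected by the claim lookup
            return;
        }
        RereadableBodyRequest wrapped;
        try {
            wrapped = new RereadableBodyRequest(request, MAX_BUFFERED_BYTES);
        } catch (BodyTooLargeException e) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(wrapped, response);
    }
}
```

Two points to check before relying on this. First, the wrapper only helps if it is installed ahead of whatever reads the body: when the Keycloak adapter runs as a Tomcat valve rather than a servlet filter, the valve executes before any filter and the wrapping has to happen at the valve level instead. Second, buffering bodies in memory is only safe with a hard cap enforced while reading, as above, since Content-Length can be missing or lie.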
Hey @robinhh, it was mentioned by Pedro (@pedroigor) that there is a discussion about adapter deprecation in this ticket: https://github.com/keycloak/keycloak/discussions/11681
However, the discussion there also stopped.