Module: Keycloak::API::ProtectionResources

Extended by:
ActiveSupport::Concern
Includes:
Concerns::APIUtil
Included in:
Client
Defined in:
lib/keycloak/api/protection_resources.rb

Instance Method Summary

Methods included from Concerns::APIUtil

#admin_realm_url, #delete, #get, #post, #put, #realm_url

Instance Method Details

#granted_by_server(permissions, access_token, extra_claims: {}) ⇒ Boolean

Use this when you are mainly interested in either the overall decision or the permissions granted by the server. It is much more expensive than decoding the JWT locally, because every call asks the Keycloak server. Always use the JWT unless there is a compelling reason to use this.

Parameters:

Returns:

  • (Boolean)

    true if the permissions are granted, false when forbidden



# File 'lib/keycloak/api/protection_resources.rb', line 20

require "base64"
require "json"

def granted_by_server(permissions, access_token, extra_claims: {})
  url = admin_realm_url + "/protocol/openid-connect/token"
  # UMA 2.0 grant: ask the token endpoint for a yes/no decision on the
  # requested "resource#scope" permissions instead of decoding the RPT locally.
  params = {
    grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket",
    audience: @realm, # Keycloak documents audience as the resource server's client ID
    permission: permissions,
    response_mode: "decision"
  }
  if !extra_claims.empty?
    # Pushed claims travel as a base64-encoded JSON document (encode, not decode).
    params[:claim_token] = Base64.strict_encode64(extra_claims.to_json)
    params[:claim_token_format] = "urn:ietf:params:oauth:token-type:jwt"
  end
  res = JSON.parse post(url, params,
    headers: {content_type: :json, authorization: access_token.authorization},
    try_refresh_token: false
  )
  # Decision mode answers {"result": true}; anything else counts as not granted.
  res["result"] == true
rescue RestClient::Forbidden, RestClient::Unauthorized
  # A denied evaluation comes back as 403 (401 when the bearer token is rejected).
  false
end
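The round trip the method above performs, as an added example that is not part of the keycloak gem: it builds the UMA ticket request (including the base64-encoded pushed claims), interprets both the `decision` and `permissions` response modes, and maps a 401/403 to a denial. The resource server client ID `photo-api`, the `Album#view` permission string, the `region` claim and the `FAKE_KEYCLOAK` transport lambda are all constructed stand-ins so the example runs offline; a real deployment would post the same parameters to `<realm>/protocol/openid-connect/token` with the caller's bearer token.

```ruby
require "json"
require "base64"

# Builds the form parameters for a UMA 2.0 grant against the Keycloak token
# endpoint. `audience` is the client ID of the resource server; `permissions`
# are "resource#scope" strings. Pushed claims are sent as a base64-encoded JSON
# document, which Keycloak accepts under the jwt claim_token_format.
def build_uma_params(audience, permissions, extra_claims: {}, response_mode: "decision")
  params = {
    grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket",
    audience: audience,
    permission: permissions,
    response_mode: response_mode
  }
  unless extra_claims.empty?
    params[:claim_token] = Base64.strict_encode64(JSON.generate(extra_claims))
    params[:claim_token_format] = "urn:ietf:params:oauth:token-type:jwt"
  end
  params
end

# Interprets a token-endpoint reply. In "decision" mode the body is
# {"result": true}; in "permissions" mode it is a list of
# {"rsid", "rsname", "scopes"} entries. 401/403 means the evaluation denied access.
def interpret_uma_response(status, body, response_mode: "decision")
  return false if [401, 403].include?(status)
  raise "unexpected status #{status}" unless status == 200
  parsed = JSON.parse(body)
  case response_mode
  when "decision" then parsed["result"] == true
  when "permissions" then parsed.map { |p| [p["rsname"], Array(p["scopes"])] }.to_h
  else raise ArgumentError, "unknown response_mode #{response_mode}"
  end
end

# Full round trip through an injected transport that returns [status, body];
# the transport is where a real client would POST to the token endpoint.
def granted?(transport, audience, permissions, extra_claims: {})
  params = build_uma_params(audience, permissions, extra_claims: extra_claims)
  status, body = transport.call(params)
  interpret_uma_response(status, body)
end

# Constructed fake server (hypothetical policy): grants "Album#view" only when the
# pushed "region" claim is ["eu"], and denies everything else with 403.
FAKE_KEYCLOAK = lambda do |params|
  claims = params[:claim_token] ? JSON.parse(Base64.strict_decode64(params[:claim_token])) : {}
  allowed = Array(params[:permission]).all? { |p| p == "Album#view" } && claims["region"] == ["eu"]
  allowed ? [200, JSON.generate("result" => true)] : [403, JSON.generate("error" => "access_denied")]
end

if $PROGRAM_NAME == __FILE__
  puts granted?(FAKE_KEYCLOAK, "photo-api", ["Album#view"], extra_claims: { "region" => ["eu"] })
  puts granted?(FAKE_KEYCLOAK, "photo-api", ["Album#delete"], extra_claims: { "region" => ["eu"] })
end
```

Because every call is a network round trip to the authorization server, this path suits one-off checks where the pushed claims matter to the policy; for per-request enforcement, decode and verify the RPT the client already holds instead.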