Module: Keycloak::API::ProtectionResources

Extended by:
ActiveSupport::Concern
Includes:
Concerns::APIUtil
Included in:
Client
Defined in:
lib/keycloak/api/protection_resources.rb


Methods included from Concerns::APIUtil

#admin_realm_url, #delete, #get, #post, #put, #realm_url

Instance Method Details

#granted_by_server(permissions, access_token, extra_claims: {}) ⇒ Boolean

Use this when you are mainly interested in either the overall decision or the permissions granted by the server. This is much more expensive than decoding the JWT, because it asks the Keycloak server every time. Always use the JWT unless there is a compelling reason to use this.



# File 'lib/keycloak/api/protection_resources.rb', line 20

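# Ask the Keycloak server for an authorization decision on +permissions+.
#
# Sends a UMA-ticket grant request in "decision" response mode, so the
# server answers only with whether access is granted. Optional
# +extra_claims+ are pushed along with the request as a base64-encoded JSON
# claim token; that token carries no signature, so the server can trust its
# contents only as far as its policies trust the calling client.
#
# @param permissions permission(s) to evaluate; passed through unchanged as
#   the +permission+ parameter
# @param access_token an object whose +authorization+ value is sent as the
#   Authorization header
# @param extra_claims [Hash, nil] claims to push with the request; ignored
#   when nil or empty
# @return [Boolean] the server's "result" field, or false when the server
#   answers 401 or 403
# @raise [JSON::ParserError] if the response body is not valid JSON; other
#   transport errors propagate as raised by +post+
def granted_by_server(permissions, access_token, extra_claims: {})
  url = admin_realm_url + "/protocol/openid-connect/token"
  params = {
    grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket",
    audience: @realm,
    permission: permissions,
    response_mode: "decision"
  }
  if extra_claims && !extra_claims.empty?
    # The claim token must be base64 *encoded* JSON. The previous
    # strict_decode64 call raised ArgumentError on any JSON input, since
    # "{" and "\"" are not base64 characters.
    params[:claim_token] = Base64.strict_encode64(extra_claims.to_json)
    params[:claim_token_format] = "urn:ietf:params:oauth:token-type:jwt"
  end
  res = JSON.parse post(url, params,
    headers: {content_type: :json, authorization: access_token.authorization},
    try_refresh_token: false
  )
  res["result"]
rescue RestClient::Forbidden, RestClient::Unauthorized
  # Denied (403) or unauthenticated (401) is reported as "not granted";
  # every other failure (network, 5xx, malformed body) still propagates so
  # callers do not mistake an outage for a deny.
  false
end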