Tags: oauth-2.0, keycloak, openid-connect

Keycloak - Permissions & Policy only works when using Evaluate tab


Our team is looking to use Policies/Permissions in Keycloak to grant scopes to a user when they log in, but only if they have a specific role.

I've gone through a couple tutorials and was successful in setting it up and testing it using the Evaluate tab (under Authorization). If my user has the specified role in my policy, the scope shows up in the token. When I remove the role, the scope does not show up.

That's all great. Our problem is that it doesn't work when I make an authentication code flow call using the same client (i.e. not using the evaluate tab). I never get any authorization section in my token at all...this only appears when I use the Evaluate tab.

I'll note that I've tried auth code flow calls requesting the scope as well as requesting the resource and also not requesting them. Same result...no authorization section at all in the generated token.

Am I missing something on how this functionality is supposed to work? Where could my gap be? TIA!


Solution

The token you obtain in the Evaluate tab is not an access token; it's an authorization token that Keycloak will issue to clients when they ask for permissions.

The access token you obtain via the authorization code flow will not contain permissions.

When using Keycloak Authorization Services, your clients will obtain permissions by requesting an authorization token from the Authorization REST API (cf. https://www.keycloak.org/docs/latest/authorization_services/#_service_obtaining_permissions).

You can do that manually or instead use a policy enforcer, which is integrated in the Keycloak adapters.

There are lots of examples of what you want to achieve in the keycloak quickstart GitHub repo (folders starting with app-authz-*).
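To make the distinction concrete, here is an added example (not code from the question or the answer) that builds the UMA-ticket request a client sends to the token endpoint to obtain the authorization token (RPT) described above, and then reads the `authorization.permissions` claim from the returned token. The base URL, realm, client id, resource name and the sample tokens are constructed placeholders; the token decoding here does not verify the signature, so a real client must validate the RPT against the realm's public key before acting on it.

```python
import base64
import json
from urllib.parse import urlencode

# Grant type Keycloak uses for obtaining permissions (RPT) from the token endpoint.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(base_url, realm, client_id, access_token, permissions=None):
    """Return (url, headers, body) for the RPT request.

    permissions: entries like "resource#scope"; None asks Keycloak to
    evaluate every permission the user's policies grant on this client.
    The access_token is the plain token from the authorization code flow.
    """
    form = [("grant_type", UMA_GRANT), ("audience", client_id)]
    for perm in permissions or []:
        form.append(("permission", perm))
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(form)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_scopes(token):
    """Map resource name -> set of scopes from the token's authorization claim.

    Signature is NOT checked here; verify the JWT before trusting the result.
    A plain access token has no 'authorization' claim and yields {}.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    perms = payload.get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}


def has_scope(token, resource, scope):
    return scope in granted_scopes(token).get(resource, set())


def _mk_token(payload):
    """Build a constructed, unsigned JWT-shaped token for offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed samples: an RPT with one granted permission, and a plain access token.
SAMPLE_RPT = _mk_token({"sub": "user-placeholder", "authorization": {"permissions": [
    {"rsname": "report", "rsid": "resource-id-placeholder", "scopes": ["view"]}]}})
PLAIN_ACCESS_TOKEN = _mk_token({"sub": "user-placeholder", "realm_access": {"roles": ["manager"]}})
```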