Use admin console correctly in KeycloakIdentity

Fixes: keycloak#29688 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
miquelsi · May 21, 2024 · 65fcd44 · 65fcd44
1 parent bb5f308
commit 65fcd44
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 11 deletions.
diff --git a/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts b/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts
@@ -195,7 +195,7 @@ describe("Client authentication subtab", () => {
     );
   });
 
-  describe.skip("Client authorization tab access for view-realm-authorization", () => {
+  describe("Client authorization tab access for view-realm-authorization", () => {
     const clientId = "realm-view-authz-client-" + uuid();
 
     beforeEach(async () => {
@@ -241,11 +241,11 @@ describe("Client authentication subtab", () => {
       loginPage.logIn("test-view-authz-user", "password");
       keycloakBefore();
 
-      sidebarPage
-        .waitForPageLoad()
-        .goToRealm("realm-view-authz")
-        .waitForPageLoad()
-        .goToClients();
+      sidebarPage.waitForPageLoad().goToRealm("realm-view-authz");
+
+      cy.reload();
+
+      sidebarPage.waitForPageLoad().goToClients();
 
       listingPage
         .searchItem(clientId, true, "realm-view-authz")

diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
@@ -52,9 +52,10 @@ public UIRealmsResource(KeycloakSession session, AdminPermissionEvaluator auth)
             )}
     )
     public Stream<RealmNameRepresentation> getRealms() {
+        final RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
+
         Stream<RealmNameRepresentation> realms = session.realms().getRealmsStream()
                 .filter(realm -> {
-                    RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
                     return eval.canView(realm) || eval.isAdmin(realm);
                 })
                 .map((RealmModel realm) -> {

diff --git a/...ices/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/...ices/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@@ -97,12 +97,17 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
     }
 
     private void initIdentity(KeycloakSession session, AdminAuth auth) {
-        if (Constants.ADMIN_CLI_CLIENT_ID.equals(auth.getToken().getIssuedFor())
-                || Constants.ADMIN_CONSOLE_CLIENT_ID.equals(auth.getToken().getIssuedFor())) {
-            this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
+        final String issuedFor = auth.getToken().getIssuedFor();
 
+        if (Constants.ADMIN_CLI_CLIENT_ID.equals(issuedFor) || Constants.ADMIN_CONSOLE_CLIENT_ID.equals(issuedFor)) {
+            this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
         } else {
-            this.identity = new KeycloakIdentity(auth.getToken(), session);
+            ClientModel client  = session.clients().getClientByClientId(auth.getRealm(), issuedFor);
+            if (client != null && Boolean.parseBoolean(client.getAttribute(Constants.SECURITY_ADMIN_CONSOLE_ATTR))) {
+                this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
+            } else {
+                this.identity = new KeycloakIdentity(auth.getToken(), session);
+            }
         }
     }