fix: fall back to RBAC when API key auth lacks Keycloak token (#6091)

haonanan · web-flow · commit fa83853a0921 · 2026-03-13T10:47:53.000+02:00
Signed-off-by: haonanan &lt;89837754+haonanan@users.noreply.github.com&gt;
diff --git a/ee/identitymanager/identity_managers/keycloak/keycloak_authverifier.py b/ee/identitymanager/identity_managers/keycloak/keycloak_authverifier.py
@@ -346,6 +346,10 @@ def _authorize(self, authenticated_entity: AuthenticatedEntity) -> None:
         if self.keycloak_multi_org:
             return super()._authorize(authenticated_entity)
 
+        # API key auth does not carry a Keycloak token; fall back to RBAC
+        if not getattr(authenticated_entity, "token", None):
+            return super()._authorize(authenticated_entity)
+
         # for single tenant Keycloaks, use Keycloak's UMA to authorize
         try:
             permission = UMAPermission(
@@ -369,6 +373,10 @@ def _authorize(self, authenticated_entity: AuthenticatedEntity) -> None:
     def authorize_resource(
         self, resource_type, resource_id, authenticated_entity: AuthenticatedEntity
     ) -> None:
+        # API key auth does not carry a Keycloak token; skip per-resource UMA check
+        if not getattr(authenticated_entity, "token", None):
+            return
+
         # use Keycloak's UMA to authorize
         try:
             permission = UMAPermission(
