[keycloak-user] Why does scope permission denial affect the whole resource availability?

Bruno Oliveira bruno at abstractj.org
Thu Jul 7 08:54:57 EDT 2016


Good morning, I'm not sure if I follow you on this, but if
you look at OIDC spec[1], scope is required. Plus, there's
some explanation here[2].

I hope it helps.

[1] - http://openid.net/specs/openid-connect-core-1_0.html
[2] - https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/roles/client-scope.html

On 2016-07-04, Artem Voskoboynick wrote:
> Looks like I've clarified the problem:
> A resource with scopes won't be permitted if there are no permitted scopes.
>
> This is a strange behavior - if there are no permitted scopes, the resource
> should still be available, it just doesn't have any additional actions
> (scopes) permitted.
> In support of this, if you take a resource without scopes, the resource is
> available (given all resource permissions are permitted). But following the
> current logic by which Keycloak handles scopes, the resource shouldn't be
> available then, since there are no available scopes.
>
> Now, the only solution is to create a dummy scope and always assign it to
> resources, so that they don't get blocked when no other scopes are
> available.
>
> I think this behavior should be changed.
> What do you think?

> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


--

abstractj
PGP: 0x84DC9914
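An added example, not code from the thread or from Keycloak itself: a simplified Python model of the evaluation rule Artem describes, showing the current behaviour, his proposed alternative and the dummy-scope workaround side by side. `Resource`, `evaluate` and the `require_scope` switch are assumptions of this model, not Keycloak's API.

```python
# Simplified model (assumption, not Keycloak's implementation) of how a
# resource-level grant and scope-level grants combine into one decision.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    name: str
    scopes: frozenset = field(default_factory=frozenset)  # scopes declared on it


@dataclass(frozen=True)
class Decision:
    granted: bool
    scopes: frozenset  # scopes the caller may actually use on the resource


def evaluate(resource, resource_permitted, permitted_scopes, require_scope=True):
    """resource_permitted: outcome of the resource-level permissions.
    permitted_scopes: scopes the scope-level permissions granted.
    require_scope=True models the behaviour reported in the thread (a resource
    that declares scopes is denied when none of them is permitted);
    require_scope=False models the proposal (the resource-level grant stands
    on its own and permitted scopes are purely additive)."""
    if not resource_permitted:
        return Decision(False, frozenset())
    granted_scopes = frozenset(permitted_scopes) & resource.scopes
    if require_scope and resource.scopes and not granted_scopes:
        return Decision(False, frozenset())  # the edge case from the thread
    return Decision(True, granted_scopes)


def with_dummy_scope(resource, dummy="dummy"):
    """The workaround from the thread: attach an always-permitted dummy scope."""
    return Resource(resource.name, resource.scopes | {dummy})


if __name__ == "__main__":
    doc = Resource("document", frozenset({"read", "write"}))
    print("current, no scopes permitted:", evaluate(doc, True, set()))
    print("proposed, no scopes permitted:", evaluate(doc, True, set(), require_scope=False))
    print("workaround:", evaluate(with_dummy_scope(doc), True, {"dummy"}))
```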
