[keycloak-user] Permission with multiple scopes - what does it mean exactly?

Pedro Igor Silva psilva at redhat.com
Tue Dec 4 12:04:58 EST 2018


Hi,

The scope set on a resource does not necessarily mean access to the
resource/scopes. Access is granted depending on the policies associated
with the permissions you have for both resources and scopes.

If you could provide more details on how to reproduce #2, I would appreciate it.
However, if the permission in #2 is denying access, it will also be denied
for the resource scope.

On Tue, Dec 4, 2018 at 2:42 PM cen <imbacen at gmail.com> wrote:

> Hi.
>
> In UMA authorization, when adding a scope Permission you can specify a
> set of scopes. What a "set" means exactly is not very well documented.
> By trial and error I figured out that:
>
> 1. Resource with single scope and corresponding permission with same
> (single) scope works as expected.
>
> 2. Resource with single scope and permission with multiple scopes, of
> which one of them is the resource scope, does not work (auth not granted).
>
>
> Scope set on resource to me means: this is all the things the resource
> owner is allowed to do with it.
>
> Scope set on permission to me means: apply these policies if either of
> these scopes is needed. That does not seem to be the case though, according
> to point #2.
>
>
> Can someone shed some light on how scope set on resource resolves against
> permission scope set?
>
>
> Best regards, cen
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

