[keycloak-user] Incorrect UMA Policy Evaluation
Lamina, Marco
marco.lamina at sap.com
Wed Dec 12 19:21:55 EST 2018
Hi,
I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.
Example:
I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting:
response_mode=permissions
permission=dataset-42#delete
I get the following (confusing) result:
[{
"scopes": ["view"],
"rsid": "dataset-42",
"rsname": "urn:atlas-api:resources:dataset:42"
}]
When setting “response_mode=decision”, I get:
{
"result": true
}
There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here?
Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
Thanks,
Marco
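A client-side check for the situation described above, as an added example (not code from the post or from Keycloak itself): it builds the uma-ticket request for the token endpoint and treats a `permissions` response as a grant only when the requested resource *and* scope actually appear in it, so a `{"result": true}` decision or a response that lists only "view" is never mistaken for "delete" access. The audience value and the helper names are assumptions.

```python
"""Strict evaluation of Keycloak UMA permission responses (added example).

Assumptions: the token endpoint is called with the documented uma-ticket grant
(grant_type, audience, permission, response_mode) and a permissions response
is a list of {"rsid", "rsname", "scopes"} objects, as quoted in the post.
"""
from typing import Dict, List, Set
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(audience: str, permissions: List[str],
                             response_mode: str = "permissions") -> str:
    """Return the x-www-form-urlencoded body for the token endpoint."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience),
              ("response_mode", response_mode)]
    # One `permission` field per requested "resource#scope" pair.
    fields += [("permission", p) for p in permissions]
    return urlencode(fields)


def granted_scopes(permissions_response: List[Dict]) -> Dict[str, Set[str]]:
    """Map resource id -> set of scopes the server actually granted."""
    granted: Dict[str, Set[str]] = {}
    for entry in permissions_response:
        granted.setdefault(entry["rsid"], set()).update(entry.get("scopes", []))
    return granted


def all_requested_granted(requested: List[str],
                          permissions_response: List[Dict]) -> bool:
    """True only if every requested resource#scope is present in the response.

    A resource entry that names the resource but not the requested scope is
    treated as a denial; a request without "#scope" only needs the resource.
    """
    granted = granted_scopes(permissions_response)
    for item in requested:
        rsid, _, scope = item.partition("#")
        if rsid not in granted:
            return False
        if scope and scope not in granted[rsid]:
            return False
    return True


# Constructed sample: the response quoted in the post for dataset-42#delete.
SAMPLE_RESPONSE = [{"scopes": ["view"], "rsid": "dataset-42",
                    "rsname": "urn:atlas-api:resources:dataset:42"}]

if __name__ == "__main__":
    print(build_permission_request("my-resource-server", ["dataset-42#delete"]))
    print(all_requested_granted(["dataset-42#delete"], SAMPLE_RESPONSE))  # False
```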