[keycloak-user] Incorrect UMA Policy Evaluation
Geoffrey Cleaves
geoff at opticks.io
Thu Dec 13 02:29:19 EST 2018
>From your description it sounds like a bug. I believe there's a setting
where you instruct KC to enforce permissions or not and if you don't select
enforce, the default is to grant permission. Make sure you've got the
correct.
You'll need to open a bug report on Jira with clear steps to reproduce the
problem.
On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com wrote:
> Hi,
> I’m using the protection API to manage UMA policies for my Keycloak
> resources. However, I get false-positive results when requesting
> permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID “dataset-42” and two scopes “view” and “delete”.
> I create a UMA policy granting my user “view” access to this resource. If I
> now call the token endpoint (as suggested in [1]) to obtain permissions for
> the “delete” scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> , I get the following (confusing) result:
>
> [{
> "scopes": ["view"],
> "rsid": "dataset-42",
> "rsname": "urn:atlas-api:resources:dataset:42"
> }]
>
> When setting “response_mode=decision”, I get:
>
> {
> "result": true
> }
>
> There is no policy that gives my user access to the “delete” scope
> anywhere, so shouldn’t I get a negative result here?
>
> Links:
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list