[keycloak-user] Incorrect UMA Policy Evaluation

Geoffrey Cleaves geoff at opticks.io
Thu Dec 13 02:31:22 EST 2018


Also, if you have a resource level permission which grants access, I think
that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io> wrote:

> From your description it sounds like a bug. I believe there's a setting
> where you instruct KC to enforce permissions or not and if you don't select
> enforce, the default is to grant permission. Make sure you've got the
> correct.
>
> You'll need to open a bug report on Jira with clear steps to reproduce the
> problem.
>
> On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com> wrote:
>
>> Hi,
>> I’m using the protection API to manage UMA policies for my Keycloak
>> resources. However, I get false-positive results when requesting
>> permissions for a resource via the token endpoint.
>>
>> Example:
>> I have a resource with ID “dataset-42” and two scopes “view” and
>> “delete”. I create a UMA policy granting my user “view” access to this
>> resource. If I now call the token endpoint (as suggested in [1]) to obtain
>> permissions for the “delete” scope by setting:
>>
>> response_mode=permissions
>> permission=dataset-42#delete
>>
>> I get the following (confusing) result:
>>
>> [{
>>         "scopes": ["view"],
>>         "rsid": "dataset-42",
>>         "rsname": "urn:atlas-api:resources:dataset:42"
>>     }]
>>
>> When setting “response_mode=decision”, I get:
>>
>> {
>>     "result": true
>> }
>>
>> There is no policy that gives my user access to the “delete” scope
>> anywhere, so shouldn’t I get a negative result here?
>>
>> Links:
>> [1]
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>
>> Thanks,
>> Marco
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
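The question above hinges on a check that the token endpoint does not make for you: when you ask for `permission=dataset-42#delete`, a `response_mode=permissions` reply that lists only `view`, or a `response_mode=decision` reply of `{"result": true}`, is not the same as being granted `delete`. The script below is an added example, written for this thread and not code from Keycloak or from either poster. It parses the `permission` parameter in the `resource#scope1,scope2` form, reads a permissions response shaped like the one Marco quoted (embedded here as constructed sample data), and only authorises the caller when every requested scope actually appears in the grant. The names `is_authorized`, `granted_scopes` and `decision_is_consistent` are this example's own, and treating an entry with no `scopes` list as a resource-level grant covering all scopes is an assumption taken from Geoffrey's remark, not something the thread verifies.

```python
"""Verify a Keycloak UMA token-endpoint reply against the scope that was asked for.

Added example for the thread above; constructed data, not a Keycloak API.
"""
import json

# Constructed sample replies, shaped like the two responses quoted in the post.
PERMISSIONS_RESPONSE = """[{
    "scopes": ["view"],
    "rsid": "dataset-42",
    "rsname": "urn:atlas-api:resources:dataset:42"
}]"""
DECISION_RESPONSE = '{"result": true}'


def parse_permission_param(permission):
    """Split the token endpoint's 'permission' parameter.

    Accepted forms: 'resource', 'resource#scope', 'resource#scope1,scope2'.
    Returns (resource, set_of_scopes); the set is empty when no scope was named.
    """
    resource, has_hash, scope_part = permission.partition("#")
    scopes = {s.strip() for s in scope_part.split(",") if s.strip()} if has_hash else set()
    return resource.strip(), scopes


def granted_scopes(permissions_json, resource):
    """Collect the scopes a response_mode=permissions reply grants on one resource.

    Entries match on either 'rsid' or 'rsname', so the caller may use either name.
    An entry with no 'scopes' list is taken as a resource-level grant covering every
    scope (assumption, following the reply's remark about resource-level permissions)
    and is reported as {'*'}.
    """
    granted = set()
    for entry in json.loads(permissions_json):
        if resource not in (entry.get("rsid"), entry.get("rsname")):
            continue
        scopes = entry.get("scopes")
        if not scopes:
            return {"*"}
        granted.update(scopes)
    return granted


def is_authorized(permissions_json, permission):
    """Strict check: every requested scope must be present in the grant.

    Unlike reading 'result' from response_mode=decision, this refuses when the
    server returned *some* permission on the resource but not the scope asked for.
    """
    resource, requested = parse_permission_param(permission)
    if not resource:
        raise ValueError("a resource is needed to verify the grant against")
    granted = granted_scopes(permissions_json, resource)
    if "*" in granted:
        return True
    if not requested:
        # Resource-level request: any grant on that resource is enough.
        return bool(granted)
    return requested <= granted


def decision_result(decision_json):
    """Read the boolean from a response_mode=decision reply."""
    return bool(json.loads(decision_json).get("result", False))


def decision_is_consistent(decision_json, permissions_json, permission):
    """True when the coarse decision agrees with the strict per-scope check."""
    return decision_result(decision_json) == is_authorized(permissions_json, permission)


if __name__ == "__main__":
    req = "dataset-42#delete"
    print("decision endpoint says:", decision_result(DECISION_RESPONSE))
    print("per-scope check says:  ", is_authorized(PERMISSIONS_RESPONSE, req))
    print("consistent:            ", decision_is_consistent(DECISION_RESPONSE, PERMISSIONS_RESPONSE, req))
```

Run against the sample data this prints `True`, `False`, `False` for the `delete` request: the decision reply says yes, the scope list says no, and the two disagree. A resource server acting as policy enforcement point should gate the operation on the per-scope result (or on an RPT whose `permissions` claim contains the scope) rather than on the bare decision, whatever the eventual verdict on the reported behaviour.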