[keycloak-user] Incorrect UMA Policy Evaluation

Lamina, Marco marco.lamina at sap.com
Thu Dec 13 12:36:45 EST 2018


Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak’s policy enforcement mode is set to “enforcing”.
I will create a ticket. However, if it ends up being a bug, wouldn’t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I’m a bit puzzled.


From: Geoffrey Cleaves <geoff at opticks.io>
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io> wrote:
From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.

On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com> wrote:
Hi,
I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
    "scopes": ["view"],
    "rsid": "dataset-42",
    "rsname": "urn:atlas-api:resources:dataset:42"
}]

When setting “response_mode=decision”, I get:

{
    "result": true
}

There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here?

Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco
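The request and response quoted in the post above, as an added example that is not part of the thread or of Keycloak itself: it builds the UMA-ticket form body for `permission=dataset-42#delete` and checks whether the scopes actually returned cover the scope that was asked for, rather than trusting a bare `"result": true`. The audience value `atlas-api` and the sample response are assumptions constructed from the post.

```python
"""Client-side check of a Keycloak UMA permissions response (added example)."""
import json
from urllib.parse import urlencode

# Grant type and parameter names of the Keycloak token endpoint's UMA flow.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(audience, permissions, response_mode="permissions"):
    """Form body sent to the token endpoint, e.g. permission=dataset-42#delete."""
    params = [("grant_type", UMA_GRANT), ("audience", audience),
              ("response_mode", response_mode)]
    params += [("permission", p) for p in permissions]
    return urlencode(params)  # '#' is encoded as %23


def parse_permission(perm):
    """Split 'dataset-42#delete' into (resource id, scope); scope may be absent."""
    rsid, _, scope = perm.partition("#")
    return rsid, scope or None


def granted_scopes(permissions_response):
    """Map rsid -> set of scopes from a response_mode=permissions body."""
    return {e["rsid"]: set(e.get("scopes", [])) for e in permissions_response}


def is_scope_granted(permissions_response, requested):
    """True only if the requested resource AND scope appear in the grant.

    A permission with no '#scope' part is resource-level and is satisfied by
    any entry for that resource, which matches how Keycloak treats it.
    """
    rsid, scope = parse_permission(requested)
    grants = granted_scopes(permissions_response)
    if rsid not in grants:
        return False
    return scope is None or scope in grants[rsid]


# Constructed copy of the response quoted in the post: only "view" was granted.
SAMPLE_RESPONSE = json.loads(
    '[{"scopes": ["view"], "rsid": "dataset-42",'
    ' "rsname": "urn:atlas-api:resources:dataset:42"}]'
)

if __name__ == "__main__":
    print(build_permission_request("atlas-api", ["dataset-42#delete"]))
    print(is_scope_granted(SAMPLE_RESPONSE, "dataset-42#delete"))  # False
    print(is_scope_granted(SAMPLE_RESPONSE, "dataset-42#view"))    # True
```

Treating a `decision` result as authoritative for a specific scope is exactly where the reported behaviour bites; the `permissions` response lets the client compare what was granted against what was requested.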

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
