[keycloak-user] Incorrect UMA Policy Evaluation

Geoffrey Cleaves geoff at opticks.io
Thu Dec 13 13:28:42 EST 2018


Perhaps it's a bug introduced in the release that came out a few days ago.
Not that many people use it, and I get the impression that not many people
use UMA policy evaluation.

On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina at sap.com> wrote:

> Just to be 100% certain, I created a test resource with its own resource
> type and tried again. It shows the same behavior. Keycloak’s policy
> enforcement mode is set to “enforcing”.
>
> I will create a ticket. However, if it ends up being a bug, wouldn’t that
> be a fairly substantial flaw in the policy evaluation engine that should be
> causing problems all over the place in Keycloak systems out there? I’m a
> bit puzzled.
>
>
>
>
>
> *From: *Geoffrey Cleaves <geoff at opticks.io>
> *Date: *Wednesday, December 12, 2018 at 11:32 PM
> *To: *"Lamina, Marco" <marco.lamina at sap.com>
> *Cc: *keycloak-user <keycloak-user at lists.jboss.org>
> *Subject: *Re: [keycloak-user] Incorrect UMA Policy Evaluation
>
>
>
> Also, if you have a resource level permission which grants access, I think
> that includes all scopes, so look into that.
>
>
>
> On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io> wrote:
>
> From your description it sounds like a bug. I believe there's a setting
> where you instruct KC to enforce permissions or not and if you don't select
> enforce, the default is to grant permission. Make sure you've got the
> correct.
>
>
>
> You'll need to open a bug report on Jira with clear steps to reproduce the
> problem.
>
>
>
> On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com> wrote:
>
> Hi,
> I’m using the protection API to manage UMA policies for my Keycloak
> resources. However, I get false-positive results when requesting
> permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID “dataset-42” and two scopes “view” and “delete”.
> I create a UMA policy granting my user “view” access to this resource. If I
> now call the token endpoint (as suggested in [1]) to obtain permissions for
> the “delete” scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> , I get the following (confusing) result:
>
> [{
>         "scopes": ["view"],
>         "rsid": "dataset-42",
>         "rsname": "urn:atlas-api:resources:dataset:42"
>     }]
>
> When setting “response_mode=decision”, I get:
>
> {
>     "result": true
> }
>
> There is no policy that gives my user access to the “delete” scope
> anywhere, so shouldn’t I get a negative result here?
>
> Links:
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

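The thread turns on a resource server trusting `response_mode=decision` (`{"result": true}`) when the requested scope was never granted. A defensive resource server can instead request `response_mode=permissions` and check that the requested scope actually appears in the returned permission's `scopes`. The following is an added example written for this thread, not code from Keycloak or from either poster; it assumes Keycloak's documented `permission=<resource_id>#<scope>` request format and the `rsid`/`rsname`/`scopes` fields shown in Marco's quoted response. The `require_explicit_scope` switch and the sample response are constructed for the example.

```python
import json

# Constructed sample: the "confusing" permissions response quoted in the thread,
# returned for a request of permission=dataset-42#delete.
PERMISSIONS_RESPONSE = json.dumps([{
    "scopes": ["view"],
    "rsid": "dataset-42",
    "rsname": "urn:atlas-api:resources:dataset:42",
}])


def parse_permission_request(permission: str):
    """Split a 'resource_id#scope' permission parameter.

    Returns (resource_id, scope); scope is None when only the resource
    was requested (no '#' or an empty scope part).
    """
    if "#" in permission:
        rsid, scope = permission.split("#", 1)
        return rsid, (scope or None)
    return permission, None


def scope_granted(requested: str, permissions_json: str,
                  require_explicit_scope: bool = True) -> bool:
    """Decide locally whether the permissions response grants the requested scope.

    Deny by default: a permission for a different resource, or a permission
    listing other scopes, never satisfies the request. A permission entry with
    no 'scopes' key is treated as resource-wide access only when the caller
    sets require_explicit_scope=False (hypothetical switch for this example).
    """
    rsid, scope = parse_permission_request(requested)
    for perm in json.loads(permissions_json):
        if perm.get("rsid") != rsid:
            continue
        if scope is None:
            # Only access to the resource itself was requested.
            return True
        scopes = perm.get("scopes")
        if scopes is None:
            return not require_explicit_scope
        if scope in scopes:
            return True
    return False


def evaluate(requested: str, permissions_json: str, decision_json: str) -> dict:
    """Compare the server's decision-mode answer with the scope-level check,
    flagging the mismatch described in the thread."""
    decision = json.loads(decision_json).get("result") is True
    local = scope_granted(requested, permissions_json)
    return {"decision_mode": decision, "scope_check": local,
            "mismatch": decision and not local}


if __name__ == "__main__":
    # Constructed decision-mode response from the thread.
    print(evaluate("dataset-42#delete", PERMISSIONS_RESPONSE, '{"result": true}'))
```

Gating the protected operation on `scope_granted` rather than on the decision-mode `result` means a policy engine that answers `true` for an ungranted scope cannot by itself let a `delete` through.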