[keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

Pedro Igor Silva psilva at redhat.com
Wed Nov 14 07:03:52 EST 2018


When asking for *all* permissions a user has, the policy evaluation engine
resolves the resources as follows:

1) Get all resources owned by the user
2) Get all resources owned by the resource server
3) Get all resources granted by another user to the user based on UMA and
permission tickets.

NOTE: when doing an "all" request we don't fetch all resources managed by
the server.

If you are not getting the resources owned by other users, it is probably
because they were not granted based on permission tickets (UMA flow). I
would suggest you get the id for one of these resources and send an
authorization request using the resource id to see what you get.

Regards.
Pedro Igor
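A concrete form of the diagnostic suggested above, added here as an example and not code from this post or from the Keycloak project: it builds the two authorization requests against the token endpoint (one with no `permission` parameter for "all", one naming a specific resource id) using the `urn:ietf:params:oauth:grant-type:uma-ticket` grant with `response_mode=permissions`, then compares what the "all" reply lists against what a per-resource query grants. The token endpoint URL, the `my-api` audience, the resource ids and the JSON replies are constructed assumptions; a real run would use `live_diagnose` with a bearer token for the user in question.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Grant type Keycloak's token endpoint uses for authorization requests.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(token_endpoint, access_token, audience,
                             permissions=None, response_mode="permissions"):
    """Build (url, headers, body) for an authorization request.

    permissions: list of "resource_id" or "resource_id#scope" strings;
    None means "everything the user is entitled to" (the 'all' request).
    response_mode="permissions" asks for the granted permissions as JSON
    instead of an RPT, which is what a diagnostic wants to inspect.
    """
    fields = [("grant_type", UMA_GRANT), ("audience", audience),
              ("response_mode", response_mode)]
    for perm in permissions or []:
        fields.append(("permission", perm))
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_endpoint, headers, urlencode(fields).encode()


def send_permission_request(token_endpoint, headers, body):
    """POST the request; returns the parsed JSON list, or [] on 403.

    Keycloak answers 403 (access_denied) when nothing is granted, so an
    empty list is the faithful translation for this diagnostic.
    """
    req = Request(token_endpoint, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 403:
            return []
        raise


def permissions_by_resource(response):
    """Map rsid -> set of scopes from a response_mode=permissions reply."""
    out = {}
    for entry in response:
        out.setdefault(entry["rsid"], set()).update(entry.get("scopes", []))
    return out


def granted_but_missing_from_all(all_response, per_resource_responses):
    """Resource ids that a per-resource query grants (at least one scope)
    but that the 'all' reply did not list with that scope."""
    seen_in_all = permissions_by_resource(all_response)
    missing = set()
    for resp in per_resource_responses:
        for rsid, scopes in permissions_by_resource(resp).items():
            if scopes - seen_in_all.get(rsid, set()):
                missing.add(rsid)
    return missing


def live_diagnose(token_endpoint, access_token, audience, resource_ids):
    """Run the 'all' query, then one query per suspect resource id, and
    report which of those resources the 'all' query left out."""
    all_reply = send_permission_request(
        *build_permission_request(token_endpoint, access_token, audience))
    per_resource = [
        send_permission_request(
            *build_permission_request(token_endpoint, access_token, audience, [rsid]))
        for rsid in resource_ids
    ]
    return granted_but_missing_from_all(all_reply, per_resource)


# Constructed sample replies (assumed shape of response_mode=permissions;
# not captured from a real server).
ALL_REPLY = [
    {"rsid": "a1", "rsname": "alice-doc", "scopes": ["read", "write"]},  # owned by the user
    {"rsid": "s1", "rsname": "shared-config", "scopes": ["read"]},       # owned by the resource server
]
BOB_DOC_REPLY = [
    {"rsid": "b7", "rsname": "bob-doc", "scopes": ["read"]},  # owned by another user
]

if __name__ == "__main__":
    # Offline run over the constructed replies; b7 is granted individually
    # but absent from the 'all' reply, which is the symptom being discussed.
    print(granted_but_missing_from_all(ALL_REPLY, [BOB_DOC_REPLY]))
```

If a resource id shows up only in the per-resource query, check how that resource was shared: a share that went through a permission ticket (the UMA flow) is what the "all" request resolves, whereas a policy that merely evaluates to permit for that user will only be visible when the resource is named explicitly.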

On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> Hi,
> I am trying to use Keycloak’s token endpoint to obtain a list of all
> resources and the respective scopes that a user has permission to access.
> However, the behavior I am observing does not match what is described in
> the documentation (Link [1]). I am using the token endpoint as shown in
> Link [2].
>
> Expected behavior:
> Token endpoint returns a list of all resources and scopes that the token’s
> user has permission to access.
>
> Observed behavior:
> Token endpoint only returns resources that are owned by either the token’s
> user or the resource server itself. Resources owned by other users are not
> listed, even though the token’s user has permission to access them.
>
> Is that a bug or expected behavior?
>
> Links:
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> [2]
> https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

