[keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

Pedro Igor Silva psilva at redhat.com
Wed Nov 14 15:34:47 EST 2018


I see. As I mentioned before, the specific resource (owned by a different
user) is not processed by the policy evaluation engine.

For this particular case, if the user is granted the typed resource, you
could just assume that he/she can fetch any resource from the database
with the same logical type, right?

On Wed, Nov 14, 2018 at 4:44 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> The permission to my resources is not given using the UMA flow, but by
> policies and permissions that I defined manually.
>
> For example, I have a resource-type-based permission that combines two
> policies with the “affirmative” strategy:
>
>    1. “User is resource owner” – JS-based policy
>    2. “User is admin” – role-based policy
>
>
> My assumption was that this will grant full access to any resources of
> that type if a user is either its owner or is assigned the ‘admin’ role.
> Using the evaluation tool, I can verify that admins have permission to
> access any resource of that type with any scope. But still, these resources
> do not show up in the permissions list I receive from the token endpoint.
>
> For context: I need this type of request to query my database for all
> objects that a given token has access to. Maybe I’m going about this the
> wrong way? Would love to hear your suggestions!
>
> *From: *Pedro Igor Silva <psilva at redhat.com>
> *Date: *Wednesday, November 14, 2018 at 4:04 AM
> *To: *"Lamina, Marco" <marco.lamina at sap.com>
> *Cc: *keycloak-user <keycloak-user at lists.jboss.org>
> *Subject: *Re: [keycloak-user] Unspecified behavior of token endpoint
> when obtaining permissions
>
>
> When asking for *all* permissions a user has, the policy evaluation engine
> resolves the resources as follows:
>
>
> 1) Get all resources owned by the user
>
> 2) Get all resources owned by the resource server
>
> 3) Get all resources granted by another user to the user based on UMA and
> permission tickets.
>
>
> NOTE: when doing an "all" request we don't fetch all resources managed by
> the server.
>
>
> If you are not getting the resources owned by other users, it is probably
> because they were not granted based on permission tickets (UMA flow). I
> would suggest you get the id for one of these resources and send an
> authorization request using the resource id to see what you get.
>
> Regards.
>
> Pedro Igor
>
> On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco <marco.lamina at sap.com>
> wrote:
>
> Hi,
> I am trying to use Keycloak’s token endpoint to obtain a list of all
> resources and the respective scopes that a user has permission to access.
> However, the behavior I am observing does not match what is described in
> the documentation (Link [1]). I am using the token endpoint as shown in
> Link [2].
>
> Expected behavior:
> Token endpoint returns a list of all resources and scopes that the token’s
> user has permission to access.
>
> Observed behavior:
> Token endpoint only returns resources that are owned by either the token’s
> user or the resource server itself. Resources owned by other users are not
> listed, even though the token’s user has permission to access them.
>
> Is that a bug or expected behavior?
>
> Links:
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> [2]
> https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

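The two requests discussed in this thread (an "all permissions" RPT request with only `audience`, and a request scoped to one resource id, as Pedro suggests) and Marco's use case of deriving "which database rows may this token touch" from the RPT, as an added example that is not part of the thread and not Keycloak's own code. It follows Pedro's hint: a grant on the typed, resource-server-owned resource is treated as a grant on every row of that logical type, while resources owned by the user or shared through UMA show up as individual resource ids. The permission entries use the `rsid`/`rsname`/`scopes` shape of Keycloak's `authorization.permissions` claim, but the resource ids, the typed-resource map, the database rows, the HS256 signing secret and the `my-api` audience are all constructed for the example; real RPTs are RS256 and must be verified against the realm key.

```python
"""Added example (not from the Keycloak project or the thread's authors).

1. build_rpt_request(): the form body for an RPT request with
   grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, either for "all"
   permissions (audience only) or for one resource id / scope.
2. accessible_objects(): given the permissions claim of an RPT, decide which
   rows of an application database the token holder may access with a scope.

The RPT is a constructed HS256 token signed with a constructed secret so the
example runs offline; real Keycloak RPTs are RS256 and must be verified
against the realm's public key before their permissions are trusted.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
SECRET = b"constructed-example-secret"          # assumption: not a real key
TYPED_RESOURCES = {"type-doc": "document"}      # assumption: typed resource -> logical type
ROWS = [                                        # constructed application rows
    {"id": 1, "type": "document", "rsid": "doc-1"},
    {"id": 2, "type": "document", "rsid": "doc-2"},
    {"id": 3, "type": "invoice", "rsid": "inv-3"},
    {"id": 4, "type": "invoice", "rsid": "inv-4"},
]


def build_rpt_request(audience, resource_id=None, scope=None):
    """Return (form_dict, urlencoded_body) for a POST to the token endpoint.

    With no resource_id Keycloak evaluates "all" permissions (resources owned
    by the user, by the resource server, or shared via UMA tickets); with a
    resource_id it evaluates that one resource, which is how to check a
    resource owned by another user.
    """
    form = {"grant_type": UMA_GRANT, "audience": audience}
    if resource_id:
        form["permission"] = f"{resource_id}#{scope}" if scope else resource_id
    return form, urlencode(form)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a constructed RPT (HS256 stand-in for Keycloak's RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def rpt_permissions(token: str, secret: bytes) -> list:
    """Verify the signature, then return the 'authorization.permissions' claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad RPT signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload))
    return claims.get("authorization", {}).get("permissions", [])


def rpt_is_valid(token: str, secret: bytes) -> bool:
    try:
        rpt_permissions(token, secret)
        return True
    except ValueError:
        return False


def _allows(scopes, scope):
    # Keycloak omits "scopes" from an entry when the whole resource is granted.
    return scopes is None or scope in scopes


def accessible_objects(permissions, typed_resources, rows, scope):
    """Ids of rows the RPT holder may access with `scope`."""
    granted = {p["rsid"]: p.get("scopes") for p in permissions}
    # A grant on the typed resource covers every row of that logical type.
    types_ok = {typed_resources[rsid] for rsid, scopes in granted.items()
                if rsid in typed_resources and _allows(scopes, scope)}
    return [r["id"] for r in rows
            if r["type"] in types_ok
            or (r["rsid"] in granted and _allows(granted[r["rsid"]], scope))]


def demo_admin():
    # Admin RPT: the typed resource is granted with all scopes (no "scopes" key).
    token = sign_hs256({"authorization": {"permissions": [
        {"rsid": "type-doc", "rsname": "Document Resource"}]}}, SECRET)
    return accessible_objects(rpt_permissions(token, SECRET), TYPED_RESOURCES, ROWS, "view")


def demo_owner():
    # Owner RPT: her own invoice with two scopes, plus doc-2 shared via UMA (view only).
    token = sign_hs256({"authorization": {"permissions": [
        {"rsid": "inv-3", "scopes": ["view", "edit"]},
        {"rsid": "doc-2", "scopes": ["view"]}]}}, SECRET)
    perms = rpt_permissions(token, SECRET)
    return (accessible_objects(perms, TYPED_RESOURCES, ROWS, "view"),
            accessible_objects(perms, TYPED_RESOURCES, ROWS, "edit"))
```

The typed-resource shortcut is only sound if every permission on that type is evaluated by the policy engine for the typed resource itself; a JS policy that reads the owner of the concrete resource (the "User is resource owner" policy above) still has to be checked per resource id, which is what the `permission=<resource_id>#<scope>` request does.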