[keycloak-user] Probable bug in permissions evaluation

David Erie (US) David.Erie at datapath.com
Thu Oct 11 16:30:08 EDT 2018


Hello,
I believe I found a bug in the permissions evaluation engine, and I didn't see anything in JIRA about this. I am running Keycloak 4.3.0.Final.

I configured some permissions such that a user would have access to the read scope on one resource, but not on another. When I evaluate permissions on each of the resources and read scope by themselves, they are properly granted and denied, as expected. However, when I evaluate both resources at the same time, the result is wrong, and it depends on the order in which I add the resources. If I add the allowed resource first, then they are both granted, but if I add the forbidden resource first, then they are both denied. What I expected is that one is allowed and the other is denied, regardless of the order I add them to the request.

I have verified this in the admin console and the REST and Java APIs, and it produces the same broken result.

Unless I'm missing something, this is a critical bug that would impact our planned usage of Keycloak.

Thank you,
Dave
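A way to turn the observation above into a repeatable regression check, as an added example that is not part of the original post or of the Keycloak project's own code. It builds the form body that Keycloak's token endpoint accepts for a multi-resource evaluation (UMA grant with `response_mode=permissions`) and then compares the batch result against the per-resource decisions, which must agree regardless of request order. The client id `my-client`, the resource names `docA`/`docB` and the response bodies are constructed assumptions; a real run would send the body with the user's bearer token and feed the HTTP status and JSON into `granted_set`.

```python
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
Perm = Tuple[str, str]  # (resource name, scope)


def build_evaluation_request(client_id: str, permissions: Iterable[Perm]) -> str:
    """Form body for POST /realms/{realm}/protocol/openid-connect/token.

    Every 'permission' field is evaluated in one pass; response_mode=permissions
    returns the granted (resource, scopes) list instead of an RPT.
    """
    fields = [
        ("grant_type", UMA_GRANT),
        ("audience", client_id),
        ("response_mode", "permissions"),
    ]
    fields += [("permission", f"{resource}#{scope}") for resource, scope in permissions]
    return urlencode(fields)


def granted_set(status: int, body: List[dict]) -> Set[Perm]:
    """Flatten a permissions-mode response into {(resource, scope)}.

    A fully denied request comes back as HTTP 403 (access_denied) with no
    permission list, so it flattens to the empty set.
    """
    if status != 200:
        return set()
    return {(entry["rsname"], scope) for entry in body for scope in entry.get("scopes", [])}


def check_batch_consistency(single: Dict[Perm, bool],
                            batches: List[Tuple[List[Perm], Set[Perm]]]) -> List[str]:
    """Compare batch decisions against per-permission decisions.

    single:  decision obtained by evaluating each permission on its own
    batches: (permissions in the order requested, what the batch granted)
    Returns one message per batch that disagrees with the single evaluations;
    an empty list means the evaluation is order-independent.
    """
    expected_grants = {perm for perm, ok in single.items() if ok}
    problems = []
    for order, got in batches:
        expected = expected_grants & set(order)
        if got != expected:
            problems.append(
                f"order {order}: expected granted {sorted(expected)}, got {sorted(got)}"
            )
    return problems


# Constructed data reproducing the symptom described in the post: docA#read is
# allowed and docB#read denied when evaluated alone, but the batch result
# follows whichever resource was listed first.
A, B = ("docA", "read"), ("docB", "read")
SINGLE = {A: True, B: False}
BOTH = [{"rsname": "docA", "scopes": ["read"]}, {"rsname": "docB", "scopes": ["read"]}]


def reported_discrepancies() -> List[str]:
    batches = [
        ([A, B], granted_set(200, BOTH)),  # allowed first -> both granted
        ([B, A], granted_set(403, [])),    # forbidden first -> both denied
    ]
    return check_batch_consistency(SINGLE, batches)


def expected_discrepancies() -> List[str]:
    """What a correct engine yields: exactly docA#read, in either order."""
    only_a = [{"rsname": "docA", "scopes": ["read"]}]
    batches = [([A, B], granted_set(200, only_a)), ([B, A], granted_set(200, only_a))]
    return check_batch_consistency(SINGLE, batches)


if __name__ == "__main__":
    print(build_evaluation_request("my-client", [A, B]))
    for msg in reported_discrepancies():
        print("INCONSISTENT:", msg)
    print("correct engine discrepancies:", expected_discrepancies())
```

Running the check in both orders, and once more per resource on its own, is the smallest set of calls that distinguishes a policy mistake (both single evaluations already wrong) from the order-dependent batch behaviour reported here.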

