[keycloak-user] Problem understanding authorization grants

Pedro Igor Silva psilva at redhat.com
Fri Sep 28 12:22:22 EDT 2018


Hi,

What permissions did you actually get in the token? I'm wondering whether this is
an issue with the evaluation tool report.

Regards.
Pedro Igor

On Fri, Sep 28, 2018 at 1:03 PM Ulrik Sjölin <ulrik.sjolin at gmail.com> wrote:

> Hello,
>
> My name is Ulrik Sjölin and where I work we are currently looking into
> Keycloak (4.4). I have a question regarding permissions and policy
> evaluation.
>
> My very simple setup is like this:
>
> User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read,
> Write, Delete)
> User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
> User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource
> via the Keycloak web UI.
>
> There are 5 scope-based permissions, one for each scope, that allow the
> owner & admin each scope (Only Owner and Administrators Policy). My idea
> here is that the owner of a resource should not have to add the permissions
> on himself to be able to access the resource.
>
> I now run evaluate and I get a surprising result:
>
> Input:
> User JDoe
> Resource: JDoe
> Scope: Any
>
> Output:
> Result
> PERMIT
> Scopes
> Delete
> Admin
> Policies
> Resource owner (jdoe at keycloak.org) grants access to alice at keycloak.org
> decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
> Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
> Granted Scopes: Read.
> Only Owner and Administrators Policy voted to PERMIT .
> Write Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
> Granted Scopes: Write.
> Only Owner and Administrators Policy voted to PERMIT .
> Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS
> decision. Granted Scopes: Delete.
> Only Owner and Administrators Policy voted to PERMIT .
> Admin Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
> Granted Scopes: Admin.
> Only Owner and Administrators Policy voted to PERMIT .
> Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE
> decision. Granted Scopes: Peek.
> Peek resource role policy voted to PERMIT .
> Only Owner and Administrators Policy voted to PERMIT .
>
>
> I would expect JDoe to have full access to his resource since he is the
> owner and all the policies are reporting PERMIT. It is the top DENY that I
> can’t wrap my head around.
> The grants JDoe has given to Alice are removed from his own grants list, is
> this expected behavior? Why do grants to user Alice affect the grants of
> user JDoe?
>
> Best Regards,
>
> Ulrik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
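Pedro's question above ("what permissions did you actually get in the token?") is the right first check: the evaluation tool and the RPT that the token endpoint issues can be compared directly. The script below is an added example, not code from the thread or from the Keycloak project. It builds the UMA token-endpoint request body that asks Keycloak for an RPT (the `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket`, `audience` and `permission=resource#scope` parameters are Keycloak's documented ones), decodes the `authorization.permissions` claim of an RPT into a per-resource scope list, and applies the three Keycloak decision strategies (UNANIMOUS, AFFIRMATIVE, CONSENSUS) to a list of policy votes so the "DENY by UNANIMOUS decision" line in the report can be reproduced. The sample RPT payload is constructed and unsigned for parsing purposes only; a real RPT is signed and must be verified before anything relies on its claims.

```python
"""Inspect which scopes an RPT really grants, and replay Keycloak's decision strategies."""
import base64
import json
import urllib.parse
from typing import Dict, List, Optional

# Constructed sample payload shaped like the "authorization" claim Keycloak puts in an RPT.
# The rsid is a placeholder UUID, not a value from the thread.
SAMPLE_RPT_PAYLOAD = {
    "preferred_username": "jdoe",
    "authorization": {
        "permissions": [
            {
                "rsid": "00000000-0000-0000-0000-000000000001",
                "rsname": "JDoe_Resource",
                "scopes": ["Delete", "Admin"],
            }
        ]
    },
}


def rpt_request_body(client_id: str, resource: Optional[str] = None,
                     scope: Optional[str] = None) -> str:
    """Form body for POST <realm>/protocol/openid-connect/token that asks for an RPT.

    Send it with the user's access token as Bearer authorization. Without a
    "permission" parameter Keycloak evaluates every permission for the audience.
    """
    params = {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": client_id,
    }
    if resource:
        params["permission"] = f"{resource}#{scope}" if scope else resource
    return urllib.parse.urlencode(params)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT from a payload: test fixture only, never accept such tokens."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature (inspection only)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def granted_scopes(token: str) -> Dict[str, List[str]]:
    """Map resource name -> sorted list of scopes the RPT grants on it."""
    perms = decode_jwt_payload(token).get("authorization", {}).get("permissions", [])
    return {p["rsname"]: sorted(p.get("scopes", [])) for p in perms}


def combine(votes: List[str], strategy: str) -> str:
    """Aggregate policy votes the way Keycloak's permission decision strategies do."""
    permits = sum(v == "PERMIT" for v in votes)
    denies = len(votes) - permits
    if strategy == "UNANIMOUS":      # every policy must permit
        return "PERMIT" if votes and denies == 0 else "DENY"
    if strategy == "AFFIRMATIVE":    # at least one policy permits
        return "PERMIT" if permits > 0 else "DENY"
    if strategy == "CONSENSUS":      # more permits than denies
        return "PERMIT" if permits > denies else "DENY"
    raise ValueError(f"unknown strategy {strategy}")


if __name__ == "__main__":
    print(rpt_request_body("my-client", "JDoe_Resource", "Read"))
    print(granted_scopes(make_unsigned_jwt(SAMPLE_RPT_PAYLOAD)))
    # A user policy that names only alice votes DENY for jdoe; under UNANIMOUS that
    # single vote denies the whole "owner grants access to alice" permission.
    print(combine(["DENY"], "UNANIMOUS"), combine(["PERMIT", "DENY"], "AFFIRMATIVE"))
```

If the scopes printed from the real RPT match the evaluation tool (here only Delete and Admin for JDoe), the report is accurate and the place to look is how the per-resource permissions are being combined; if the RPT carries more scopes than the report shows, the report itself is the discrepancy.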

