[keycloak-user] Incorrect UMA Policy Evaluation

Pedro Igor Silva psilva at redhat.com
Wed Jan 2 08:22:07 EST 2019 

Hi Marco,

For user-managed resources and permissions, we are currently returning any
permission granted regardless the scopes being requested. What is causing
this unexpected response when using the "decision" permission mode.

To align the behaviour when not using UMA resources/permissions I've
changed the policy engine to only return the requested scopes, as you
pointed out.

Regarding docs, created https://issues.jboss.org/browse/KEYCLOAK-9186.

Regards.
Pedro Igor

On Thu, Dec 13, 2018 at 5:20 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> I’ve used regular policies / permissions at first, but found that the way
> they are evaluated showed inconsistencies. Unfortunately, neither the
> documentation nor the community were able to give an explanation as to how
> the policy evaluation actually works. I switched to using only UMA
> policies, hoping that this would simplify things. This approach seemed to
> work fine at first, but the results are just as confusing and unpredictable
> as everything I’ve tried before.
>
> The documentation does a good job at explaining how to use Keycloak’s
> authorization services, but the evaluation engine seems to be a magic black
> box. It would be great to have a piece of documentation that explains in
> more detail how the evaluation results I see can be traced back to the
> permissions that I create in Keycloak.
>
>
> From: Geoffrey Cleaves <geoff at opticks.io>
> Date: Thursday, December 13, 2018 at 10:29 AM
> To: "Lamina, Marco" <marco.lamina at sap.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation
>
> Perhaps it's a bug introduced in the release that came out a few days ago.
> Not that many people use it, and I get the impression that not many people
> use Uma policy evaluation.
>
> On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina at sap.com<mailto:
> marco.lamina at sap.com> wrote:
> Just to be 100% certain, I created a test resource with its own resource
> type and tried again. It shows the same behavior. Keycloak’s policy
> enforcement mode is set to “enforcing”.
> I will create a ticket. However, if it ends up being a bug, wouldn’t that
> be a fairly substantial flaw in the policy evaluation engine that should be
> causing problems all over the place in Keycloak systems out there? I’m a
> bit puzzled.
>
>
> From: Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io>>
> Date: Wednesday, December 12, 2018 at 11:32 PM
> To: "Lamina, Marco" <marco.lamina at sap.com<mailto:marco.lamina at sap.com>>
> Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:
> keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation
>
> Also, if you have a resource level permission which grants access, I think
> that includes all scopes, so look into that.
>
> On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io<mailto:
> geoff at opticks.io> wrote:
> From your description it sounds like a bug. I believe there's a setting
> where you instruct KC to enforce permissions or not and if you don't select
> enforce, the default is to grant permission. Make sure you've got the
> correct.
>
> You'll need to open a bug report on Jira with clear steps to reproduce the
> problem.
>
> On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com<mailto:
> marco.lamina at sap.com> wrote:
> Hi,
> I’m using the protection API to manage UMA policies for my Keycloak
> resources. However, I get false-positive results when requesting
> permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID “dataset-42” and two scopes “view” and “delete”.
> I create a UMA policy granting my user “view” access to this resource. If I
> now call the token endpoint (as suggested in [1]) to obtain permissions for
> the “delete” scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> , I get the following (confusing) result:
>
> [{
>         "scopes": ["view"],
>         "rsid": "dataset-42",
>         "rsname": "urn:atlas-api:resources:dataset:42"
>     }]
>
> When setting “response_mode=decision”, I get:
>
> {
>     "result": true
> }
>
> There is no policy that gives my user access to the “delete” scope
> anywhere, so shouldn’t I get a negative result here?
>
> Links:
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list