[keycloak-user] Incorrect UMA Policy Evaluation

Lamina, Marco marco.lamina at sap.com
Wed Jan 2 15:39:25 EST 2019 

Awesome, thanks Pedro!


From: Pedro Igor Silva <psilva at redhat.com>
Date: Wednesday, January 2, 2019 at 5:23 AM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: Geoffrey Cleaves <geoff at opticks.io>, keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Hi Marco,

For user-managed resources and permissions, we are currently returning any permission granted regardless the scopes being requested. What is causing this unexpected response when using the "decision" permission mode.

To align the behaviour when not using UMA resources/permissions I've changed the policy engine to only return the requested scopes, as you pointed out.

Regarding docs, created https://issues.jboss.org/browse/KEYCLOAK-9186.

Regards.
Pedro Igor

On Thu, Dec 13, 2018 at 5:20 PM Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
I’ve used regular policies / permissions at first, but found that the way they are evaluated showed inconsistencies. Unfortunately, neither the documentation nor the community were able to give an explanation as to how the policy evaluation actually works. I switched to using only UMA policies, hoping that this would simplify things. This approach seemed to work fine at first, but the results are just as confusing and unpredictable as everything I’ve tried before.

The documentation does a good job at explaining how to use Keycloak’s authorization services, but the evaluation engine seems to be a magic black box. It would be great to have a piece of documentation that explains in more detail how the evaluation results I see can be traced back to the permissions that I create in Keycloak.


From: Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io>>
Date: Thursday, December 13, 2018 at 10:29 AM
To: "Lamina, Marco" <marco.lamina at sap.com<mailto:marco.lamina at sap.com>>
Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Perhaps it's a bug introduced in the release that came out a few days ago. Not that many people use it, and I get the impression that not many people use Uma policy evaluation.

On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com><mailto:marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak’s policy enforcement mode is set to “enforcing”.
I will create a ticket. However, if it ends up being a bug, wouldn’t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I’m a bit puzzled.


From: Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io><mailto:geoff at opticks.io<mailto:geoff at opticks.io>>>
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco" <marco.lamina at sap.com<mailto:marco.lamina at sap.com><mailto:marco.lamina at sap.com<mailto:marco.lamina at sap.com>>>
Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io><mailto:geoff at opticks.io<mailto:geoff at opticks.io>> wrote:
From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.

On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com><mailto:marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
Hi,
I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
        "scopes": ["view"],
        "rsid": "dataset-42",
        "rsname": "urn:atlas-api:resources:dataset:42"
    }]

When setting “response_mode=decision”, I get:

{
    "result": true
}

There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here?

Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list