[keycloak-user] Conflicting scopes in permissions always gets deny, maybe this should be configurable?

Or Harary (or at myobligo.com)
Fri Jan 4 11:09:20 EST 2019


Hey,

Let's say I want to allow creating custom roles with custom permissions on
scopes (to allow access to multiple resource types and actions). So per
role, I wanted to create a matching permission with the allowed scopes
(resource-type-foo-create, resource-type-bar-create, etc.) and policies
accordingly (role/client/user/group).

So if I have:
Role A
Allowed: foo-create, foo-read, bar-read
Role B
Allowed: foo-read, bar-read

Because they have conflicting scopes, foo-read always gets denied. So as I
see it, it can't be done this way. Maybe there should be a Decision Strategy
for permission evaluation, like the one a single permission has for its policies?

Thanks,
Or
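As an added illustration (not code from the post or from Keycloak), the following toy model reproduces the situation above: two scope permissions that overlap on foo-read and bar-read, a role policy on each, and a configurable strategy for combining the votes of all permissions that govern a scope. The strategy names (unanimous, affirmative, consensus) are borrowed from the ones Keycloak offers for policies inside one permission; the roles, scopes and permission names are constructed for the example. It also shows the usual workaround, splitting the set into one permission per scope so that no two permissions ever vote on the same scope.

```python
"""Toy model of scope-permission evaluation with a cross-permission
decision strategy. Added example, not Keycloak's implementation; all
data below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    name: str
    scopes: frozenset      # scopes this permission governs
    roles: frozenset       # role policy: any listed role satisfies it


# Constructed from the post: role A gets foo-create/foo-read/bar-read,
# role B gets foo-read/bar-read. foo-read and bar-read overlap.
PERMISSIONS = [
    Permission("perm-role-A",
               frozenset({"foo-create", "foo-read", "bar-read"}),
               frozenset({"role-A"})),
    Permission("perm-role-B",
               frozenset({"foo-read", "bar-read"}),
               frozenset({"role-B"})),
]


def evaluate(user_roles, scope, permissions, strategy):
    """Return True if `scope` is granted to a user holding `user_roles`.

    Every permission that governs `scope` casts a vote: GRANT when its
    role policy is satisfied, DENY otherwise. `strategy` decides how the
    votes are combined (hypothetical cross-permission strategy).
    """
    user_roles = frozenset(user_roles)
    votes = [bool(p.roles & user_roles)
             for p in permissions if scope in p.scopes]
    if not votes:
        return False  # no permission covers the scope: deny by default
    if strategy == "unanimous":
        return all(votes)          # one failing permission denies
    if strategy == "affirmative":
        return any(votes)          # one passing permission grants
    if strategy == "consensus":
        return votes.count(True) > votes.count(False)
    raise ValueError(f"unknown strategy {strategy!r}")


def evaluate_all(user_roles, permissions, strategy):
    """Map every scope known to `permissions` to its grant/deny result."""
    scopes = sorted(set().union(*(p.scopes for p in permissions)))
    return {s: evaluate(user_roles, s, permissions, strategy) for s in scopes}


def split_by_scope(permissions):
    """Workaround: one permission per scope, whose role policy accepts any
    role that was allowed that scope. No two permissions then share a
    scope, so the cross-permission strategy no longer matters."""
    roles_by_scope = {}
    for p in permissions:
        for s in p.scopes:
            roles_by_scope.setdefault(s, set()).update(p.roles)
    return [Permission(f"perm-{s}", frozenset({s}), frozenset(roles))
            for s, roles in sorted(roles_by_scope.items())]


if __name__ == "__main__":
    for strategy in ("unanimous", "affirmative", "consensus"):
        print(strategy, "role-A:", evaluate_all({"role-A"}, PERMISSIONS, strategy))
    print("split, role-B:",
          evaluate_all({"role-B"}, split_by_scope(PERMISSIONS), "unanimous"))
```

With the unanimous combination a role-A user is denied foo-read and bar-read even though perm-role-A grants them, because perm-role-B also governs those scopes and its role policy fails; only foo-create, governed by a single permission, is granted. Affirmative gives the intended result, and so does the split layout under either strategy, which is why per-scope permissions with several role policies are the safer modelling choice when the overall strategy is not under your control.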

