[keycloak-user] Conflicting scopes in permissions always gets deny, maybe this should be configurable?
Or Harary
or at myobligo.com
Fri Jan 4 11:09:20 EST 2019
Hey,
Let's say I want to allow creating custom roles with custom permission on
scopes (to allow access to multiple resource types and actions). So per
role, I wanted to create a matching permission with the allowed scopes
(resource-type-foo-create/resource-type-bar-create/etc.) and policies
accordingly (role/client/user/group).
So if I have:
Role A
Allowed: foo-create, foo-read, bar-read
Role B
Allowed: foo-read, bar-read
Because they have conflicting scopes, foo-read always gets denied. So as I
see it, it can't be done this way. Maybe there should be a Decision Strategy
for permissions evaluation, like in a single permission with policies?
Thanks,
Or
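
A simplified model of the setup described in this message, added here as an illustration (it is not Keycloak code and not part of the original post): one scope-based permission per role, each guarded by a role policy, with the per-permission results combined either unanimously or affirmatively. The names `Strategy`, `PERMISSIONS`, `votes`, `evaluate` and `report`, and the combination rules themselves, are assumptions of the example.

```python
from enum import Enum


class Strategy(Enum):
    UNANIMOUS = "unanimous"      # every permission covering the scope must grant
    AFFIRMATIVE = "affirmative"  # one granting permission is enough


# Constructed data mirroring the post: one permission per role.
PERMISSIONS = [
    {"name": "role-a-permission", "role": "A",
     "scopes": {"foo-create", "foo-read", "bar-read"}},
    {"name": "role-b-permission", "role": "B",
     "scopes": {"foo-read", "bar-read"}},
]


def votes(user_roles, scope, permissions=PERMISSIONS):
    """Map each permission covering `scope` to True (grant) or False (deny)."""
    return {p["name"]: p["role"] in user_roles
            for p in permissions if scope in p["scopes"]}


def evaluate(user_roles, scope, strategy, permissions=PERMISSIONS):
    """Combine the per-permission votes for one scope under `strategy`."""
    result = votes(user_roles, scope, permissions)
    if not result:
        return False  # no permission covers the scope: deny by default
    if strategy is Strategy.UNANIMOUS:
        return all(result.values())
    return any(result.values())


def report(user_roles, strategy, permissions=PERMISSIONS):
    """Evaluate every scope that appears in any permission."""
    scopes = sorted(set().union(*(p["scopes"] for p in permissions)))
    return {s: evaluate(user_roles, s, strategy, permissions) for s in scopes}


if __name__ == "__main__":
    for strategy in Strategy:
        # A user holding only Role B: the Role A permission also covers
        # foo-read and votes deny, which decides the unanimous outcome.
        print(strategy.value, report({"B"}, strategy))
```

In this model a user holding only Role B is denied foo-read and bar-read under the unanimous rule, because the Role A permission covers the same scopes and denies, while the affirmative rule grants both and still denies foo-create.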