[keycloak-user] shared UMA 2.0 resource & scope based policies
Lamina, Marco
marco.lamina at sap.com
Tue Jan 15 11:54:43 EST 2019
I've had a similar problem, it might be related to this:
https://issues.jboss.org/browse/KEYCLOAK-9093
On 1/15/19, 7:53 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Lindner" <keycloak-user-bounces at lists.jboss.org on behalf of mareklindner at neomailbox.ch> wrote:
Hi,
I am working on a keycloak setup trying to replicate the photoz example. The
'test' realm is configured as follows:
* UMA enabled
* has a client 'photoz' with Authorization enabled
* 2 authorization scopes: album:view & album:modify
* each scope has a scope-based 'only owner' permission associated (Javascript)
* 2 users: alice and bob
Alice creates a new album resource with the following request:
POST /auth/realms/test/authz/protection/resource_set
{"name": "Amazing sunsets", "owner": "alice", "ownerManagedAccess": "true",
"uri": "/albums/100", "type": "album", "resource_scopes": ["album:view",
"album:modify"]}
Simulating Bob accessing album "Amazing sunsets" using the authorization
evaluation tab returns permission denied for both scopes (view & modify) as
expected.
Now, Alice shares "Amazing sunsets" via the account management interface but
limits the scope to 'view' by sharing 'album:view' only.
Back to evaluating Bob's access:
* Scope album:view on "Amazing sunsets" is granted (yay!).
* Scope album:modify on "Amazing sunsets" is also granted??
Why would Bob get full access if Alice only shared album:view? The evaluation
output even states that the granted album:view access was the reason why
access to album:modify is granted too (see attached screenshot for details).
Does anybody have a suggestion what I am missing here?
Thanks,
Marek
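Added example (not code from the thread or from Keycloak): a small check that compares the scopes Keycloak actually grants a requesting party with the scopes the owner shared, which is the comparison that would flag the album:modify over-grant described above. It assumes Keycloak's token endpoint with response_mode=permissions (grant_type urn:ietf:params:oauth:grant-type:uma-ticket); the sample permissions response and the resource id placeholder are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List


def granted_scopes(permissions: Iterable[dict]) -> Dict[str, set]:
    """Map resource name -> granted scopes, from the JSON array returned by
    response_mode=permissions (the same shape as authorization.permissions in an RPT)."""
    out: Dict[str, set] = {}
    for p in permissions:
        name = p.get("rsname", p.get("rsid", "?"))
        out.setdefault(name, set()).update(p.get("scopes", []))
    return out


def over_granted(permissions: Iterable[dict], shared: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Scopes granted on each resource beyond what the owner shared; {} means no over-grant."""
    result: Dict[str, List[str]] = {}
    for resource, scopes in granted_scopes(permissions).items():
        extra = scopes - set(shared.get(resource, ()))
        if extra:
            result[resource] = sorted(extra)
    return result


def rpt_permissions(rpt: str) -> list:
    """Read authorization.permissions from an RPT payload for inspection only (no signature check)."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("authorization", {}).get("permissions", [])


def request_permissions(token_url: str, client_id: str, access_token: str, permission: str) -> list:
    """Ask Keycloak which scopes it would grant for `permission` ("resource#scope") to the bearer."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": client_id, "permission": permission, "response_mode": "permissions"}).encode()
    req = urllib.request.Request(token_url, data=data, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed sample mirroring the thread: Alice shared only album:view, Bob got album:modify too.
SAMPLE = [{"rsid": "<resource-id placeholder>", "rsname": "Amazing sunsets",
           "scopes": ["album:view", "album:modify"]}]
SHARED = {"Amazing sunsets": ["album:view"]}

if __name__ == "__main__":
    print(over_granted(SAMPLE, SHARED))  # {'Amazing sunsets': ['album:modify']}
```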