[keycloak-user] shared UMA 2.0 resource & scope based policies

Lamina, Marco marco.lamina at sap.com
Tue Jan 15 11:54:43 EST 2019


I've had a similar problem, it might be related to this:

https://issues.jboss.org/browse/KEYCLOAK-9093
 

On 1/15/19, 7:53 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Lindner" <keycloak-user-bounces at lists.jboss.org on behalf of mareklindner at neomailbox.ch> wrote:

    Hi,
    
    I am working on a keycloak setup trying to replicate the photoz example. The 
    'test' realm is configured as follows:
    
    * UMA enabled
    * has a client 'photoz' with Authorization enabled
    * 2 authorization scopes: album:view & album:modify
    * each scope has a scope-based 'only owner' permission associated (Javascript)
    * 2 users: alice and bob
    
    Alice creates a new album resource with the following request:
    
    POST /auth/realms/test/authz/protection/resource_set
    {
      "name": "Amazing sunsets",
      "owner": "alice",
      "ownerManagedAccess": true,
      "uri": "/albums/100",
      "type": "album",
      "resource_scopes": ["album:view", "album:modify"]
    }
    
    Simulating Bob accessing album "Amazing sunsets" using the authorization 
    evaluation tab, returns permission denied for both scopes (view & modify) as 
    expected.
    
    Now, Alice shares "Amazing sunsets" via the account management interface but 
    limits the scope to 'view' by sharing 'album:view' only. 
    
    Back to evaluating Bob's access:
    * Scope album:view on "Amazing sunsets" is granted (yay!).
    * Scope album:modify on "Amazing sunsets" also is granted ??
    
    Why would Bob get full access if Alice only shared album:view? The evaluation 
    output even states that the granted album:view access was the reason why 
    access to album:modify is granted too (see attached screenshot for details).  
    
    Does anybody have a suggestion what I am missing here?
    
    Thanks,
    Marek
    
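The same check, scripted against a live server instead of the evaluation tab, as an added example that is not part of the thread and not Keycloak's or the poster's code. It creates Alice's album through the Protection API with a PAT, then asks the token endpoint for Bob's permissions one scope at a time and reports any scope Bob holds that Alice never shared. It assumes a Keycloak at http://localhost:8080 with the 'test' realm, the confidential client 'photoz' (Authorization and Direct Access Grants enabled) and the users alice and bob from the post; the client secret and Bob's password are placeholders, and the sample RPT at the bottom is constructed for offline inspection only.

```python
"""Scripted version of the sharing check from the thread (added example).

Assumes a local Keycloak with the realm described in the post. BASE, the
client secret and Bob's password are placeholders; only main() touches the
network, the other functions are pure so they can be exercised offline.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth/realms/test"          # assumption: local dev server
TOKEN_URL = BASE + "/protocol/openid-connect/token"
RESOURCE_SET_URL = BASE + "/authz/protection/resource_set"
CLIENT_ID, CLIENT_SECRET = "photoz", "replace-me"         # placeholder secret
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def _post(url, data, bearer=None, content_type="application/x-www-form-urlencoded"):
    """POST raw bytes and parse the JSON reply; raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", content_type)
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def token(fields):
    """Call the token endpoint with form fields and return the parsed reply."""
    return _post(TOKEN_URL, urllib.parse.urlencode(fields).encode())


def album_resource(owner, uri, name="Amazing sunsets"):
    """Body for POST /authz/protection/resource_set, as in the post but with a
    real JSON boolean for ownerManagedAccess."""
    return {
        "name": name,
        "owner": owner,
        "ownerManagedAccess": True,
        "uri": uri,
        "type": "album",
        "resource_scopes": ["album:view", "album:modify"],
    }


def granted_scopes(user_token, resource, scopes):
    """Request each scope separately with response_mode=permissions (the reply is
    the granted permission list, not an RPT) and collect what was granted.
    A 403 means nothing was granted for that scope."""
    granted = set()
    for scope in scopes:
        fields = {"grant_type": UMA_GRANT, "audience": CLIENT_ID,
                  "permission": f"{resource}#{scope}", "response_mode": "permissions"}
        try:
            perms = _post(TOKEN_URL, urllib.parse.urlencode(fields).encode(), bearer=user_token)
        except urllib.error.HTTPError as err:
            if err.code == 403:
                continue
            raise
        for perm in perms:
            if perm.get("rsname") == resource:
                granted.update(perm.get("scopes", []))
    return sorted(granted)


def decode_rpt_permissions(rpt):
    """'authorization.permissions' claim of an RPT you already hold. No signature
    check is done: this inspects a token, it must not be used to trust one."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("authorization", {}).get("permissions", [])


def overgranted(granted, shared):
    """Scopes the requester holds that the owner never shared; [] is the expected result."""
    return sorted(set(granted) - set(shared))


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample RPT carrying the outcome of the post's second
# evaluation (both scopes granted to Bob); for offline use of decode_rpt_permissions.
SAMPLE_RPT = ".".join([
    _b64url({"alg": "none"}),
    _b64url({"authorization": {"permissions": [
        {"rsname": "Amazing sunsets", "scopes": ["album:view", "album:modify"]}]}}),
    "",
])


def main():
    pat = token({"grant_type": "client_credentials",
                 "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})["access_token"]
    _post(RESOURCE_SET_URL, json.dumps(album_resource("alice", "/albums/100")).encode(),
          bearer=pat, content_type="application/json")
    bob = token({"grant_type": "password", "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                 "username": "bob", "password": "bob-password"})["access_token"]  # placeholder
    got = granted_scopes(bob, "Amazing sunsets", ["album:view", "album:modify"])
    print("bob granted:", got)
    # Run once before and once after Alice shares only album:view in the account console;
    # anything listed here after sharing is the over-grant described in the post.
    print("over-granted:", overgranted(got, ["album:view"]))


if __name__ == "__main__":
    main()
```

Run it twice: before sharing, both scopes come back 403 and the granted list is empty; after Alice shares only album:view, a correct setup prints `over-granted: []`, and the behaviour in the post shows up as `['album:modify']`. Requesting the scopes one at a time keeps a denial on one scope from masking a grant on the other.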