[keycloak-user] shared UMA 2.0 resource & scope based policies

Pedro Igor Silva psilva at redhat.com
Wed Jan 16 06:58:30 EST 2019


Now I see. The result is giving a false-positive but the set of granted
permissions should be correct.

To check that, could you click the "Show Authorization Data" link at the top of
the result page and see what the permissions look like in the generated
token? You should see:

  "authorization": {
    "permissions": [
      {
        "scopes": [
          "album:view"
        ],
        "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
        "rsname": "Amazing sunsets"
      }
    ]
  },

On Wed, Jan 16, 2019 at 9:51 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 19:38:45 HKT Pedro Igor Silva wrote:
> > Here it is.
>
> Thanks! The difference between your evaluation test and mine appears to be
> that you tested the shared scope.
>
> To summarize:
> a) Alice does allow Bob to perform album:view.
> b) Alice does not allow Bob to perform album:modify.
>
> When Bob tries to access album:view I'd expect PERMIT whereas when
> album:modify is attempted DENY should be the result. Do we agree?
>
> I attached screenshots for both evaluation attempts. Both (view and modify)
> yield PERMIT. That should not be the case or am I missing something?
>
> Regards,
> Marek
>
>
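
The check discussed in this message can also be run against the token itself. The following is an added example, not part of the original thread and not Keycloak's own code: it reads the `authorization.permissions` claim shown above and reports which scopes are granted on a resource. The sample token, the function names and the placeholder signature are constructed for illustration, and the signature is not verified, so this inspects a token rather than enforcing access.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_scopes(token: str, resource: str) -> set:
    """Scopes the token grants on a resource, matched by rsid or rsname.

    Reads claims only; the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    scopes = set()
    for perm in claims.get("authorization", {}).get("permissions", []):
        if resource in (perm.get("rsid"), perm.get("rsname")):
            # Assumption of this example: an entry without "scopes" adds none.
            scopes.update(perm.get("scopes", []))
    return scopes


def is_granted(token: str, resource: str, scope: str) -> bool:
    return scope in granted_scopes(token, resource)


def make_sample_token(claims: dict) -> str:
    # Constructed token with a placeholder signature, for offline demonstration.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


# Claims copied from the permission block quoted in this message.
SAMPLE_CLAIMS = {"authorization": {"permissions": [{
    "scopes": ["album:view"],
    "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
    "rsname": "Amazing sunsets",
}]}}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    for scope in ("album:view", "album:modify"):
        verdict = "PERMIT" if is_granted(SAMPLE_TOKEN, "Amazing sunsets", scope) else "DENY"
        print(scope, verdict)
```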

