[keycloak-user] shared UMA 2.0 resource & scope based policies

Marek Lindner mareklindner at neomailbox.ch
Wed Jan 16 07:31:14 EST 2019


On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> Thanks. I think we are on the same page then. Created
> https://issues.jboss.org/browse/KEYCLOAK-9337.
> 
> Please, for now, ignore that result and consider the set of the actual
> granted permissions.

Thanks for opening that bug. However, let me point out that this issue is not 
limited to the evaluation tool. The UMA policy API evaluation is affected too. 
Here is the call for checking permissions:

POST /auth/realms/test/protocol/openid-connect/token
grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
&permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
&audience=photoz&response_mode=decision

returns: {"result":true}

Haven't tested RPT tickets but it is somewhat reasonable to assume those
are affected too. Looks like the policy logic is fine with any scope shared
to grant permission for all scopes.

Regards,
Marek
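As an added illustration (not part of this thread or of Keycloak itself), the helper below follows the advice given earlier in the thread: request `response_mode=permissions` instead of the bare `decision` and check whether the requested scope is actually present for the resource. The `rsid`/`scopes` field names of the permissions response and the sample response are assumptions.

```python
import json
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_uma_request(resource_id: str, scope: str, audience: str,
                      response_mode: str = "permissions") -> str:
    """Form-encode the token request body from the mail, defaulting to
    response_mode=permissions so the granted scopes are returned explicitly."""
    return urlencode({
        "grant_type": UMA_TICKET_GRANT,
        "permission": f"{resource_id}#{scope}",
        "audience": audience,
        "response_mode": response_mode,
    })


def scope_granted(permissions_json: str, resource_id: str, scope: str) -> bool:
    """Return True only if `scope` is listed for `resource_id` in the
    permissions response. A true/false decision result is never consulted,
    so a decision that wrongly says true for a non-shared scope is ignored."""
    try:
        perms = json.loads(permissions_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(perms, list):  # e.g. {"result": true} is not a permission list
        return False
    for entry in perms:
        if not isinstance(entry, dict):
            continue
        # Assumed Keycloak field names: rsid = resource id, scopes = granted scopes
        if entry.get("rsid") == resource_id and scope in entry.get("scopes", []):
            return True
    return False


# Constructed sample (assumption): the server reports only album:view as granted.
RESOURCE_ID = "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b"
SAMPLE_PERMISSIONS = json.dumps([
    {"rsid": RESOURCE_ID, "rsname": "Album", "scopes": ["album:view"]},
])

if __name__ == "__main__":
    print(build_uma_request(RESOURCE_ID, "album:modify", "photoz"))
    print(scope_granted(SAMPLE_PERMISSIONS, RESOURCE_ID, "album:view"))    # True
    print(scope_granted(SAMPLE_PERMISSIONS, RESOURCE_ID, "album:modify"))  # False
```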