[keycloak-user] shared UMA 2.0 resource & scope based policies

Pedro Igor Silva psilva at redhat.com
Wed Jan 16 07:37:18 EST 2019


Now you are talking about https://github.com/keycloak/keycloak/pull/5833,
which is related to the "decision" response mode returning a
false positive. However, both RPT and the "permissions" response mode return
the correct permissions.

On Wed, Jan 16, 2019 at 10:31 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> > Thanks. I think we are on the same page then. Created
> > https://issues.jboss.org/browse/KEYCLOAK-9337.
> >
> > Please, for now, ignore that result and consider the set of the actual
> > granted permissions.
>
> Thanks for opening that bug. However, let me point out that this issue is
> not limited to the evaluation tool. The UMA policy API evaluation is
> affected too.
> Here is the call for checking permissions:
>
> POST /auth/realms/test/protocol/openid-connect/token
> grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
> &permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
> &audience=photoz&response_mode=decision
>
> returns: {"result":true}
>
> Haven't tested RPT tickets but it is somewhat reasonable to assume those
> are affected too. Looks like the policy logic is fine with any scope shared
> to grant permission for all scopes.
>
> Regards,
> Marek
>
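As an added example (not code from this thread or from Keycloak), a small Python cross-check that treats the "permissions" response mode as authoritative and flags a "decision" answer it does not back up, which is how a client can guard against the false positive discussed above until the fix lands. The token endpoint URL, bearer token, and the `album:view` scope in the sample response are constructed; the resource id, `album:modify` scope and `photoz` audience are the ones from the quoted request.

```python
"""Cross-check Keycloak UMA 'decision' vs 'permissions' response modes."""
import json
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Values taken from the request quoted in the thread.
RESOURCE_ID = "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b"
AUDIENCE = "photoz"
# Constructed endpoint (hypothetical host; realm 'test' as in the thread).
TOKEN_ENDPOINT = "https://sso.example/auth/realms/test/protocol/openid-connect/token"


def permission_param(resource_id, scope):
    """Build the resource#scope value the 'permission' parameter expects."""
    return f"{resource_id}#{scope}"


def request_permissions(access_token, permission, response_mode):
    """POST the UMA ticket grant for one permission (needs a live server)."""
    body = urllib.parse.urlencode({
        "grant_type": UMA_TICKET_GRANT,
        "permission": permission,
        "audience": AUDIENCE,
        "response_mode": response_mode,
    }).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def scope_actually_granted(permissions_response, resource_id, scope):
    """True only if the 'permissions' response lists that scope on that resource."""
    return any(entry.get("rsid") == resource_id and scope in entry.get("scopes", [])
               for entry in permissions_response)


def decision_is_false_positive(decision_response, permissions_response, resource_id, scope):
    """A 'decision' of true that the granted permission set does not support."""
    return bool(decision_response.get("result")) and not scope_actually_granted(
        permissions_response, resource_id, scope)


# Constructed sample answers: 'decision' says yes, but only album:view was shared.
SAMPLE_DECISION = {"result": True}
SAMPLE_PERMISSIONS = [{"rsid": RESOURCE_ID, "rsname": "album", "scopes": ["album:view"]}]

if __name__ == "__main__":
    print(decision_is_false_positive(SAMPLE_DECISION, SAMPLE_PERMISSIONS,
                                     RESOURCE_ID, "album:modify"))  # True
```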

