The evaluator can't be different than what is returned in the
RPT, otherwise, what is the point of the evaluator?
On 4/1/17 2:19 PM, Pedro Igor Silva wrote:
The evaluator may give you this output. But what about the permissions
you got in the token (that 'Show Authorization Data' link on top of
the result page)? If you got PERMIT for a scope you should see it in
the token.
On Sat, Apr 1, 2017 at 1:20 PM, Bill Burke <bburke(a)redhat.com> wrote:
So all permissions must pass when evaluating a resource/scope
authorization? Just did some testing in admin console. I have 2
permissions. I used the policy evaluator for a resource/scope combo.
One permission passes, the other fails. Evaluator result is DENY:
Result
*DENY*

Scopes
No scopes available.

Policies
# *map.role.permission.realm-management.manage-authorization* was *PERMIT* by *UNANIMOUS* decision.
  * *role.policy.realm-managementmanage-users* to *PERMIT*.
  * *role.policy.realm-managementmanage-authorization* to *PERMIT*.
# *role-mapper-permission* was *DENY* by *UNANIMOUS* decision.
  * *role-mapper* to *DENY*.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev