[keycloak-dev] UMA2.0 & Policy permission evaluations for RPTs

I encountered this late last week and created a JIRA for it, but in retrospect I should probably have brought it up on the list as well. https://issues.jboss.org/browse/KEYCLOAK-8134 briefly, for a uma 2.0 managed realm, I am seeing inconsistent behavior when getting an RPT. When I request an RPT for the uma grant type (urn:ietf:params:oauth:grant-type:uma-ticket) the policy/permissions are not evaluated unless I specify some combination of resources/scopes for the permission parameter(s). I was expecting an unfiltered RPT to come back with permissions that are specifically granted by policy as well as those granted by UMA2. As it is, I have worked around it by specifying all of the "scope permissions's" scopes (without resources) in the permission params. e.g. ...&permission=#edit&permission=#view&permission=#owner I am encountering this on 4.1.0.Final and it appears to be present in latest (4.3.0.Final) Is this expected behavior? -- Gary Schulte I Software Engineer OpenGov 505-750-4279 gary.schulte(a)opengov.com www.opengov.com Silicon Valley <https://www.google.com/maps/place/OpenGov+Inc/@37.4859652,-122.2121292,15... | Washington DC <https://www.google.com/maps/place/1875+Connecticut+Ave+NW,+Washington,+DC... <https://www.google.com/maps/place/1875+Connecticut+Ave+NW,+Washington,+DC... <https://www.linkedin.com/company/opengov-inc> <https://www.facebook.com/opengovinc>