Re: [keycloak-dev] UMA2.0 & Policy permission evaluations for RPTs

I encountered this late last week and created a JIRA for it, but in retrospect I should probably have brought it up on the list as well. https://issues.jboss.org/browse/KEYCLOAK-8134 briefly, for a uma 2.0 managed realm, I am seeing inconsistent behavior when getting an RPT. When I request an RPT for the uma grant type (urn:ietf:params:oauth:grant-type:uma-ticket) the policy/permissions are not evaluated unless I specify some combination of resources/scopes for the permission parameter(s). I was expecting an unfiltered RPT to come back with permissions that are specifically granted by policy as well as those granted by UMA2. As it is, I have worked around it by specifying all of the "scope permissions's" scopes (without resources) in the permission params. e.g. ...&permission=#edit&permission=#view&permission=#owner I am encountering this on 4.1.0.Final and it appears to be present in latest (4.3.0.Final) Is this expected behavior? -- Gary Schulte I Software Engineer OpenGov 505-750-4279 gary.schulte(a)opengov.com www.opengov.com Silicon Valley <https://www.google.com/maps/place/OpenGov+Inc/@37.4859652, -122.2121292,15z/data=!4m2!3m1!1s0x0:0xb84d4c3f06ecd893> | Washington DC <https://www.google.com/maps/place/1875+Connecticut+Ave+NW, +Washington,+DC+20009/(a)38.915617,-77.0474907,17z/data=!3m1!4b1!4m2!3m1! 1s0x89b7b7cf85e25661:0x932fc62149d9247f> <https://www.google.com/maps/place/1875+Connecticut+Ave+NW, +Washington,+DC+20009/(a)38.915617,-77.0474907,17z/data=!3m1!4b1!4m2!3m1! 1s0x89b7b7cf85e25661:0x932fc62149d9247f> <https://www.linkedin.com/company/opengov-inc> <https://www.facebook.com/opengovinc> _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev