Hi Gary,
This is not the expected behavior. When obtaining all permissions (no
permission/ticket parameter set) the server will match resources
according to:
* Resources where the owner is the *resource server* itself
* Resources where the owner is the *user* represented by the access/ID
token you sent as a bearer to the token endpoint
* Resources where the *user* was granted access through async
authorization based on the UMA flow (the owner has approved access via the
account service, for instance)
Do the resources you are expecting match any of these conditions?
Regards.
Pedro Igor
On Mon, Aug 27, 2018 at 2:30 PM, Gary Schulte <gary.schulte(a)opengov.com>
wrote:
I encountered this late last week and created a JIRA for it, but in
retrospect I should probably have brought it up on the list as well.
https://issues.jboss.org/browse/KEYCLOAK-8134
Briefly, for a UMA 2.0 managed realm, I am seeing inconsistent behavior
when getting an RPT. When I request an RPT for the uma grant type
(urn:ietf:params:oauth:grant-type:uma-ticket) the policy/permissions are
not evaluated unless I specify some combination of resources/scopes for the
permission parameter(s).
I was expecting an unfiltered RPT to come back with permissions that are
specifically granted by policy as well as those granted by UMA2. As it is,
I have worked around it by specifying all of the "scope permissions'"
scopes (without resources) in the permission params. e.g.
...&permission=#edit&permission=#view&permission=#owner
I am encountering this on 4.1.0.Final and it appears to be present in
latest (4.3.0.Final).
Is this expected behavior?
--
Gary Schulte I Software Engineer
OpenGov
505-750-4279
gary.schulte(a)opengov.com
www.opengov.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
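
Added example (not part of the thread and not Keycloak project code): one way to compare the unfiltered RPT request with the scope-only workaround and list the permissions that only the filtered RPT carries. The audience "my-resource-server", the resource names and the unsigned sample tokens are constructed; the authorization.permissions claim with rsname/scopes is assumed to be the RPT layout in use.

```python
import base64
import json
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def rpt_request_body(audience, permissions=()):
    """Token endpoint form body; no permission params means 'all permissions'."""
    params = [("grant_type", UMA_GRANT), ("audience", audience)]
    params += [("permission", p) for p in permissions]
    return urlencode(params)  # '#' in scope-only permissions becomes %23

def rpt_permissions(rpt):
    """Map resource name -> scopes from the RPT payload.
    Inspection only: the signature is NOT verified here."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    perms = claims.get("authorization", {}).get("permissions", [])
    return {p.get("rsname", p.get("rsid")): set(p.get("scopes", [])) for p in perms}

def missing_permissions(unfiltered, filtered):
    """Permissions the filtered RPT grants that the unfiltered RPT lacks."""
    missing = {}
    for name, scopes in filtered.items():
        gap = scopes - unfiltered.get(name, set())
        if name not in unfiltered or gap:
            missing[name] = gap
    return missing

def fake_rpt(permissions):
    """Constructed, unsigned stand-in for a server-issued RPT (sample data)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"authorization": {"permissions": permissions}}
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])

# Constructed sample responses mirroring the report: the unfiltered RPT
# omits a policy-granted resource that the scope-filtered RPT includes.
UNFILTERED = fake_rpt([{"rsname": "Default Resource", "scopes": ["view"]}])
FILTERED = fake_rpt([
    {"rsname": "Default Resource", "scopes": ["view"]},
    {"rsname": "Budget Report", "scopes": ["edit", "view"]},
])

if __name__ == "__main__":
    print(rpt_request_body("my-resource-server"))
    print(rpt_request_body("my-resource-server", ["#edit", "#view", "#owner"]))
    print(missing_permissions(rpt_permissions(UNFILTERED), rpt_permissions(FILTERED)))
```

A non-empty result for a resource that meets one of the three ownership conditions in the reply is the discrepancy described in KEYCLOAK-8134.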