Re: [keycloak-user] Incorrect UMA Policy Evaluation

Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak’s policy enforcement mode is set to “enforcing”. I will create a ticket. However, if it ends up being a bug, wouldn’t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I’m a bit puzzled. *From: *Geoffrey Cleaves <geoff(a)opticks.io&gt; *Date: *Wednesday, December 12, 2018 at 11:32 PM *To: *"Lamina, Marco" <marco.lamina(a)sap.com&gt; *Cc: *keycloak-user <keycloak-user(a)lists.jboss.org&gt; *Subject: *Re: [keycloak-user] Incorrect UMA Policy Evaluation Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that. On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff(a)opticks.io wrote: From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct. You'll need to open a bug report on Jira with clear steps to reproduce the problem. On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina(a)sap.com wrote: Hi, I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Example: I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting: response_mode=permissions permission=dataset-42#delete , I get the following (confusing) result: [{ "scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42" }] When setting “response_mode=decision”, I get: { "result": true } There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user