Hello,
I believe I found a bug in the permissions evaluation engine, and I didn't see
anything in JIRA about this. I am running Keycloak 4.3.0.Final.
I configured some permissions such that a user would have access to the read scope on one
resource, but not on another. When I evaluate permissions on each of the resources and
read scope by themselves, they are properly granted and denied, as expected. However, when
I evaluate both resources at the same time, the result is wrong, and it depends on the
order in which I add the resources. If I add the allowed resource first, then they are
both granted, but if I add the forbidden resource first, then they are both denied. What I
expected is that one is allowed and the other is denied, regardless of the order I add
them to the request.
I have verified this in the admin console and the REST and Java APIs, and it produces the
same broken result.
Unless I'm missing something, this is a critical bug that would impact our planned
usage of Keycloak.
Thank you,
Dave
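
Added example, not part of the original message and not Keycloak code: a differential check that compares a batch permission evaluation against per-permission decisions under every ordering of the request. The policy table, the resource names and `evaluate_batch_flawed` (a toy stand-in that only mimics the reported symptom) are constructed for illustration.

```python
from itertools import permutations

# Constructed policy table (assumption, not from the post): (resource, scope) -> allowed?
POLICY = {("resource-a", "read"): True, ("resource-b", "read"): False}

def evaluate_one(resource, scope):
    """Reference decision: each permission is judged on its own, default deny."""
    return POLICY.get((resource, scope), False)

def evaluate_batch_flawed(requests):
    """Toy stand-in mimicking the reported symptom: the decision for the
    first permission in the request is applied to every permission."""
    if not requests:
        return {}
    first = evaluate_one(*requests[0])
    return {req: first for req in requests}

def evaluate_batch_correct(requests):
    """Batch evaluation that keeps a separate decision per permission."""
    return {req: evaluate_one(*req) for req in requests}

def order_dependence(batch_eval, requests):
    """Run batch_eval over every ordering of `requests` and return mismatches.

    Each mismatch is (ordering, permission, batch_decision, expected), where
    expected is the decision for that permission evaluated by itself.
    """
    expected = {req: evaluate_one(*req) for req in requests}
    mismatches = []
    for ordering in permutations(requests):
        result = batch_eval(list(ordering))
        for req in ordering:
            if result[req] != expected[req]:
                mismatches.append((ordering, req, result[req], expected[req]))
    return mismatches

REQUESTS = [("resource-a", "read"), ("resource-b", "read")]

if __name__ == "__main__":
    for name, fn in [("flawed", evaluate_batch_flawed),
                     ("correct", evaluate_batch_correct)]:
        found = order_dependence(fn, REQUESTS)
        print(f"{name}: {len(found)} mismatch(es)")
        for ordering, req, got, want in found:
            print(f"  order={ordering} {req}: got {got}, expected {want}")
```

To use the same check against a real authorization server, replace the two evaluator functions with calls to its evaluation API and keep `order_dependence` as a regression test.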