On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
Thanks. I think we are on the same page then. Created
https://issues.jboss.org/browse/KEYCLOAK-9337.
Please, for now, ignore that result and consider the set of the actual
granted permissions.
Thanks for opening that bug. However, let me point out that this issue is not
limited to the evaluation tool. The UMA policy API evaluation is affected too.
Here is the call for checking permissions:
POST /auth/realms/test/protocol/openid-connect/token
grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
&permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
&audience=photoz&response_mode=decision
returns: {"result":true}
Haven't tested RPT tickets but it is somewhat reasonable to assume those
are affected too. Looks like the policy logic is fine with any scope shared
to grant permission for all scopes.
Regards,
Marek
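As an added illustration of the check Marek describes (not code from the thread or from Keycloak), the script below builds a UMA decision request with one permission parameter per scope and then asks for each scope on its own, comparing the server's answer against the set of actually granted permissions. Any scope the server approves that is not actually granted is reported, which is exactly the symptom above (album:modify approved because another scope on the same resource is granted). The decision functions are constructed stand-ins that mimic the reported and the expected behaviour; the resource id and audience are taken from the request in the mail, and the helper names are assumptions.

```python
from typing import Callable, Dict, List, Set
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
RESOURCE = "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b"   # resource id from the mail
AUDIENCE = "photoz"                                  # client id from the mail


def build_decision_request(resource_id: str, scopes: List[str], audience: str) -> str:
    """Form body for POST /auth/realms/<realm>/protocol/openid-connect/token.

    The permission parameter is repeated once per scope so that each scope is
    named explicitly; response_mode=decision asks only for {"result": true|false}.
    (Hypothetical helper, not a Keycloak API.)
    """
    params = [("grant_type", UMA_GRANT)]
    params += [("permission", f"{resource_id}#{scope}") for scope in scopes]
    params += [("audience", audience), ("response_mode", "decision")]
    return urlencode(params)


def parse_decision(body: dict) -> bool:
    """True only when the endpoint answered {"result": true}."""
    return body.get("result") is True


def check_scope_isolation(
    decide: Callable[[str, str], bool],
    resource_id: str,
    requested: List[str],
    actually_granted: Set[str],
) -> List[str]:
    """Evaluate each scope separately and return the scopes the server approves
    although they are not in the set of actually granted permissions."""
    over_granted = []
    for scope in requested:
        if decide(resource_id, scope) and scope not in actually_granted:
            over_granted.append(scope)
    return over_granted


# Constructed sample state: the user holds only album:view on the resource.
GRANTED: Dict[str, Set[str]] = {RESOURCE: {"album:view"}}


def buggy_decide(resource_id: str, scope: str) -> bool:
    """Constructed stand-in for the behaviour reported in the mail: any shared
    scope on the resource makes the evaluation approve every scope."""
    return bool(GRANTED.get(resource_id))


def correct_decide(resource_id: str, scope: str) -> bool:
    """Constructed stand-in for the expected behaviour: only the requested
    scope itself counts."""
    return scope in GRANTED.get(resource_id, set())


if __name__ == "__main__":
    print(build_decision_request(RESOURCE, ["album:modify"], AUDIENCE))
    wanted = ["album:view", "album:modify"]
    print("reported:", check_scope_isolation(buggy_decide, RESOURCE, wanted, GRANTED[RESOURCE]))
    print("expected:", check_scope_isolation(correct_decide, RESOURCE, wanted, GRANTED[RESOURCE]))
```

Against a live server, `decide` would be a small wrapper that POSTs `build_decision_request(...)` with the user's bearer token and feeds the JSON reply to `parse_decision`; a non-empty list from `check_scope_isolation` is the regression signal for this bug.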