Also, if you have a resource-level permission which grants access, I think
that includes all scopes, so look into that.
On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff(a)opticks.io> wrote:
From your description it sounds like a bug. I believe there's a setting
where you instruct KC to enforce permissions or not, and if you don't select
enforce, the default is to grant permission. Make sure you've got the
correct.
You'll need to open a bug report on Jira with clear steps to reproduce the
problem.
On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina(a)sap.com> wrote:
> Hi,
> I’m using the protection API to manage UMA policies for my Keycloak
> resources. However, I get false-positive results when requesting
> permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID “dataset-42” and two scopes “view” and
> “delete”. I create a UMA policy granting my user “view” access to this
> resource. If I now call the token endpoint (as suggested in [1]) to obtain
> permissions for the “delete” scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> I get the following (confusing) result:
>
> [{
> "scopes": ["view"],
> "rsid": "dataset-42",
> "rsname": "urn:atlas-api:resources:dataset:42"
> }]
>
> When setting “response_mode=decision”, I get:
>
> {
> "result": true
> }
>
> There is no policy that gives my user access to the “delete” scope
> anywhere, so shouldn’t I get a negative result here?
>
> Links:
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
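The client-side check the thread points at, as an added example that is neither Marco's code nor part of Keycloak: build the UMA token-endpoint request for one resource#scope, then test the response_mode=permissions payload for the scope that was actually asked for instead of trusting a bare decision. The audience value "atlas-api" is an assumed resource-server client id; the sample response is constructed from the one reported above.

```python
import json
from urllib.parse import urlencode

# Keycloak's UMA grant type; "permissions" and "decision" are the two response
# modes discussed in the thread.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(audience, rsid, scope=None, response_mode="permissions"):
    """Form-encoded body for the token endpoint asking for rsid (and one scope).

    'audience' is the resource server's client id (assumed value, supplied by caller).
    """
    if scope is not None and "#" in scope:
        raise ValueError("scope must not contain '#'")
    return urlencode({
        "grant_type": UMA_GRANT,
        "audience": audience,
        "permission": f"{rsid}#{scope}" if scope else rsid,
        "response_mode": response_mode,
    })


def scope_granted(permissions_json, rsid, scope):
    """True only if the permissions payload lists 'scope' under the entry for 'rsid'.

    The thread's decision response was 'true' for a scope no policy granted, so
    the granted scopes are checked explicitly. An entry with no 'scopes' list is
    deliberately not treated as granting the requested scope.
    """
    entries = json.loads(permissions_json) if isinstance(permissions_json, str) else permissions_json
    for entry in entries:
        if entry.get("rsid") == rsid and scope in entry.get("scopes", []):
            return True
    return False


# Constructed sample: the response_mode=permissions result reported in the thread.
SAMPLE_RESPONSE = (
    '[{"scopes": ["view"], "rsid": "dataset-42", '
    '"rsname": "urn:atlas-api:resources:dataset:42"}]'
)

if __name__ == "__main__":
    print(build_permission_request("atlas-api", "dataset-42", "delete"))
    print("delete granted:", scope_granted(SAMPLE_RESPONSE, "dataset-42", "delete"))  # False
    print("view granted:", scope_granted(SAMPLE_RESPONSE, "dataset-42", "view"))  # True
```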