8:52 a.m.
Hello,
This is my first post on this mailing list, and I've been evaluating Keycloak for a
couple of days.
I've been unable to get Authorization to work the way I thought it should. Maybe
I've not understood it right, and could do with some help. I am using the builtin
Evaluation tool to check.
Here's my scenario:
I have a web based application, where we have typical CRUD operations being performed.
For e.g. the application maintains a list of Source from which we expect to receive data.
Users have the ability to add, edit, view or delete a Source, provided the Sources belong
to their Business Unit. Here's what I did in Keycloak.
- Created Source as a resource, with the 4 actions as scopes (add, edit, view and
delete).
- Added a Role based Policy to a role called "ViewOnly"
- The ViewOnly role is mapped to users.
- Created a Scope based permission, where View is the only scope on the resource, attached
to the ViewOnly policy.
Now, when I use the evaluation tool for scope "View", I get a permit, which is
as expected.
I then check the evaluation tool for scope "Delete", I get a a message
"Could not obtain any result for the given authorization request. Check if the
provided resource(s) or scope(s) are associated with any policy." Is this as
expected? Isn't this supposed to return a Deny since the Policy Enforcement Mode on
the realm is "Enforcing". Is this just a UI message, indicating the same as a
Deny?
Now, I add Delete as a scope to the same permission, and check on Delete scope in the
evaluation tool, but I continue to get the same message as above. Shouldn't I be
receiving a PERMIT now, as the same permission was modified to include the Delete Scope?
The summary is that if I have more than one scope added to the permission, the evaluation
tool returns this message. If I have only one scope in a policy, it works for me.
What am I missing?
Regards, Ushanas.
This message is for the named person's use only. It may contain confidential,
proprietary or legally privileged information. No confidentiality or privilege is waived
or lost by any mis-transmission. If you receive this message in error, please immediately
delete it and all copies of it from your system, destroy any hard copies of it and notify
the sender. You must not, directly or indirectly, use, disclose, distribute, print, or
copy any part of this message if you are not the intended recipient. Viteos Capital Market
Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail
communications through its networks. Any views expressed in this message are those of the
individual sender, except where the message states otherwise and the sender is authorized
to state them to be the views of any such entity