Due to the bugs you and Marco are discussing, you should not use
response_mode=decision but instead need to examine the scopes that are
returned in the token.
On Wed, 16 Jan 2019 at 13:36, Marek Lindner <mareklindner(a)neomailbox.ch> wrote:
On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> Thanks. I think we are on the same page then. Created
> https://issues.jboss.org/browse/KEYCLOAK-9337.
>
> Please, for now, ignore that result and consider the set of the actual
> granted permissions.
Thanks for opening that bug. However, let me point out that this issue is
not limited to the evaluation tool. The UMA policy API evaluation is affected
too.
Here is the call for checking permissions:
POST /auth/realms/test/protocol/openid-connect/token
grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
&permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
&audience=photoz&response_mode=decision
returns: {"result":true}
Haven't tested RPT tickets but it is somewhat reasonable to assume those
are affected too. Looks like the policy logic is fine with any scope shared
to grant permission for all scopes.
Regards,
Marek
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Regards,
Geoffrey Cleaves
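As an added example (not code from this thread, from Geoffrey, or from the Keycloak project), here is how a resource server can follow the advice at the top of the thread: instead of trusting a response_mode=decision answer, decode the RPT and check that the requested resource#scope is actually among the granted scopes. The resource id and the "photoz" audience are the ones quoted in the thread; the resource name, the granted scope list and the unsigned token layout are constructed for the demo, and the authorization claim is shaped like the one Keycloak puts in an RPT. Signature, expiry and audience verification of the real token is assumed to happen before this check and is not shown.

```python
import base64
import json

# Resource id and audience are the ones quoted in the thread; everything else
# (resource name, granted scope list, token header) is constructed for this demo.
RESOURCE_ID = "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_demo_rpt() -> str:
    """Constructed, UNSIGNED token with the shape of a Keycloak RPT.

    A real RPT is a signed JWT; the resource server must verify the
    signature, expiry and audience before trusting any claim in it.
    That verification is assumed to happen elsewhere and is not shown.
    """
    header = {"typ": "JWT", "alg": "DEMO-UNSIGNED"}  # placeholder, demo only
    payload = {
        "aud": "photoz",
        "authorization": {
            "permissions": [
                {
                    "rsid": RESOURCE_ID,
                    "rsname": "demo-album",      # constructed name
                    "scopes": ["album:view"],    # album:modify was NOT granted
                }
            ]
        },
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "",  # empty signature segment, demo only
    ])


def rpt_payload(token: str) -> dict:
    """Return the decoded claims of a JWT (signature handling is out of scope)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(payload: dict) -> dict:
    """Map resource id -> set of scopes actually granted in the RPT."""
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        granted.setdefault(perm["rsid"], set()).update(perm.get("scopes", []))
    return granted


def parse_permission(param: str):
    """Split a 'resource#scope' value as sent in the `permission` parameter."""
    rsid, sep, scope = param.partition("#")
    return rsid, (scope if sep else None)


def has_permission(payload: dict, param: str) -> bool:
    """Scope-aware check: the requested scope must be in the granted set."""
    rsid, scope = parse_permission(param)
    scopes = granted_scopes(payload).get(rsid)
    if scopes is None:
        return False
    return True if scope is None else scope in scopes


def resource_only_check(payload: dict, param: str) -> bool:
    """Coarse check that ignores scopes: true if any permission on the
    resource was granted. It mirrors the over-permissive behaviour the
    thread describes and exists only to contrast with has_permission."""
    rsid, _ = parse_permission(param)
    return rsid in granted_scopes(payload)


if __name__ == "__main__":
    p = rpt_payload(build_demo_rpt())
    print(granted_scopes(p))
    print(has_permission(p, f"{RESOURCE_ID}#album:modify"))       # False
    print(resource_only_check(p, f"{RESOURCE_ID}#album:modify"))  # True
```

Running the block shows the difference the thread is about: with only album:view granted, the scope-aware check refuses album:modify, while a check that only asks "is there any permission for this resource?" says yes.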