Re: [keycloak-user] Incorrect UMA Policy Evaluation
From your description it sounds like a bug. I believe there's a
setting
where you instruct KC to enforce permissions or not and if you don't
select
enforce, the default is to grant permission. Make sure you've got the
correct.
You'll need to open a bug report on Jira with clear steps to reproduce the
problem.
On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina(a)sap.com wrote:
Hi,
I’m using the protection API to manage UMA policies for my Keycloak
resources. However, I get false-positive results when requesting
permissions for a resource via the token endpoint.
Example:
I have a resource with ID “dataset-42” and two scopes “view” and “delete”.
I create a UMA policy granting my user “view” access to this resource. If I
now call the token endpoint (as suggested in [1]) to obtain permissions for
the “delete” scope by setting:
response_mode=permissions
permission=dataset-42#delete
, I get the following (confusing) result:
[{
"scopes": ["view"],
"rsid": "dataset-42",
"rsname": "urn:atlas-api:resources:dataset:42"
}]
When setting “response_mode=decision”, I get:
{
"result": true
}
There is no policy that gives my user access to the “delete” scope
anywhere, so shouldn’t I get a negative result here?
Links:
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user