Now I see. The result is giving a false-positive but the set of granted
permissions should be correct.
To check that, could you click the "Show Authorization Data" link at the top of
the result page and see what the permissions look like in the generated
token? You should see:
"authorization": {
  "permissions": [
    {
      "scopes": [
        "album:view"
      ],
      "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
      "rsname": "Amazing sunsets"
    }
  ]
},
On Wed, Jan 16, 2019 at 9:51 AM Marek Lindner <mareklindner(a)neomailbox.ch>
wrote:
> On Wednesday, 16 January 2019 19:38:45 HKT Pedro Igor Silva wrote:
> > Here it is.
>
> Thanks! The difference between your evaluation test and mine appears to be
> that you tested the shared scope.
>
> To summarize:
> a) Alice does allow Bob to perform album:view.
> b) Alice does not allow Bob to perform album:modify.
>
> When Bob tries to access album:view I'd expect PERMIT whereas when
> album:modify is attempted DENY should be the result. Do we agree?
>
> I attached screenshots for both evaluation attempts. Both (view and modify)
> yield PERMIT. That should not be the case or am I missing something?
>
> Regards,
> Marek
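
Added example, not part of the original thread and not Keycloak's own code: a resource server can derive PERMIT or DENY for Bob from the "authorization" claim shown above by checking that the requested scope is listed for the resource. The function names and the sample token are constructed for illustration, and treating an entry without the requested scope as DENY is an assumption of this sketch.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT.

    The signature is NOT verified here; an enforcement point must verify
    it before trusting any claim. The sample token below is unsigned.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def granted_scopes(claims: dict, resource: str) -> set:
    """Collect the scopes granted for a resource, matched by rsid or rsname."""
    scopes = set()
    for perm in claims.get("authorization", {}).get("permissions", []):
        if resource in (perm.get("rsid"), perm.get("rsname")):
            scopes.update(perm.get("scopes", []))
    return scopes


def is_permitted(claims: dict, resource: str, scope: str) -> bool:
    """Deny by default: PERMIT only if the scope is explicitly listed."""
    return scope in granted_scopes(claims, resource)


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: the permissions block quoted in the thread,
# wrapped in an unsigned token purely for demonstration.
SAMPLE_CLAIMS = {
    "authorization": {
        "permissions": [
            {
                "scopes": ["album:view"],
                "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
                "rsname": "Amazing sunsets",
            }
        ]
    }
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}), _b64url(SAMPLE_CLAIMS), ""])

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    for scope in ("album:view", "album:modify"):
        verdict = "PERMIT" if is_permitted(claims, "Amazing sunsets", scope) else "DENY"
        print(scope, verdict)
```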