Now you are talking about https://github.com/keycloak/keycloak/pull/5833,
which is related to the "decision" response mode returning a
false positive. However, both RPT and "permissions" response modes return
the correct permissions.

On Wed, Jan 16, 2019 at 10:31 AM Marek Lindner <mareklindner(a)neomailbox.ch> wrote:

On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> Thanks. I think we are on the same page then. Created
> https://issues.jboss.org/browse/KEYCLOAK-9337.
>
> Please, for now, ignore that result and consider the set of the actual
> granted permissions.

Thanks for opening that bug. However, let me point out that this issue is
not limited to the evaluation tool. The UMA policy API evaluation is affected
too.

Here is the call for checking permissions:

    POST /auth/realms/test/protocol/openid-connect/token
    grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
    &permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
    &audience=photoz&response_mode=decision

returns: {"result":true}

Haven't tested RPT tickets but it is somewhat reasonable to assume those
are affected too. Looks like the policy logic is fine with any scope shared
to grant permission for all scopes.

Regards,
Marek
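
Added example (not part of the original thread and not Keycloak's own code): following the advice above to ignore the "decision" result and consider the set of actually granted permissions, this Python code checks a requested resource#scope against the list returned with response_mode=permissions. The response body, the resource name and the album:view scope are constructed sample data; the rsid/rsname/scopes field layout and comma-separated scopes in the permission parameter are assumptions about Keycloak's format.

```python
import json

# Constructed sample of a response_mode=permissions reply: the resource was
# shared with one scope only (album:view is an assumed scope name).
SAMPLE_RESPONSE = json.dumps([
    {"rsid": "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b",
     "rsname": "Alice's album",
     "scopes": ["album:view"]},
])

def build_token_request(permission, audience):
    """Form parameters for the UMA call in the thread, asking for the permission list."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "permission": permission,
        "audience": audience,
        "response_mode": "permissions",  # instead of "decision"
    }

def parse_permission(permission):
    """Split 'resource#scope1,scope2' into (resource, set of scopes)."""
    resource, _, scopes = permission.partition("#")
    return resource, {s.strip() for s in scopes.split(",") if s.strip()}

def granted_scopes(resource, response_body):
    """Union of scopes granted on a resource, matched by id or name."""
    scopes, found = set(), False
    for entry in json.loads(response_body):
        if resource in (entry.get("rsid"), entry.get("rsname")):
            found = True
            scopes |= set(entry.get("scopes") or [])
    return found, scopes

def is_granted(permission, response_body):
    """True only when every requested scope is listed for the resource."""
    resource, wanted = parse_permission(permission)
    found, have = granted_scopes(resource, response_body)
    return found and wanted <= have
```

With the sample above, a request for album:modify is rejected even though only album:view was shared, which is the case the "decision" mode reports as true in this thread.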