The permission to my resources is not given using the UMA flow, but by policies and
permissions that I defined manually.
For example, I have a resource-type-based permission that combines two policies with the
“affirmative” strategy:
1. “User is resource owner” – JS-based policy
2. “User is admin” – role-based policy
My assumption was that this will grant full access to any resources of that type if a user
is either its owner or is assigned the ‘admin’ role. Using the evaluation tool, I can
verify that admins have permission to access any resource of that type with any scope. But
still, these resources do not show up in the permissions list I receive from the token
endpoint.
For context: I need this type of request to query my database for all objects that a given
token has access to. Maybe I’m going about this the wrong way? Would love to hear your
suggestions!
From: Pedro Igor Silva <psilva(a)redhat.com>
Date: Wednesday, November 14, 2018 at 4:04 AM
To: "Lamina, Marco" <marco.lamina(a)sap.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining
permissions
When asking for *all* permissions a user has, the policy evaluation engine resolves the
resources as follows:
1) Get all resources owned by the user
2) Get all resources owned by the resource server
3) Get all resources granted by another user to the user based on UMA and permission
tickets.
NOTE: when doing an "all" request we don't fetch all resources managed by
the server.
If you are not getting the resources owned by other users is probably because they were
not granted based on permission tickets (UMA flow). I would suggest you to get the id for
one of these resources and send an authorization request using the resource id to see what
you get.
Regards.
Pedro Igor
On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco
<marco.lamina@sap.com<mailto:marco.lamina@sap.com>> wrote:
Hi,
I am trying to use Keycloak’s token endpoint to obtain a list of all resources and the
respective scopes that a user has permission to access. However, the behavior I am
observing does not match what is described in the documentation (Link [1]). I am using the
token endpoint as shown in Link [2].
Expected behavior:
Token endpoint returns a list of all resources and scopes that the token’s user has
permission to access.
Observed behavior:
Token endpoint only returns resources that are owned by either the token’s user or the
resource server itself. Resources owned by other users are not listed, even though the
token’s user has permission to access them.
Is that a bug or expected behavior?
Links:
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
[2]
https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&a...
Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user