Ticket:
https://issues.jboss.org/browse/KEYCLOAK-9093
From: Geoffrey Cleaves <geoff(a)opticks.io>
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco" <marco.lamina(a)sap.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation
Also, if you have a resource level permission which grants access, I think that includes
all scopes, so look into that.
On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff@opticks.io> wrote:
From your description it sounds like a bug. I believe there's a setting where you
instruct KC to enforce permissions or not and if you don't select enforce, the default
is to grant permission. Make sure you've got the correct.
You'll need to open a bug report on Jira with clear steps to reproduce the problem.
On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina@sap.com> wrote:
Hi,
I’m using the protection API to manage UMA policies for my Keycloak resources. However, I
get false-positive results when requesting permissions for a resource via the token
endpoint.
Example:
I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA
policy granting my user “view” access to this resource. If I now call the token endpoint
(as suggested in [1]) to obtain permissions for the “delete” scope by setting:
response_mode=permissions
permission=dataset-42#delete
I get the following (confusing) result:
[{
"scopes": ["view"],
"rsid": "dataset-42",
"rsname": "urn:atlas-api:resources:dataset:42"
}]
When setting “response_mode=decision”, I get:
{
"result": true
}
There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t
I get a negative result here?
Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
Thanks,
Marco
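An added example (not code from the thread or from Keycloak) of the check a relying party can do on its own side while a report like the one above is open: derive the decision from the `response_mode=permissions` body and require the requested scope to be explicitly listed, rather than trusting `response_mode=decision`. It assumes the response shape shown in the thread and the `RESOURCE_ID#SCOPE[,SCOPE...]` form of the `permission` parameter; the sample response is constructed from Marco's message.

```python
# Added example (not code from the thread or from Keycloak): a client-side check that
# derives the authorization decision from the `permissions` response body itself,
# instead of trusting `response_mode=decision`. Response shape follows the thread;
# the sample response below is constructed from the message above.
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: what the thread shows for permission=dataset-42#delete
SAMPLE_RESPONSE: List[Dict] = [
    {"scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42"}
]


def parse_permission_param(param: str) -> Tuple[str, Set[str]]:
    """Split a Keycloak `permission` parameter, `RESOURCE_ID#SCOPE[,SCOPE...]`.

    `dataset-42#delete` -> ("dataset-42", {"delete"}); a bare `dataset-42`
    (resource-level request) -> ("dataset-42", set()).
    """
    rsid, has_scopes, scope_part = param.partition("#")
    if not rsid:
        raise ValueError("permission parameter must start with a resource id")
    scopes = {s.strip() for s in scope_part.split(",") if s.strip()} if has_scopes else set()
    if has_scopes and not scopes:
        raise ValueError("'#' given but no scope names follow it")
    return rsid, scopes


def granted_scopes(permissions: Iterable[Dict], rsid: str) -> Tuple[bool, Set[str]]:
    """Return (resource_present, union of scopes the server granted for `rsid`)."""
    present, granted = False, set()
    for perm in permissions:
        if perm.get("rsid") == rsid:
            present = True
            granted.update(perm.get("scopes") or [])
    return present, granted


def is_authorized(permissions: Iterable[Dict], requested: str) -> bool:
    """True only if the resource is present AND every requested scope is explicitly granted.

    A permission entry without a `scopes` list is treated conservatively: it
    satisfies a resource-level request but no scoped one.
    """
    rsid, wanted = parse_permission_param(requested)
    present, granted = granted_scopes(permissions, rsid)
    return present and wanted <= granted


if __name__ == "__main__":
    # The thread's case: decision mode said true, but "delete" was never granted.
    print(is_authorized(SAMPLE_RESPONSE, "dataset-42#delete"))  # False
```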
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user