Hi,
I’m using the protection API to manage UMA policies for my Keycloak resources. However, I
get false-positive results when requesting permissions for a resource via the token
endpoint.
Example:
I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA
policy granting my user “view” access to this resource. If I now call the token endpoint
(as suggested in [1]) to obtain permissions for the “delete” scope by setting:
  response_mode=permissions
  permission=dataset-42#delete
I get the following (confusing) result:
[{
"scopes": ["view"],
"rsid": "dataset-42",
"rsname": "urn:atlas-api:resources:dataset:42"
}]
When setting “response_mode=decision”, I get:
{
"result": true
}
There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t
I get a negative result here?
Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
Thanks,
Marco
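An added example (not code from the post above, and not Keycloak's own code) showing how a resource server can avoid the false-positive trap described in the post: instead of treating a non-empty permissions list, or `"result": true`, as proof that the requested scope was granted, it checks the returned `rsid`/`scopes` pairs against exactly what was asked for. The `grant_type` value `urn:ietf:params:oauth:grant-type:uma-ticket` and the `audience`, `permission` and `response_mode` form fields are the ones Keycloak documents for this flow; the audience name `atlas-api` and the embedded JSON response are constructed to mirror the post, and no network call is made.

```python
"""Client-side validation of UMA permission responses from Keycloak's token endpoint.

Added example: not code from the original post or from the Keycloak project.
The audience name and the sample JSON response are constructed.
"""
import json
from urllib.parse import urlencode

# Grant type Keycloak documents for requesting permissions at the token endpoint.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_uma_ticket_request(audience, permissions, response_mode="permissions"):
    """Build the form body of a permission request for the token endpoint.

    permissions: list of "resource_id#scope" strings (or bare "resource_id").
    response_mode: "permissions" asks for the list of granted permissions,
    "decision" asks for a bare {"result": true|false}.
    """
    fields = [("grant_type", UMA_TICKET_GRANT),
              ("audience", audience),
              ("response_mode", response_mode)]
    fields += [("permission", p) for p in permissions]
    return urlencode(fields)


def parse_permission(permission):
    """Split "rsid#scope" into (rsid, scope); scope is None when omitted."""
    rsid, sep, scope = permission.partition("#")
    return rsid, (scope if sep else None)


def scope_granted(permissions_response, resource_id, scope):
    """Return True only if the response lists `scope` for `resource_id`.

    The "permissions" response is a list of objects carrying "rsid", "rsname"
    and "scopes". A non-empty list is NOT proof that the requested scope was
    granted: the entry may list only the scopes the user does hold on the
    resource (e.g. ["view"] when "delete" was requested). An entry without a
    "scopes" field is treated as not granting any specific scope (fail closed).
    """
    for entry in permissions_response:
        if entry.get("rsid") != resource_id:
            continue
        if scope is None:
            # Resource-level request: any grant on the resource satisfies it.
            return True
        if scope in (entry.get("scopes") or []):
            return True
    return False


def denied_permissions(permissions_response, requested):
    """Check every requested "rsid#scope"; return the ones the response does not grant."""
    denied = []
    for p in requested:
        rsid, scope = parse_permission(p)
        if not scope_granted(permissions_response, rsid, scope):
            denied.append(p)
    return denied


# Constructed sample: the response shape reported in the post for a "delete" request.
SAMPLE_PERMISSIONS_RESPONSE = json.loads(
    '[{"scopes": ["view"], "rsid": "dataset-42", '
    '"rsname": "urn:atlas-api:resources:dataset:42"}]'
)


def main():
    requested = ["dataset-42#delete"]
    body = build_uma_ticket_request("atlas-api", requested)
    print("token endpoint form body:", body)
    denied = denied_permissions(SAMPLE_PERMISSIONS_RESPONSE, requested)
    # The list is non-empty, yet "delete" is absent from "scopes", so the
    # resource server must still deny the operation.
    print("denied:", denied)


if __name__ == "__main__":
    main()
```

The point of the `denied_permissions` check is that authorisation is decided on the exact `(rsid, scope)` pairs returned, never on the fact that the endpoint answered with something. With `response_mode=decision` there is nothing to compare against, so a resource server that needs scope-level enforcement should prefer `response_mode=permissions` and validate the scopes itself.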