I looked at push claims and I like the idea, but I wasn’t able to come up with a scenario
that would support my use case.
From: Pedro Igor Silva <psilva(a)redhat.com>
Date: Wednesday, November 14, 2018 at 1:41 PM
To: "Lamina, Marco" <marco.lamina(a)sap.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining
permissions
I mentioned a possible solution in another thread which was about data filtering. What if
you push back claims from your policies where these claims represent conditions that
should be added to your query. See
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016213.html.
Regards.
Pedro Igor
On Wed, Nov 14, 2018 at 6:56 PM Lamina, Marco
<marco.lamina@sap.com> wrote:
Correct, in this particular case that might be true. However, in the future there will be
a more complex scenario with different types of permissions and users involved. For now I
am using the following workaround to implement my use case on the resource server:
1. Request a PAT token from Keycloak
2. List all resources of a certain type via
{keycloak}/auth/realms/${realm_name}/authz/protection/resource_set?type={type}
3. Send a permissions request to the token endpoint with a
permission={resource_id}#{my_scope} item for every resource ID from 2), using the user’s
access token in the header
4. The resulting list contains all resources a user can access with a given scope
This gives me the correct result, but doesn’t scale well if I end up having a lot of
resources.
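The workaround above, as an added example that is not part of the thread: the per-resource permission request to the token endpoint (UMA grant type, `permission=<id>#<scope>`, `response_mode=permissions`) and the filtering of its reply, with the HTTP call injected so the flow runs offline. The audience name, resource ids and reply bodies are constructed samples.

```python
import json
from urllib.parse import parse_qs, urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
AUDIENCE = "my-resource-server"  # assumed client id of the resource server


def build_uma_request(audience, resource_id, scope):
    """Form body for one token-endpoint call about a single resource/scope.

    Sent with the user's access token in the Authorization header (step 3
    of the workaround); '#' is form-encoded as %23 by urlencode."""
    return urlencode([
        ("grant_type", UMA_GRANT),
        ("audience", audience),
        ("response_mode", "permissions"),
        ("permission", f"{resource_id}#{scope}"),
    ])


def granted_scopes(reply_text, resource_id):
    """Scopes the reply grants on resource_id.

    A denial comes back as a JSON object ({"error": "access_denied", ...})
    rather than a list of permissions, so anything that is not a list is
    treated as 'no scopes granted'."""
    data = json.loads(reply_text)
    if not isinstance(data, list):
        return set()
    return {s for p in data if p.get("rsid") == resource_id
            for s in p.get("scopes", [])}


def accessible_ids(resource_ids, scope, post):
    """Step 4: ids (from the resource_set listing) the user holds `scope` on.

    `post(body)` is the caller's HTTP function returning the raw reply text;
    it is injected so the logic can be exercised without a Keycloak server."""
    return [rid for rid in resource_ids
            if scope in granted_scopes(post(build_uma_request(AUDIENCE, rid, scope)), rid)]


# Constructed replies: owner of res-1, read-only on res-2, denied on res-3.
SAMPLE_REPLIES = {
    "res-1": json.dumps([{"rsid": "res-1", "rsname": "doc-a", "scopes": ["read", "write"]}]),
    "res-2": json.dumps([{"rsid": "res-2", "rsname": "doc-b", "scopes": ["read"]}]),
    "res-3": json.dumps({"error": "access_denied", "error_description": "not_authorized"}),
}


def fake_post(body):
    """Stand-in for the HTTP call: pick the canned reply by the requested resource id."""
    rid = parse_qs(body)["permission"][0].split("#")[0]
    return SAMPLE_REPLIES[rid]


if __name__ == "__main__":
    print(accessible_ids(["res-1", "res-2", "res-3"], "write", fake_post))
```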
From: Pedro Igor Silva <psilva@redhat.com>
Date: Wednesday, November 14, 2018 at 12:35 PM
To: "Lamina, Marco"
<marco.lamina@sap.com<mailto:marco.lamina@sap.com>>
Cc: keycloak-user
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining
permissions
I see. As I mentioned before, the specific resource (owned by a different user) is not
processed by the policy evaluation engine.
For this particular case, if the user is granted with the typed resource you could just
assume that she/he can fetch any resource from the database with the same logical type,
right?
On Wed, Nov 14, 2018 at 4:44 PM Lamina, Marco
<marco.lamina@sap.com> wrote:
The permission to my resources is not given using the UMA flow, but by policies and
permissions that I defined manually.
For example, I have a resource-type-based permission that combines two policies with the
“affirmative” strategy:
1. “User is resource owner” – JS-based policy
2. “User is admin” – role-based policy
My assumption was that this will grant full access to any resources of that type if a user
is either its owner or is assigned the ‘admin’ role. Using the evaluation tool, I can
verify that admins have permission to access any resource of that type with any scope. But
still, these resources do not show up in the permissions list I receive from the token
endpoint.
For context: I need this type of request to query my database for all objects that a given
token has access to. Maybe I’m going about this the wrong way? Would love to hear your
suggestions!
From: Pedro Igor Silva <psilva@redhat.com>
Date: Wednesday, November 14, 2018 at 4:04 AM
To: "Lamina, Marco"
<marco.lamina@sap.com<mailto:marco.lamina@sap.com>>
Cc: keycloak-user
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining
permissions
When asking for *all* permissions a user has, the policy evaluation engine resolves the
resources as follows:
1) Get all resources owned by the user
2) Get all resources owned by the resource server
3) Get all resources granted by another user to the user based on UMA and permission
tickets.
NOTE: when doing an "all" request we don't fetch all resources managed by
the server.
If you are not getting the resources owned by other users, it is probably because they were
not granted based on permission tickets (UMA flow). I would suggest you get the id for
one of these resources and send an authorization request using the resource id to see what
you get.
Regards.
Pedro Igor
On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco
<marco.lamina@sap.com> wrote:
Hi,
I am trying to use Keycloak’s token endpoint to obtain a list of all resources and the
respective scopes that a user has permission to access. However, the behavior I am
observing does not match what is described in the documentation (Link [1]). I am using the
token endpoint as shown in Link [2].
Expected behavior:
Token endpoint returns a list of all resources and scopes that the token’s user has
permission to access.
Observed behavior:
Token endpoint only returns resources that are owned by either the token’s user or the
resource server itself. Resources owned by other users are not listed, even though the
token’s user has permission to access them.
Is that a bug or expected behavior?
Links:
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
[2]
https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&a...
Thanks,
Marco
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user