where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct. You'll need to open a bug report on Jira with clear steps to reproduce the problem. On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina(a)sap.com wrote:

Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak’s policy enforcement mode is set to “enforcing”. I will create a ticket. However, if it ends up being a bug, wouldn’t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I’m a bit puzzled. From: Geoffrey Cleaves <geoff(a)opticks.io&gt; Date: Wednesday, December 12, 2018 at 11:32 PM To: "Lamina, Marco" <marco.lamina(a)sap.com&gt; Cc: keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that. On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff@opticks.io<mailto:geoff@opticks.io> wrote: From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct. You'll need to open a bug report on Jira with clear steps to reproduce the problem. On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com> wrote: Hi, I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Example: I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting: response_mode=permissions permission=dataset-42#delete , I get the following (confusing) result: [{ "scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42" }] When setting “response_mode=decision”, I get: { "result": true } There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

I’ve used regular policies / permissions at first, but found that the way they are evaluated showed inconsistencies. Unfortunately, neither the documentation nor the community were able to give an explanation as to how the policy evaluation actually works. I switched to using only UMA policies, hoping that this would simplify things. This approach seemed to work fine at first, but the results are just as confusing and unpredictable as everything I’ve tried before. The documentation does a good job at explaining how to use Keycloak’s authorization services, but the evaluation engine seems to be a magic black box. It would be great to have a piece of documentation that explains in more detail how the evaluation results I see can be traced back to the permissions that I create in Keycloak. From: Geoffrey Cleaves <geoff(a)opticks.io&gt; Date: Thursday, December 13, 2018 at 10:29 AM To: "Lamina, Marco" <marco.lamina(a)sap.com&gt; Cc: keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation Perhaps it's a bug introduced in the release that came out a few days ago. Not that many people use it, and I get the impression that not many people use Uma policy evaluation. On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com> wrote: Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak’s policy enforcement mode is set to “enforcing”. I will create a ticket. However, if it ends up being a bug, wouldn’t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I’m a bit puzzled. From: Geoffrey Cleaves <geoff@opticks.io<mailto:geoff@opticks.io>> Date: Wednesday, December 12, 2018 at 11:32 PM To: "Lamina, Marco" <marco.lamina@sap.com<mailto:marco.lamina@sap.com>> Cc: keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that. On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff@opticks.io<mailto:geoff@opticks.io> wrote: From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct. You'll need to open a bug report on Jira with clear steps to reproduce the problem. On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com> wrote: Hi, I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Example: I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting: response_mode=permissions permission=dataset-42#delete , I get the following (confusing) result: [{ "scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42" }] When setting “response_mode=decision”, I get: { "result": true } There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Awesome, thanks Pedro! From: Pedro Igor Silva <psilva(a)redhat.com&gt; Date: Wednesday, January 2, 2019 at 5:23 AM To: "Lamina, Marco" <marco.lamina(a)sap.com&gt; Cc: Geoffrey Cleaves <geoff(a)opticks.io&gt;, keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation Hi Marco, For user-managed resources and permissions, we are currently returning any permission granted regardless the scopes being requested. What is causing this unexpected response when using the "decision" permission mode. To align the behaviour when not using UMA resources/permissions I've changed the policy engine to only return the requested scopes, as you pointed out. Regarding docs, created https://issues.jboss.org/browse/KEYCLOAK-9186. Regards. Pedro Igor On Thu, Dec 13, 2018 at 5:20 PM Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com>> wrote: I’ve used regular policies / permissions at first, but found that the way they are evaluated showed inconsistencies. Unfortunately, neither the documentation nor the community were able to give an explanation as to how the policy evaluation actually works. I switched to using only UMA policies, hoping that this would simplify things. This approach seemed to work fine at first, but the results are just as confusing and unpredictable as everything I’ve tried before. The documentation does a good job at explaining how to use Keycloak’s authorization services, but the evaluation engine seems to be a magic black box. It would be great to have a piece of documentation that explains in more detail how the evaluation results I see can be traced back to the permissions that I create in Keycloak. From: Geoffrey Cleaves <geoff@opticks.io<mailto:geoff@opticks.io>> Date: Thursday, December 13, 2018 at 10:29 AM To: "Lamina, Marco" <marco.lamina@sap.com<mailto:marco.lamina@sap.com>> Cc: keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation Perhaps it's a bug introduced in the release that came out a few days ago. Not that many people use it, and I get the impression that not many people use Uma policy evaluation. On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com><mailto:marco.lamina@sap.com<mailto:marco.lamina@sap.com>> wrote: Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak’s policy enforcement mode is set to “enforcing”. I will create a ticket. However, if it ends up being a bug, wouldn’t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I’m a bit puzzled. From: Geoffrey Cleaves <geoff@opticks.io<mailto:geoff@opticks.io><mailto:geoff@opticks.io<mailto:geoff@opticks.io>>> Date: Wednesday, December 12, 2018 at 11:32 PM To: "Lamina, Marco" <marco.lamina@sap.com<mailto:marco.lamina@sap.com><mailto:marco.lamina@sap.com<mailto:marco.lamina@sap.com>>> Cc: keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that. On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff@opticks.io<mailto:geoff@opticks.io><mailto:geoff@opticks.io<mailto:geoff@opticks.io>> wrote: From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct. You'll need to open a bug report on Jira with clear steps to reproduce the problem. On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com><mailto:marco.lamina@sap.com<mailto:marco.lamina@sap.com>> wrote: Hi, I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Example: I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting: response_mode=permissions permission=dataset-42#delete , I get the following (confusing) result: [{ "scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42" }] When setting “response_mode=decision”, I get: { "result": true } There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user