Hi,

it turns out I missed that another resource was selected in the permission (the Resource field, which narrows the scopes available), and it was not the endpoint being accessed.

The number of scopes had nothing to do with it and works as intended (it applies the same policy to any of the listed scopes).

Best regards, cen
Pedro Igor Silva wrote on 4. 12. 18 at 18:04:
Hi,
The scope set on resource does not necessarily mean access to the
resource/scopes. Access is granted depending on the policies
associated with the permissions you have for both resources and scopes.
If you could provide more details on how to reproduce #2, I would
appreciate it. However, if the permission in #2 is denying access it will
also be denied for the resource scope.
On Tue, Dec 4, 2018 at 2:42 PM cen <imbacen(a)gmail.com> wrote:
Hi.
In UMA authorization, when adding a scope Permission you can specify a
set of scopes. What a "set" means exactly is not very well documented.
By trial and error I figured out that:
1. Resource with single scope and corresponding permission with same
(single) scope works as expected.
2. Resource with single scope and permission with multiple scopes, of
which one of them is the resource scope, does not work (auth not
granted).
Scope set on resource to me means: these are all the things the resource
owner is allowed to do with it.
Scope set on permission to me means: apply these policies if either of
these scopes is needed. That does not seem to be the case though, according
to point #2.
Can someone shed some light on how scope set on resource resolves against
permission scope set?
Best regards, cen
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
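
A simplified model of the behaviour this thread settles on, added here as an example; it is not part of the original messages and not Keycloak's own code. It shows that the size of a permission's scope set does not matter, while a Resource field pointing at a different resource leaves the request with no applicable permission. All names and sample data are hypothetical, and the two evaluation rules noted in the first comment are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model, not Keycloak's evaluation engine. Assumptions: a request
# is denied when no permission applies, and every applicable permission
# must grant for access to be given.

@dataclass(frozen=True)
class ScopePermission:          # hypothetical name
    name: str
    scopes: frozenset           # scope set listed on the permission
    resource: Optional[str]     # optional Resource field; None = not set
    policy_grants: bool         # outcome of the associated policy

def applies(perm, resource, scope):
    """A permission covers a request if the scope is in its set and its
    Resource field, when set, names the resource being accessed."""
    if scope not in perm.scopes:
        return False
    return perm.resource is None or perm.resource == resource

def evaluate(perms, resource, scope):
    """Return (granted, names of the permissions that applied)."""
    hits = [p for p in perms if applies(p, resource, scope)]
    return bool(hits) and all(p.policy_grants for p in hits), [p.name for p in hits]

def pinned_elsewhere(perms, resource, scope):
    """Permissions that list the scope but select a different resource."""
    return [p.name for p in perms
            if scope in p.scopes and p.resource not in (None, resource)]

# Constructed sample data: resource "album" has the single scope "view".
SINGLE = ScopePermission("single", frozenset({"view"}), None, True)
MULTI = ScopePermission("multi", frozenset({"view", "edit", "delete"}), None, True)
WRONG_RES = ScopePermission("wrong-res", frozenset({"view", "edit"}), "report", True)
DENYING = ScopePermission("denying", frozenset({"view"}), None, False)

if __name__ == "__main__":
    for perms in ([SINGLE], [MULTI], [WRONG_RES], [MULTI, DENYING]):
        print([p.name for p in perms], evaluate(perms, "album", "view"),
              pinned_elsewhere(perms, "album", "view"))
```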