9:16 p.m.
I have a resource and a few scopes associated with the resource.
Both the resource and the scope have permissions associated with them.
It seems logical that if one of the resource permissions resolves to DENY,
the whole resource is denied for the user.
But why the same happens with scope permissions?
As I understood from the docuemntation, scopes are verbs that can act upon
a resource. So if an user isn't authorized to perform one of the verbs (one
of the scopes), the user still should have access to the resource itself,
if the resource permissions allow, but it doesn't to seem to work this way.
I expected to automaticlaly block users that are not authorized for the
resource. With the rest users I expected to check each scope
programmatically for avaiability of corresponding actions (resource:view,
resource:edit, etc).
I used the "hello-world-authz-service" example (Keycloak server
configuration and the application code) with a few changes (added scopes)
to check it. Didn't work - access denied if one of the scope permissions
fails.
10:41 p.m.
Looks I've clarified the problem:
A resource with scopes won't be permitted if there are no permitted scopes.
This is a strange behavior - if there are no permitted scopes, the resource
should still be available, it just doesn't have any additional actions
(scopes) permitted.
In support, if you take a resource without scopes, the resource is
available (given all resource permissions are permitted). But following the
current logic Keycloak handles scopes, the resource shouldn't be available
then, since there are no available scopes.
Now, the only solution is to create a dummy scope and always assign it to
resources, so that they don't get blocked when no other scopes are
available.
I think, this behavior should be changed.
What do you think?
2:54 p.m.
Good morning, I'm not sure if I follow you on this, but if
you look at OIDC spec[1], scope is required. Plus, there's
some explanation here[2].
I hope it helps.
[1] - http://openid.net/specs/openid-connect-core-1_0.html
[2] -
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ro...
On 2016-07-04, Artem Voskoboynick wrote:
Looks I've clarified the problem:
A resource with scopes won't be permitted if there are no permitted scopes.
This is a strange behavior - if there are no permitted scopes, the resource
should still be available, it just doesn't have any additional actions
(scopes) permitted.
In support, if you take a resource without scopes, the resource is
available (given all resource permissions are permitted). But following the
current logic Keycloak handles scopes, the resource shouldn't be available
then, since there are no available scopes.
Now, the only solution is to create a dummy scope and always assign it to
resources, so that they don't get blocked when no other scopes are
available.
I think, this behavior should be changed.
What do you think?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914
2855
days inactive
2859
days old
2 comments
2 participants
participants (2)
-
Artem Voskoboynick -
Bruno Oliveira