[keycloak-dev] [authz] All permissions must pass?

Bill Burke bburke at redhat.com
Sat Apr 1 15:20:33 EDT 2017


The evaluator can't be different than what is returned in the 
RPT, otherwise, what is the point of the evaluator?


On 4/1/17 2:19 PM, Pedro Igor Silva wrote:
> The evaluator may give you this output. But what about the permissions 
> you got in the token (that 'Show Authorization Data' link on top of 
> the result page)? If you got PERMIT for a scope you should see it in 
> the token.
>
> On Sat, Apr 1, 2017 at 1:20 PM, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>     So all permissions must pass when evaluating a resource/scope
>     authorization?  Just did some testing in admin console.  I have 2
>     permissions.  I used the policy evaluator for a resource/scope combo.
>     One permission passes, the other fails.  Evaluator result is DENY:
>
>
>     Result
>     DENY
>     Scopes
>     No scopes available.
>     Policies
>     # map.role.permission.realm-management.manage-authorization
>       <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/permission/scope/776b79cf-57e2-4b55-b9e5-84195c89fd7a>
>       decision was PERMIT by UNANIMOUS decision.
>
>       * role.policy.realm-managementmanage-users
>         <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/policy/role/29968cd1-f44e-47db-868d-c7bd61b827dd>
>         voted to PERMIT.
>       * role.policy.realm-managementmanage-authorization
>         <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/policy/role/c4da0818-432a-41d2-94a8-0fc08051a609>
>         voted to PERMIT.
>
>     # role-mapper-permission
>       <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/permission/scope/e8acb66c-fe1f-4310-946a-fbb638449e77>
>       decision was DENY by UNANIMOUS decision.
>
>       * role-mapper
>         <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/policy/role/41b7d1fe-c40f-4437-93d2-aa5768227fd4>
>         voted to DENY.
>
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
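To make the decision combination in the quoted evaluator output concrete, here is a small added model (example code written for this page, not Keycloak's implementation): each permission decides by UNANIMOUS vote of its policies, and, matching the DENY reported in the thread when one of two permissions fails, any denied permission on the evaluated resource/scope denies the whole request and grants no scopes. The scope name `example-scope`, the `evaluate` and `consistent_with_rpt` functions and the "any DENY denies" combining rule are assumptions of this example, modelled on the output above rather than taken from Keycloak's documented algorithm.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Vote(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"


@dataclass
class Policy:
    """One policy and the vote it cast, as listed under each permission."""
    name: str
    vote: Vote


@dataclass
class Permission:
    """A scope permission with its policies and decision strategy.

    UNANIMOUS is the only strategy visible in the thread's output.
    """
    name: str
    policies: List[Policy]
    strategy: str = "UNANIMOUS"

    def decide(self) -> Vote:
        votes = [p.vote for p in self.policies]
        if self.strategy == "UNANIMOUS":
            # Every policy must vote PERMIT for the permission to be granted.
            if votes and all(v is Vote.PERMIT for v in votes):
                return Vote.PERMIT
            return Vote.DENY
        raise ValueError(f"unsupported strategy: {self.strategy}")


def evaluate(permissions: List[Permission],
             scopes: List[str]) -> Tuple[Vote, Dict[str, Vote], List[str]]:
    """Combine the decisions of every permission applying to one resource/scope.

    Assumption (modelled on the evaluator output in the thread): a single
    DENY from any applicable permission denies the request, and a denied
    request grants no scopes ("No scopes available.").
    """
    decisions = {perm.name: perm.decide() for perm in permissions}
    if decisions and all(d is Vote.PERMIT for d in decisions.values()):
        overall = Vote.PERMIT
    else:
        overall = Vote.DENY
    granted = list(scopes) if overall is Vote.PERMIT else []
    return overall, decisions, granted


def consistent_with_rpt(granted: List[str], rpt_scopes: List[str]) -> bool:
    """The check Bill asks for: the scopes the evaluator grants must match
    the scopes carried in the RPT for the same resource."""
    return sorted(granted) == sorted(rpt_scopes)


def sample_evaluation() -> Tuple[Vote, Dict[str, Vote], List[str]]:
    """Constructed from the thread: two permissions, one PERMIT and one DENY."""
    manage_authz = Permission(
        "map.role.permission.realm-management.manage-authorization",
        [Policy("role.policy.realm-managementmanage-users", Vote.PERMIT),
         Policy("role.policy.realm-managementmanage-authorization", Vote.PERMIT)],
    )
    role_mapper = Permission("role-mapper-permission",
                             [Policy("role-mapper", Vote.DENY)])
    # "example-scope" is a placeholder; the thread does not name the scope evaluated.
    return evaluate([manage_authz, role_mapper], scopes=["example-scope"])


if __name__ == "__main__":
    overall, decisions, granted = sample_evaluation()
    print("Result:", overall.value)
    for name, decision in decisions.items():
        print(f"  {name}: {decision.value}")
    print("Scopes:", granted or "No scopes available.")
    # An RPT that still listed the scope would disagree with the evaluator.
    print("agrees with an RPT carrying no scopes:", consistent_with_rpt(granted, []))
```

Running the script reproduces the thread's outcome: the first permission decides PERMIT, the second DENY, the overall result is DENY and no scopes are granted; `consistent_with_rpt` then flags any RPT that still carries the scope as disagreeing with the evaluator, which is the discrepancy the reply above objects to.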


