[keycloak-dev] UMA2.0 & Policy permission evaluations for RPTs
Gary Schulte
gary.schulte at opengov.com
Mon Aug 27 13:30:10 EDT 2018
I encountered this late last week and created a JIRA for it, but in
retrospect I should probably have brought it up on the list as well.
https://issues.jboss.org/browse/KEYCLOAK-8134
Briefly, for a UMA 2.0 managed realm, I am seeing inconsistent behavior
when getting an RPT. When I request an RPT for the UMA grant type
(urn:ietf:params:oauth:grant-type:uma-ticket), the policy/permissions are
not evaluated unless I specify some combination of resources/scopes for the
permission parameter(s).
I was expecting an unfiltered RPT to come back with permissions that are
specifically granted by policy as well as those granted by UMA2. As it is,
I have worked around it by specifying all of the "scope permissions'"
scopes (without resources) in the permission params, e.g.
...&permission=#edit&permission=#view&permission=#owner
I am encountering this on 4.1.0.Final and it appears to be present in
the latest (4.3.0.Final) as well.
Is this expected behavior?
--
Gary Schulte | Software Engineer
OpenGov
505-750-4279
gary.schulte at opengov.com
www.opengov.com
Silicon Valley | Washington DC
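An added example (not part of the post or of Keycloak itself) that builds the form fields for the UMA-ticket token request described above, with and without the scope-only `permission=#scope` workaround, and then checks the returned RPT's `authorization.permissions` claim against the scopes a policy was expected to grant, which is how you would notice the missing evaluation. The `audience` value and the RPT are constructed placeholders; the RPT signature is not verified here.

```python
import base64
import json

# Grant type used by the Keycloak token endpoint for UMA 2.0 RPT requests.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(audience, scopes=None, resources=None):
    """Form fields for POST .../protocol/openid-connect/token.
    With no scopes/resources this asks for an unfiltered RPT; the workaround
    from the post passes scope-only permissions such as "#edit"."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    for scope in scopes or []:
        fields.append(("permission", f"#{scope}"))  # scope without a resource
    for resource in resources or []:
        fields.append(("permission", resource))  # "resource" or "resource#scope"
    return fields


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rpt_permissions(rpt):
    """Map resource name -> set of scopes from the RPT 'authorization' claim.
    Only the payload is decoded; a resource server must verify the signature
    before trusting any of these permissions."""
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    perms = {}
    for p in payload.get("authorization", {}).get("permissions", []):
        name = p.get("rsname", p.get("rsid"))
        perms.setdefault(name, set()).update(p.get("scopes", []))
    return perms


def missing_scopes(rpt, expected):
    """Per resource, the scopes a policy should have granted but the RPT lacks."""
    got = rpt_permissions(rpt)
    gaps = {r: s - got.get(r, set()) for r, s in expected.items()}
    return {r: s for r, s in gaps.items() if s}


def _fake_rpt(claims):
    # Constructed, unsigned token for this example; not a real Keycloak RPT.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed RPT in which only "view" on "Budget" came back, as the post observed.
SAMPLE_RPT = _fake_rpt({"authorization": {"permissions": [
    {"rsid": "r1", "rsname": "Budget", "scopes": ["view"]}]}})
```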