[keycloak-dev] UMA2.0 & Policy permission evaluations for RPTs

Pedro Igor Silva psilva at redhat.com
Tue Aug 28 07:50:56 EDT 2018


Hi Gary,

This is not the expected behavior. When obtaining all permissions (no
permission/ticket parameter set) the server will match resources
according to:

* Resources where the owner is the *resource server* itself
* Resources where the owner is the *user* represented by the access/ID
token you sent as a bearer to the token endpoint
* Resources where the *user* was granted with access through async
authorization based on UMA flow (owner has approved access via account
service, for instance)

Do the resources you are expecting match any of these conditions?

Regards.
Pedro Igor

On Mon, Aug 27, 2018 at 2:30 PM, Gary Schulte <gary.schulte at opengov.com>
wrote:

> I encountered this late last week and created a JIRA for it, but in
> retrospect I should probably have brought it up on the list as well.
>
> https://issues.jboss.org/browse/KEYCLOAK-8134
>
> Briefly, for a UMA 2.0 managed realm, I am seeing inconsistent behavior
> when getting an RPT.  When I request an RPT for the uma grant type
> (urn:ietf:params:oauth:grant-type:uma-ticket) the policy/permissions are
> not evaluated unless I specify some combination of resources/scopes for the
> permission parameter(s).
>
> I was expecting an unfiltered RPT to come back with permissions that are
> specifically granted by policy as well as those granted by UMA2.  As it is,
> I have worked around it by specifying all of the "scope permissions'"
> scopes (without resources) in the permission params, e.g.
>
>   ...&permission=#edit&permission=#view&permission=#owner
>
> I am encountering this on 4.1.0.Final and it appears to be present in
> latest (4.3.0.Final)
>
> Is this expected behavior?
>
>
> --
>
> Gary Schulte  I Software Engineer
>
> OpenGov
>
> 505-750-4279
>
> gary.schulte at opengov.com
>
> www.opengov.com
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
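To make the two request shapes discussed in this thread concrete, here is an added Python example (not code from the thread, from Keycloak, or from either poster). It builds the form body for the UMA grant type against the token endpoint both without a permission parameter (the "all permissions" case Pedro describes) and with scope-only permissions such as `#edit`, then inspects the `authorization.permissions` claim of the returned RPT. The realm name `demo`, the audience `my-api`, and the sample RPT are constructed assumptions; the JWT decoder only inspects the payload and does not verify the signature, so a real RPT must still be validated against the realm's keys before its permissions are trusted.

```python
import base64
import json
import urllib.parse
import urllib.request

# Grant type used to obtain an RPT from Keycloak's token endpoint (UMA 2.0).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url, realm):
    """Token endpoint for a realm on a Keycloak 4.x server (/auth prefix)."""
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def build_rpt_request(audience, permissions=None, response_mode=None):
    """Form body for an RPT request.

    permissions=None asks for all permissions the bearer is entitled to
    (the case discussed in the thread); each entry otherwise has the form
    "resource#scope", "resource" or "#scope" (scope-only, any resource).
    """
    params = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    for perm in permissions or []:
        params.append(("permission", perm))
    if response_mode:  # "permissions" or "decision" instead of a full RPT
        params.append(("response_mode", response_mode))
    return urllib.parse.urlencode(params)


def request_rpt(endpoint, bearer_token, body):
    """POST the form body with the user's access token as bearer; returns JSON."""
    req = urllib.request.Request(endpoint, data=body.encode(), method="POST")
    req.add_header("Authorization", "Bearer " + bearer_token)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Decode the payload segment only; NO signature check (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(rpt_payload):
    """Map resource name -> sorted scopes from the RPT's authorization claim."""
    perms = rpt_payload.get("authorization", {}).get("permissions", [])
    return {p.get("rsname", p["rsid"]): sorted(p.get("scopes", [])) for p in perms}


def has_permission(granted, resource, scope):
    """Check a concrete (resource, scope) pair against the granted map."""
    return scope in granted.get(resource, [])


# Constructed sample RPT: an unsigned JWT with the claim layout Keycloak uses.
SAMPLE_RPT = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "sub": "user-1",
        "aud": "my-api",
        "authorization": {"permissions": [
            {"rsid": "res-a", "rsname": "Document A", "scopes": ["view", "edit"]},
            {"rsid": "res-b", "rsname": "Document B", "scopes": ["view"]},
        ]},
    }).encode()),
    "",  # signature omitted in the constructed sample
])


if __name__ == "__main__":
    endpoint = token_endpoint("http://localhost:8080", "demo")
    print("unfiltered request:", build_rpt_request("my-api"))
    print("scope-only request:", build_rpt_request("my-api", ["#edit", "#view"]))
    granted = granted_permissions(decode_jwt_payload(SAMPLE_RPT))
    print("granted:", granted)
    print("edit on Document B:", has_permission(granted, "Document B", "edit"))
    # request_rpt(endpoint, "<access token>", build_rpt_request("my-api"))
```

Running the two requests against the same bearer token and diffing the `granted` maps is the quickest way to show whether the unfiltered response is missing resources that the scope-only request returns, which is the discrepancy reported in the thread.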

