[keycloak-user] Unable to understand authorization/get it to work

[Ushanas Shastri]

Hello,


This is my first post on this mailing list, and I've been evaluating Keycloak for a couple of days.


I've been unable to get Authorization to work the way I thought it should. Maybe I've not understood it right, and could do with some help. I am using the builtin Evaluation tool to check.


Here's my scenario:


I have a web based application, where we have typical CRUD operations being performed.


For e.g. the application maintains a list of Source from which we  expect to receive data. Users have the ability to add, edit, view or delete a Source, provided the Sources belong to their Business Unit. Here's what I did in Keycloak.


- Created Source as a resource, with the 4 actions as scopes (add, edit, view and delete).

- Added a Role based Policy to a role called "ViewOnly"

- The ViewOnly role is mapped to users.

- Created a Scope based permission, where View is the only scope on the resource, attached to the ViewOnly policy.



Now, when I use the evaluation tool for scope "View", I get a permit, which is as expected.


I then check the evaluation tool for scope "Delete",  I get a a message "Could not obtain any result for the given authorization request. Check if the provided resource(s) or scope(s) are associated with any policy."  Is this as expected? Isn't this supposed to return a Deny since the Policy Enforcement Mode on the realm  is "Enforcing". Is this just a UI message, indicating the same as a Deny?


Now, I add Delete as a scope to the same permission, and check on Delete scope in the evaluation tool, but I continue to get the same message as above. Shouldn't I be receiving a PERMIT now, as the same permission was modified to include the Delete Scope?


The summary is that if I have more than one scope added to the permission, the evaluation tool returns this message. If I have only one scope in a policy, it works for me.


What am I missing?


Regards, Ushanas.



This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160730/a27473c2/attachment.html