[keycloak-user] Keycloak is granting broader authorization entitlements to scopes on resources than specified

KLIMPFINGER Koloman Koloman.KLIMPFINGER at frequentis.com
Thu Mar 9 09:58:24 EST 2017


Hi keycloak users!

I've a question about using scope and resource permissions to protect my resources.
To me it seems that keycloak is granting broader authorization entitlements than I specified it with the policies & permissions - a security issue from my point of view.
For example keycloak - according to the entitlement token of a user - grants access to a resource and ALL its scopes, even if I only specified a permission to access only ONE scope on that resource for that user (with a policy).
Is it wrong to assume that the user should only have access to the one scope?
Another issue is that keycloak grants access to a resource and ALL its scopes, even if I only specified a permission to access only that resource for that user (with a policy) without a scope.
Is the assumption wrong that the user should only know about the resource but not the scopes?

Or is my understanding of how to handle the authorization entitlements for resources and their scopes with keycloak wrong?
What would be the best practice to secure the resources and their scopes?


Here I describe the scenario & point to a live example:

_ The scenario _

Created Entities:
User:                Marta
Policy:              Policy-IsUser-Marta
Scopes:              read, write, execute
Resource:            resource-a (with all three scopes)
Resource:            resource-c (with all three scopes)
Resource-Permission: resource-c -> Policy-IsUser-Marta
Scope-Permission:    resource-a + scope read -> Policy-IsUser-Marta

Retrieve entitlements:
Get your (Marta's) entitlement token and check the granted permissions - they are:

- resource-a -> read + write + execute
- resource-c -> read + write + execute

What I would expect:

- resource-a -> read
- resource-c -> (no scopes)

_ Sample Project _
I created a sample to see it live in action:
https://github.com/kklimpfi/keycloak-scenarios

It contains a keycloak-migration.json with some sample data (in master realm) + a Java application that retrieves the permissions.
You can clone it and try it (configure the setup script for importing and pass the system property for the Java application to its configuration).
(Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on Linux)

kind regards,
Koloman
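An added example (not part of the original mail or the linked sample project) of the kind of offline check that makes the mismatch described above visible: it decodes the payload of an entitlement token, flattens the granted permissions per resource, and diffs them against the scopes the policies were meant to grant. The claim layout (`authorization.permissions` entries carrying `resource_set_name` and `scopes`) and the sample token are assumptions constructed to mirror the scenario; no signature verification is performed, this is an audit of claim contents only.

```python
import base64
import json

# Expected entitlements for Marta, taken from the scenario in the mail:
# resource-a should carry only the "read" scope, resource-c no scopes at all.
EXPECTED = {
    "resource-a": {"read"},
    "resource-c": set(),
}

def decode_rpt_payload(rpt: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check;
    this is an offline audit of the claim contents, not token validation)."""
    payload_b64 = rpt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def granted_scopes(payload: dict) -> dict:
    """Flatten authorization.permissions into {resource_name: set(scopes)}.
    Claim layout assumed: {"authorization": {"permissions": [
        {"resource_set_name": ..., "scopes": [...]}, ...]}}."""
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        name = perm["resource_set_name"]
        granted.setdefault(name, set()).update(perm.get("scopes") or [])
    return granted

def over_grants(granted: dict, expected: dict) -> dict:
    """Return, per resource, the scopes present in the token that the expected
    mapping does not allow. Resources missing from EXPECTED count as fully excess."""
    excess = {}
    for resource, scopes in granted.items():
        extra = scopes - expected.get(resource, set())
        if extra:
            excess[resource] = extra
    return excess

def constructed_rpt() -> str:
    """Constructed, unsigned token mirroring the entitlements the mail reports
    for Marta (sample data only; the signature segment is left empty)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"authorization": {"permissions": [
        {"resource_set_name": "resource-a", "scopes": ["read", "write", "execute"]},
        {"resource_set_name": "resource-c", "scopes": ["read", "write", "execute"]},
    ]}}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."

if __name__ == "__main__":
    print(over_grants(granted_scopes(decode_rpt_payload(constructed_rpt())), EXPECTED))
```

Run against a real token from the sample project, an empty result means the token matches the intended policy; any non-empty entry is a scope the user was granted without a matching permission.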
