[keycloak-user] Permission with multiple scopes - what does it mean exactly?

cen imbacen at gmail.com
Wed Dec 5 03:37:55 EST 2018


Hi,

it turns out I missed that another resource was selected in the 
permission (the Resource field, which narrows the scopes available), and it 
was not the endpoint being accessed.

The number of scopes had nothing to do with it and works as intended (it 
applies the same policy to any of the listed scopes).


Best regards, cen

On 4. 12. 18 at 18:04, Pedro Igor Silva wrote:
> Hi,
>
> The scope set on resource does not necessarily mean access to the 
> resource/scopes. Access is granted depending on the policies 
> associated with the permissions you have for both resources and scopes.
>
> If you could provide more details on how to reproduce #2, I would 
> appreciate it. However, if the permission in #2 is denying access, it will 
> also be denied for the resource scope.
>
> On Tue, Dec 4, 2018 at 2:42 PM cen <imbacen at gmail.com 
> <mailto:imbacen at gmail.com>> wrote:
>
>     Hi.
>
>     In UMA authorization, when adding a scope Permission you can
>     specify a
>     set of scopes. What a "set" means exactly is not very well
>     documented.
>     By trial and error I figured out that:
>
>     1. Resource with single scope and corresponding permission with same
>     (single) scope works as expected.
>
>     2. Resource with single scope and permission with multiple scopes, of
>     which one is the resource scope, does not work (auth not
>     granted).
>
>
>     Scope set on resource to me means: this is all the things the
>     resource
>     owner is allowed to do with it.
>
>     Scope set on permission to me means: apply these policies if either of
>     these scopes is needed. That does not seem to be the case though,
>     according
>     to point #2.
>
>
>     Can someone shed some light on how the scope set on a resource resolves
>     against
>     the permission scope set?
>
>
>     Best regards, cen
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
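The resolution cen describes above, as an added example that is not part of the thread or of Keycloak's own code: a simplified Python model of how a scope permission's scope list and its Resource field resolve against the scopes of the resource being accessed. The resource names, scope names and the role check standing in for a policy are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Simplified model of scope-based permission evaluation (added example; not
# Keycloak's code; resource permissions, policy logic inversion and UMA
# tickets are left out).

@dataclass
class Resource:
    name: str
    scopes: set[str]          # everything that can be done with this resource

@dataclass
class ScopePermission:
    name: str
    scopes: set[str]          # the same policy applies to any of these scopes
    policy: Callable[[dict], bool]
    resources: set[str] = field(default_factory=set)  # the "Resource" field; empty = any resource

    def covers(self, resource: Resource, scope: str) -> bool:
        # The Resource field narrows the permission to that resource's scopes.
        if self.resources and resource.name not in self.resources:
            return False
        return scope in self.scopes and scope in resource.scopes

def evaluate(resource: Resource, scope: str, permissions: list[ScopePermission],
             context: dict, decision_strategy: str = "UNANIMOUS") -> str:
    # ENFORCING mode: a resource/scope with no covering permission is denied.
    outcomes = [p.policy(context) for p in permissions if p.covers(resource, scope)]
    if not outcomes:
        return "DENY"
    granted = all(outcomes) if decision_strategy == "UNANIMOUS" else any(outcomes)
    return "PERMIT" if granted else "DENY"

def run_scenario() -> dict[str, str]:
    """Replays the thread: the endpoint 'Resource A' has the single scope
    'view'; the permission lists scopes {'view', 'edit'} (constructed names)."""
    endpoint = Resource("Resource A", {"view"})
    has_role = lambda ctx: "user" in ctx["roles"]     # stand-in for a role policy
    ctx = {"roles": {"user"}}
    wrong = ScopePermission("view/edit", {"view", "edit"}, has_role, {"Resource B"})
    fixed = ScopePermission("view/edit", {"view", "edit"}, has_role, {"Resource A"})
    any_res = ScopePermission("view/edit", {"view", "edit"}, has_role)
    return {
        "resource_field_points_elsewhere": evaluate(endpoint, "view", [wrong], ctx),
        "resource_field_fixed": evaluate(endpoint, "view", [fixed], ctx),
        "no_resource_field": evaluate(endpoint, "view", [any_res], ctx),
        "scope_not_on_resource": evaluate(endpoint, "edit", [fixed], ctx),
        "policy_denies": evaluate(endpoint, "view", [fixed], {"roles": set()}),
    }
```

The first key reproduces cen's point #2: the permission's Resource field names a different resource, so nothing covers the request and the default decision is to deny, regardless of how many scopes the permission lists.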

