[keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

Pedro Igor Silva psilva at redhat.com
Wed Nov 14 07:05:12 EST 2018


+1. However, that issue that was fixed only impacts scope-based permissions.

On Wed, Nov 14, 2018 at 5:34 AM Geoffrey Cleaves <geoff at opticks.io> wrote:

> Sounds like a bug. I know there is a bug in the policy evaluation code that
> can result in some permissions being missed and I understand that it will
> be fixed in 4.6.
>
> That being said, when I request all the permissions for the token's owner,
> I do get the expected result except for some missing scopes due to said
> bug. Are you sure your policies are built correctly? Did you build a policy
> granting permissions to resource owners?
>
> On Wed, Nov 14, 2018, 00:52 Lamina, Marco <marco.lamina at sap.com> wrote:
>
> > Hi,
> > I am trying to use Keycloak’s token endpoint to obtain a list of all
> > resources and the respective scopes that a user has permission to access.
> > However, the behavior I am observing does not match what is described in
> > the documentation (Link [1]). I am using the token endpoint as shown in
> > Link [2].
> >
> > Expected behavior:
> > Token endpoint returns a list of all resources and scopes that the token’s
> > user has permission to access.
> >
> > Observed behavior:
> > Token endpoint only returns resources that are owned by either the token’s
> > user or the resource server itself. Resources owned by other users are not
> > listed, even though the token’s user has permission to access them.
> >
> > Is that a bug or expected behavior?
> >
> > Links:
> >
> > [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> > [2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
> >
> > Thanks,
> > Marco
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

