[keycloak-user] Problem understanding authorization grants

Pedro Igor Silva psilva at redhat.com
Fri Sep 28 13:24:33 EDT 2018


You are right, there is a bug there.

The problem is that evaluation is also evaluating UMA permissions for
resource owners and if there is no "resource-based permission" for the
resource it will result in a deny. So far, we have been considering UMA
where at least one permission is granting access to the resource. When
using only scope permissions, the issue shows up. If you could at least
define a permission that is evaluated for all your resources (define a type
for your resources + a permission for this type), you should work around
this.

I've submitted a fix to https://issues.jboss.org/browse/KEYCLOAK-8445.

Regards.
Pedro Igor

On Fri, Sep 28, 2018 at 1:22 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> What permissions did you actually get in the token? Wondering if this is
> an issue with the evaluation tool report.
>
> Regards.
> Pedro Igor
>
> On Fri, Sep 28, 2018 at 1:03 PM Ulrik Sjölin <ulrik.sjolin at gmail.com>
> wrote:
>
>> Hello,
>>
>> My name is Ulrik Sjölin and where I work we are currently looking into
>> Keycloak (4.4). I have a question regarding permissions and policy
>> evaluation.
>>
>> My very simple setup is like this:
>>
>> User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read,
>> Write, Delete)
>> User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
>> User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource
>> via the Keycloak web UI.
>>
>> There are 5 scope-based permissions, one for each scope, that allow the
>> owner & admin each scope (Only Owner and Administrators Policy). My idea
>> here is that the owner of a resource should not have to add the
>> permissions on himself to be able to access the resource.
>>
>> I now run evaluate and I get a surprising result:
>>
>> Input:
>> User JDoe
>> Resource: JDoe
>> Scope: Any
>>
>> Output:
>> Result
>> PERMIT
>> Scopes
>> Delete
>> Admin
>> Policies
>> Resource owner (jdoe at keycloak.org) grants access to alice at keycloak.org
>> decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
>> Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
>> Granted Scopes: Read.
>> Only Owner and Administrators Policy voted to PERMIT .
>> Write Entity Resource Permission decision was PERMIT by UNANIMOUS
>> decision.
>> Granted Scopes: Write.
>> Only Owner and Administrators Policy voted to PERMIT .
>> Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS
>> decision. Granted Scopes: Delete.
>> Only Owner and Administrators Policy voted to PERMIT .
>> Admin Entity Resource Permission decision was PERMIT by UNANIMOUS
>> decision.
>> Granted Scopes: Admin.
>> Only Owner and Administrators Policy voted to PERMIT .
>> Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE
>> decision. Granted Scopes: Peek.
>> Peek resource role policy voted to PERMIT .
>> Only Owner and Administrators Policy voted to PERMIT .
>>
>>
>> I would expect JDoe to have full access to his resource since he is the
>> owner and all the policies are reporting PERMIT. It is the top DENY that I
>> can’t wrap my head around.
>> The grants JDoe has given to Alice are removed from his own grants list;
>> is this expected behavior? Why do grants to user Alice affect the grants of
>> user JDoe?
>>
>> Best Regards,
>>
>> Ulrik
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
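The surprising result in the evaluation report above (every scope permission votes PERMIT, yet the owner ends up with only Delete and Admin) follows from how per-permission decisions are combined. The following is an added, simplified model of that combination, not Keycloak's code: each permission's policies vote, the permission's decision strategy (UNANIMOUS or AFFIRMATIVE) turns the votes into PERMIT or DENY, and a scope denied by any permission is dropped from the final granted set. Permission names, scopes, strategies and votes are taken from the report in the thread; the single "uma-grant" vote standing in for the owner's UMA grant permission is a constructed placeholder.

```python
"""Simplified model of how Keycloak combines permission decisions (added example,
not Keycloak's code). Each permission's policies vote, the permission's decision
strategy (UNANIMOUS or AFFIRMATIVE) turns votes into PERMIT/DENY, and a scope
denied by any permission is removed from the final granted set."""
from dataclasses import dataclass


@dataclass
class Permission:
    name: str
    scopes: set[str]             # scopes this permission covers
    votes: dict[str, str]        # policy name -> "PERMIT" | "DENY"
    strategy: str = "UNANIMOUS"  # or "AFFIRMATIVE"

    def decision(self) -> str:
        votes = list(self.votes.values())
        if self.strategy == "UNANIMOUS":
            return "PERMIT" if votes and all(v == "PERMIT" for v in votes) else "DENY"
        if self.strategy == "AFFIRMATIVE":
            return "PERMIT" if any(v == "PERMIT" for v in votes) else "DENY"
        raise ValueError(f"unknown decision strategy: {self.strategy}")


def evaluate(permissions):
    """Aggregate permissions for one resource: a DENY on a scope wins over
    PERMITs for the same scope coming from other permissions."""
    granted, denied = set(), set()
    for p in permissions:
        (granted if p.decision() == "PERMIT" else denied).update(p.scopes)
    effective = granted - denied
    return ("PERMIT" if effective else "DENY"), effective, denied


# Constructed from the report in the thread. The owner's UMA "grants to alice"
# permission has no PERMIT vote for the owner himself (the bug Pedro describes),
# so it denies Read/Write/Peek; "uma-grant" is a placeholder policy name.
OWNER_ADMIN = "Only Owner and Administrators Policy"
REPORT = [
    Permission("Read Entity Resource Permission", {"Read"}, {OWNER_ADMIN: "PERMIT"}),
    Permission("Write Entity Resource Permission", {"Write"}, {OWNER_ADMIN: "PERMIT"}),
    Permission("Delete Entity Resource Permission", {"Delete"}, {OWNER_ADMIN: "PERMIT"}),
    Permission("Admin Entity Resource Permission", {"Admin"}, {OWNER_ADMIN: "PERMIT"}),
    Permission("Peek Entity Resource Permission", {"Peek"},
               {"Peek resource role policy": "PERMIT", OWNER_ADMIN: "PERMIT"}, "AFFIRMATIVE"),
    Permission("Resource owner grants access to alice", {"Read", "Write", "Peek"},
               {"uma-grant": "DENY"}),
]

if __name__ == "__main__":
    print(evaluate(REPORT))  # ('PERMIT', {'Admin', 'Delete'}, {'Peek', 'Read', 'Write'})
```

The model reproduces the report's outcome (PERMIT with scopes Delete and Admin only); the workaround Pedro suggests, a type-based permission covering all resources, is what keeps the owner's own UMA evaluation from contributing that DENY.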

