[keycloak-user] Evaluating scope-based permissions

Pedro Igor Silva psilva at redhat.com
Tue Dec 10 14:47:46 EST 2019


If you are enforcing access to your app based on scopes you won't be able
to perform the action because it is missing.

But I agree, I also think we should just return a DENY for that case. I
can't remember now the use case we had in mind for it, but I'm glad to
review this and change.

It should be a matter of ignoring resources associated with policies when
they are scope-based. Would you mind creating a JIRA (so we can track the
reporter)?

Regards.
Pedro Igor

On Tue, Dec 10, 2019 at 2:17 PM David Sautter <David.Sautter at rohde-schwarz.com> wrote:

> Hi,
> in Authorization Services there is something that feels like an unintuitive
> thing – or bug – to me:
> In Authorization Services, I have a Resource R1, there are three
> associated scopes S1,S2,S3.
> I create a scope based permission + user-based policy to allow a user u1
> access to R1 only for S1.
> Now I evaluate:
>
> - Can u1 do S1 on R1? -> permit
> - Can u1 do S2 on R1? -> permit   (WAT?)
> I see that the second case returns permit with no scopes, but I would
> expect deny.
> Is this intended behavior and I would need to filter this again after
> evaluation?
>
> Mit freundlichen Grüßen/ Best Regards,
> David Sautter
>
> Rohde & Schwarz GmbH & Co. KG
> Postbox 80 14 69, D-81614 Muenchen
> Dept. 1DS5
> Fon: +49 89 4129 15256
> Email: David.Sautter at rohde-schwarz.com
>
> The content of this e-mail is intended exclusively for the intended
> recipient(s). It may contain information that is confidential and/or
> legally protected. Any viewing, forwarding, distribution or use by persons
> or entities other than the intended recipient is prohibited.
> If you have received this e-mail in error, please inform the sender and
> delete the data from your computer.
>
> If you are not the intended recipient of this message, you are hereby
> notified that any dissemination, use or distribution of this message is
> unauthorized and prohibited. Please immediately notify the sender that you
> have received this message and destroy the original.
> Although this message has been checked for viruses, it is not guaranteed
> to be virus-free. You are strongly advised to perform another virus check
> of any attachment before opening it.
>
> Geschäftsführung / Executive Board: Christian Leicher (Vorsitzender /
> Chairman), Peter Riedel, Sitz der Gesellschaft / Company's Place of
> Business: München, Registereintrag / Commercial Register No.: HRA 16 270,
> Persönlich haftender Gesellschafter / Personally Liable Partner: RUSEG
> Verwaltungs-GmbH, Sitz der Gesellschaft / Company's Place of Business:
> München, Registereintrag / Commercial Register No.: HRB 7 534,
> Umsatzsteuer-Identifikationsnummer (USt-IdNr.) / VAT Identification No.: DE
> 130 256 683, Elektro-Altgeräte Register (EAR) / WEEE Register No.: DE 240
> 437 86
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
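The enforcement Pedro describes (permit on the resource, but the requested scope is absent, so the application still refuses the action) and the post-evaluation filter David asks about can both be written as a small check over the permission list an evaluation returns. The following is an added example, not code from Keycloak or from either poster; the `rsid`/`rsname`/`scopes` keys mirror the shape of Keycloak's permission representation, while the identifier values and the two sample results for u1 are constructed for this illustration.

```python
"""Scope-aware enforcement over a Keycloak-style permission list (added example)."""

# Constructed sample data: what an evaluation for user u1 might return for the
# two questions in the thread. Resource/scope names follow the thread (R1, S1,
# S2); the rsid value is made up for this example.
PERMISSIONS_S1 = [{"rsid": "res-r1", "rsname": "R1", "scopes": ["S1"]}]
# The surprising second case: PERMIT on R1, but with an empty scope list.
PERMISSIONS_S2 = [{"rsid": "res-r1", "rsname": "R1", "scopes": []}]


def drop_scopeless(permissions):
    """Post-evaluation filter: keep only entries that actually grant a scope.

    A permission whose scope list is empty authorizes no scope-based action,
    so a scope-enforcing application treats it as if it were not there.
    """
    return [p for p in permissions if p.get("scopes")]


def is_granted(permissions, resource, scope):
    """True only if some permission names `resource` AND lists `scope`.

    `resource` may be given as the resource name (rsname) or id (rsid).
    """
    for perm in permissions:
        if resource not in (perm.get("rsname"), perm.get("rsid")):
            continue
        if scope in perm.get("scopes", []):
            return True
    return False


def decision(permissions, resource, scope):
    """Reduce the evaluation result to the answer the application needs."""
    return "PERMIT" if is_granted(permissions, resource, scope) else "DENY"


if __name__ == "__main__":
    # Mirrors the two questions from the thread.
    print("u1 S1 on R1:", decision(PERMISSIONS_S1, "R1", "S1"))  # PERMIT
    print("u1 S2 on R1:", decision(PERMISSIONS_S2, "R1", "S2"))  # DENY
    print("after filter:", drop_scopeless(PERMISSIONS_S2))        # []
```

The check deliberately keys on the granted scope, not on the mere presence of a permission entry for the resource, which is why the "permit with no scopes" result is turned into a deny on the application side.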

