[keycloak-user] Evaluating scope-based permissions

David Sautter David.Sautter at rohde-schwarz.com
Wed Dec 11 02:41:03 EST 2019


Sure, will do.
Thank you!


Mit freundlichen Grüßen/ Best Regards,
David Sautter

Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter at rohde-schwarz.com

The content of this e-mail is intended exclusively for the addressee(s). It may contain information that is confidential and/or legally protected. Any review, forwarding, distribution or use by persons or entities other than the intended addressee is prohibited.
If you have received this e-mail in error, please inform the sender and delete the material from your computer.

If you are not the intended recipient of this message, you are hereby notified that any dissemination, use or distribution of this message is unauthorized and prohibited. Please immediately notify the sender that you have received this message and destroy the original.
Although this message has been checked for viruses, it is not guaranteed to be virus-free. You are strongly advised to perform another virus check of any attachment before opening it.

Geschäftsführung / Executive Board: Christian Leicher (Vorsitzender / Chairman), Peter Riedel, Sitz der Gesellschaft / Company's Place of Business: München, Registereintrag / Commercial Register No.: HRA 16 270, Persönlich haftender Gesellschafter / Personally Liable Partner: RUSEG Verwaltungs-GmbH, Sitz der Gesellschaft / Company's Place of Business: München, Registereintrag / Commercial Register No.: HRB 7 534, Umsatzsteuer-Identifikationsnummer (USt-IdNr.) / VAT Identification No.: DE 130 256 683, Elektro-Altgeräte Register (EAR) / WEEE Register No.: DE 240 437 86



From: Pedro Igor Silva <psilva at redhat.com>
Sent: Tuesday, December 10, 2019 8:48 PM
To: Sautter David 1DS5 <David.Sautter at rohde-schwarz.com>
Cc: keycloak-user at lists.jboss.org
Subject: *EXT* Re: [keycloak-user] Evaluating scope-based permissions

If you are enforcing access to your app based on scopes you won't be able to perform the action because it is missing.

But I agree, I also think we should just return a DENY for that case. I can't remember now the use case we had in mind for it, but I'm glad to review this and change.

It should be a matter of ignoring resources associated with policies when they are scope-based. Would you mind creating a JIRA (so we can track the reporter)?

Regards.
Pedro Igor

On Tue, Dec 10, 2019 at 2:17 PM David Sautter <David.Sautter at rohde-schwarz.com> wrote:
Hi,
in Authorization Services there is something that feels like an unintuitive thing – or bug – to me:
In Authorization Services, I have a Resource R1; there are three associated scopes S1, S2, S3.
I create a scope-based permission + user-based policy to allow a user u1 access to R1 only for S1.
Now I evaluate:

- Can u1 do S1 on R1? -> permit

- Can u1 do S2 on R1? -> permit   (WAT?)

I see that the second case returns permit with no scopes, but I would expect deny.
Is this intended behavior, and would I need to filter this again after evaluation?

Mit freundlichen Grüßen/ Best Regards,
David Sautter
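The evaluation David describes and the enforcement rule Pedro points at (the app must check that the scope it needs is actually present in the decision, not just that the resource was permitted) as an added example. This is not Keycloak's own code; it assumes the documented UMA token-endpoint parameters (grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, permission=<resource>#<scope>, response_mode=permissions), and the two response bodies are constructed to mirror the thread's "permit with S1" and "permit with no scopes" cases rather than captured from a server.

```python
"""Client-side scope check for Keycloak Authorization Services decisions.

Added example, not Keycloak's own code. The request builder uses the documented
UMA ticket grant parameters; the response bodies below are constructed samples
shaped like a response_mode=permissions answer, not captured output.
"""
import json

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def uma_permission_request(audience: str, resource: str, scope: str) -> dict:
    """Form parameters asking the token endpoint whether the caller's bearer
    token may perform `scope` on `resource`. The app POSTs these as
    application/x-www-form-urlencoded with the user's access token as Bearer."""
    return {
        "grant_type": UMA_GRANT,
        "audience": audience,            # client id of the resource server
        "permission": f"{resource}#{scope}",
        "response_mode": "permissions",  # JSON list of granted permissions, no RPT
    }


def scope_granted(permissions: list, resource: str, scope: str) -> bool:
    """A permission entry grants `scope` only if it lists that scope explicitly.

    An entry for the resource whose scope list is empty or missing (the
    "permit with no scopes" outcome from the thread) is treated as a deny,
    which is what scope-based enforcement in the app must do regardless of
    how the server labels the decision."""
    for entry in permissions:
        if entry.get("rsname") != resource:
            continue
        if scope in entry.get("scopes", []):
            return True
    return False


def evaluate(response_body: str, resource: str, scope: str) -> str:
    """Decode a response_mode=permissions body and return 'permit' or 'deny'."""
    permissions = json.loads(response_body)
    return "permit" if scope_granted(permissions, resource, scope) else "deny"


# Constructed sample responses: u1 asking for S1 (scope listed) and for S2
# (resource returned, but with no scopes, as reported in the thread).
RESPONSE_S1 = json.dumps([{"rsid": "constructed-id", "rsname": "R1", "scopes": ["S1"]}])
RESPONSE_S2 = json.dumps([{"rsid": "constructed-id", "rsname": "R1", "scopes": []}])


if __name__ == "__main__":
    print(uma_permission_request("my-client", "R1", "S2"))
    print("u1 S1 on R1:", evaluate(RESPONSE_S1, "R1", "S1"))  # permit
    print("u1 S2 on R1:", evaluate(RESPONSE_S2, "R1", "S2"))  # deny
```

Checking for the exact scope instead of "any entry for R1" is what keeps the second evaluation a deny on the application side, even when the server answers with a permission entry that carries no scopes.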


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user