[keycloak-user] shared UMA 2.0 resource & scope based policies
Marek Lindner
mareklindner at neomailbox.ch
Tue Jan 15 10:47:56 EST 2019
Hi,
I am working on a keycloak setup trying to replicate the photoz example. The
'test' realm is configured as follows:
* UMA enabled
* has a client 'photoz' with Authorization enabled
* 2 authorization scopes: album:view & album:modify
* each scope has a scope-based 'only owner' permission associated (JavaScript)
* 2 users: alice and bob
Alice creates a new album resource with the following request:
POST /auth/realms/test/authz/protection/resource_set
{"name": "Amazing sunsets", "owner": "alice", "ownerManagedAccess": "true",
"uri": "/albums/100", "type": "album", "resource_scopes": ["album:view",
"album:modify"]}
Simulating Bob accessing album "Amazing sunsets" using the authorization
evaluation tab, returns permission denied for both scopes (view & modify) as
expected.
Now, Alice shares "Amazing sunsets" via the account management interface but
limits the scope to 'view' by sharing 'album:view' only.
Back to evaluating Bob's access:
* Scope album:view on "Amazing sunsets" is granted (yay!).
* Scope album:modify on "Amazing sunsets" is also granted??
Why would Bob get full access if Alice only shared album:view? The evaluation
output even states that the granted album:view access was the reason why
access to album:modify is granted too (see attached screenshot for details).
Does anybody have a suggestion as to what I am missing here?
Thanks,
Marek
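An added check, not part of the original message, for the symptom described above: decode the RPT Keycloak issues to Bob and compare the scopes in its authorization.permissions claim against what Alice actually shared. The RPT below is constructed to reproduce the reported result (its signature is a placeholder, so the decoder performs no signature verification), and the resource id is a placeholder.

```python
import base64
import json

# Scopes Alice actually shared with Bob, per the post: album:view only.
SHARED_WITH_BOB = {"Amazing sunsets": {"album:view"}}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(rpt: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT checked;
    validate the RPT (signature, iss, aud, exp) before trusting it in real use."""
    _header, payload, _signature = rpt.split(".")
    return json.loads(b64url_decode(payload))

def rpt_permissions(claims: dict) -> dict:
    """Map resource name -> set of scopes granted in the RPT's authorization claim."""
    perms = claims.get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}

def leaked_scopes(claims: dict, shared: dict) -> dict:
    """Per resource, the scopes present in the RPT that the owner never shared."""
    leaks = {}
    for rsname, granted in rpt_permissions(claims).items():
        extra = granted - shared.get(rsname, set())
        if extra:
            leaks[rsname] = sorted(extra)
    return leaks

# Constructed sample RPT reproducing the symptom: Bob's token carries both
# scopes although only album:view was shared. rsid and signature are placeholders.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/test",
    "aud": "photoz",
    "sub": "bob",
    "authorization": {"permissions": [
        {"rsid": "00000000-0000-0000-0000-000000000000",
         "rsname": "Amazing sunsets",
         "scopes": ["album:view", "album:modify"]}]},
}
SAMPLE_RPT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(leaked_scopes(decode_claims(SAMPLE_RPT), SHARED_WITH_BOB))
    # -> {'Amazing sunsets': ['album:modify']}
```

Run against a real RPT obtained by Bob after Alice's share, an empty result means the issued grants match what was shared.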
-------------- next part --------------
A non-text attachment was scrubbed...
Name: permission_evaluation_bob.png
Type: image/png
Size: 38115 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190115/0d6d206c/attachment-0001.png