[keycloak-user] shared UMA 2.0 resource & scope based policies

Marek Lindner mareklindner at neomailbox.ch
Tue Jan 15 10:47:56 EST 2019


Hi,

I am working on a keycloak setup trying to replicate the photoz example. The 
'test' realm is configured as follows:

* UMA enabled
* has a client 'photoz' with Authorization enabled
* 2 authorization scopes: album:view & album:modify
* each scope has a scope-based 'only owner' permission associated (JavaScript)
* 2 users: alice and bob

Alice creates a new album resource with the following request:

POST /auth/realms/test/authz/protection/resource_set
{"name": "Amazing sunsets", "owner": "alice", "ownerManagedAccess": "true", 
"uri": "/albums/100", "type": "album", "resource_scopes": ["album:view", 
"album:modify"]}

Simulating Bob accessing album "Amazing sunsets" using the authorization 
evaluation tab returns permission denied for both scopes (view & modify), as 
expected.

Now, Alice shares "Amazing sunsets" via the account management interface but 
limits the scope to 'view' by sharing 'album:view' only.

Back to evaluating Bob's access:
* Scope album:view on "Amazing sunsets" is granted (yay!).
* Scope album:modify on "Amazing sunsets" is also granted??

Why would Bob get full access if Alice only shared album:view? The evaluation 
output even states that the granted album:view access was the reason why 
access to album:modify is granted too (see attached screenshot for details).

Does anybody have a suggestion what I am missing here?

Thanks,
Marek
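The decision the post expects, written out as an added example (this is not code from the original post and not Keycloak's decision engine): a small model in which each scope of a resource is decided on its own, first by a scope-based "only owner" policy written in the style of Keycloak's JavaScript policies (run here against a stand-in for the injected $evaluation object), and then by the user-managed permission the owner created by sharing individual scopes. The resource id, the $evaluation stand-in, the sharing table and the helper names are all constructed for illustration. The last function is the check a practitioner would want: compare what the server actually granted against the per-scope expectation and list any scope that was granted without being shared.

```javascript
// Added example, not from the original post or from Keycloak. It models the
// expected per-scope UMA 2.0 decision: resource-server policy first, then the
// owner's sharing, with no carry-over from one scope to another.

// Constructed resource, mirroring the resource_set request in the post.
// "res-100" is a placeholder id, not a real Keycloak resource id.
const album = {
  id: "res-100",
  name: "Amazing sunsets",
  owner: "alice",
  scopes: ["album:view", "album:modify"],
};

// Constructed user-managed permissions: Alice shared only album:view with bob.
const sharedScopes = {
  "res-100": { bob: ["album:view"] },
};

// "Only owner" policy in the style of a Keycloak JavaScript policy. In
// Keycloak the body of this function would be the script and $evaluation is
// injected by the server; here it is passed in explicitly.
function onlyOwnerPolicy($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const resource = $evaluation.getPermission().getResource();
  if (resource && resource.getOwner() === identity.getId()) {
    $evaluation.grant();
  }
}

// Stand-in for $evaluation: just enough surface for the policy above.
function makeEvaluation(userId, resource, scope) {
  let granted = false;
  return {
    getContext: () => ({ getIdentity: () => ({ getId: () => userId }) }),
    getPermission: () => ({
      getResource: () => ({
        getId: () => resource.id,
        getOwner: () => resource.owner,
      }),
      getScope: () => scope,
    }),
    grant: () => { granted = true; },
    deny: () => { granted = false; },
    isGranted: () => granted,
  };
}

// Decide ONE scope for ONE user. A grant obtained for one scope is never
// reused for another scope of the same resource.
function decideScope(userId, resource, scope) {
  const evaluation = makeEvaluation(userId, resource, scope);
  onlyOwnerPolicy(evaluation);
  if (evaluation.isGranted()) return true;          // owner path
  const shares = (sharedScopes[resource.id] || {})[userId] || [];
  return shares.includes(scope);                     // user-managed sharing
}

// Decide every scope of a resource for a user: { scope: boolean }.
function decide(userId, resource) {
  const result = {};
  for (const scope of resource.scopes) {
    result[scope] = decideScope(userId, resource, scope);
  }
  return result;
}

// Over-grant check: scopes the server reported as granted that the model
// says should have been denied. For the situation in the post this returns
// ["album:modify"].
function unexpectedGrants(userId, resource, observed) {
  const expected = decide(userId, resource);
  return Object.keys(observed).filter((s) => observed[s] && !expected[s]);
}

console.log("alice:", decide("alice", album));
console.log("bob:  ", decide("bob", album));
console.log("over-granted to bob:",
  unexpectedGrants("bob", album, { "album:view": true, "album:modify": true }));
```

The `observed` argument is whatever the evaluation tab or a requested RPT reports per scope; feeding it into `unexpectedGrants` turns the manual comparison in the post into a repeatable check that can be run for every user and resource in a test realm.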
-------------- next part --------------
A non-text attachment was scrubbed...
Name: permission_evaluation_bob.png
Type: image/png
Size: 38115 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190115/0d6d206c/attachment-0001.png 