Replies: 3 comments
-
I just ran into this as well. I have a single resource, "workspace1" with two scopes, "workspace:read" and "workspace:write". When I send the following request, I get a

```shell
curl --location 'http://localhost:8080/realms/realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer <TOKEN>' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=be-client' \
--data-urlencode 'response_mode=decision' \
--data-urlencode 'permission=workspace1#workspace:write' \
--data-urlencode 'permission=workspace1#workspace:read'
```

```json
{
  "result": true
}
```

I would expect this to return

When I only enter the "workspace:write" scope, it seems to work correctly:

```shell
curl --location 'http://localhost:8080/realms/realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer <TOKEN>' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=be-client' \
--data-urlencode 'response_mode=decision' \
--data-urlencode 'permission=workspace1#workspace:write'
```

```json
{
  "error": "access_denied",
  "error_description": "not_authorized"
}
```
-
Same here, did you find a resolution?
-
I also have this problem. When requesting two permissions I expect to get "access_denied" when I don't have all of the permissions.
-
This is in relation to https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions.
I think this might be a bug, but I'm not sure.
I have defined two "Resources", one called "Namespaces" and one called "Pipelines". The URI patterns are `/Namespaces/*` and `/Pipelines/*` respectively. There is a scope called `Read`, and it is associated with both resources. I have written policies and permissions such that a client has permissions on "Namespaces" but not on "Pipelines".
I am using gocloak to explore evaluation of these, using "uri" format for the requests, with pattern matching.
First, for the "Namespaces" resource on its own. Evaluating with `response-type=decision` I get:

Then, `response-type=permissions`:

So this is working as expected.

Then for the "Pipelines" resource:
Again, this is working as expected. I've not set up any permissions granting access to the "Pipelines" resource.
Now, try both together. First requesting "permissions":

(The output here is slightly ambiguous. The field "permission" has a value that is an array of two values. When encoded for the body of the request it is `permission=%2FNamespaces%2FNamespace1%23Read&permission=%2FPipelines%2FPipeline1%23Read`, so I'm fairly sure that the actual body of the request has the correct content.)

So this is my first confusion. I can understand the output here in a way. It's returning me all of the resources I have permissions to, and what permissions I have. However, I have no way of relating that back to the original request, since the request was made in URI format. There's no way I can tell that `/Namespaces/Namespace1#Read` was granted and that `/Pipelines/Pipeline1#Read` was not. As a human you can tell, but only because you know what resources have been set up. But the code doesn't have that knowledge, since it's matching via URIs.

I suspect that the intention here is that I'm asking whether I have permission for both URIs, and it is supposed to return me an OK response only if permission to both is granted. If that's the case, then this appears to be returning the wrong answer.
I wondered whether there was some issue with the way that the request was being constructed or parsed, such that the keycloak code only saw one of those permissions. However, it doesn't appear to make a difference which way round the permissions are requested.
Then requesting just the decision:
Surely this output is just plain wrong? I've asked for permission to access two things, one of which I have access to and one of which I don't, and the response is "Yes, sure, go ahead!".

Now maybe I'm not understanding the purpose of the API. My assumption is that the semantics of passing multiple permissions is supposed to be "AND", rather than perhaps treating them as independent, for example. However, if this is the case, this appears not to work, or the request is supposed to be presented in a different form than `&permission=permission&permission=permission2`.
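Both the first comment (two scopes on "workspace1") and the original post above (two URI-style permissions) observe that `response_mode=decision` answers `true` when only some of the requested permissions are held. Until that is resolved, a resource server can refuse to rely on the decision for multi-permission requests and instead ask for `response_mode=permissions` and verify every requested `resource#scope` pair itself. The following is an added example, not code from Keycloak, gocloak or the discussion authors. It builds the same form body the curl commands above send (repeated `permission=` parameters, URL-encoded exactly as in the post's `%2FNamespaces%2FNamespace1%23Read` body) and checks the granted list with AND semantics. It assumes the `permissions` response is a JSON array of objects carrying `rsname` and `scopes`, as documented for Keycloak Authorization Services; the sample responses are constructed, not captured from a server.

```python
"""Client-side AND check over a Keycloak UMA 'permissions' response.

Added example; assumes the documented response shape for
response_mode=permissions: a JSON array of {"rsid": ..., "rsname": ...,
"scopes": [...]}. Sample responses below are constructed.
"""
import json
from typing import Optional
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_body(audience: str, permissions: list, response_mode: str) -> str:
    """Form-encode the token request body.

    One ("permission", value) pair per requested permission, so the body
    carries permission=...&permission=... exactly as the curl commands do.
    urlencode percent-encodes ':', '#' and '/' (e.g. '#' -> '%23').
    """
    fields = [
        ("grant_type", UMA_GRANT),
        ("audience", audience),
        ("response_mode", response_mode),
    ] + [("permission", p) for p in permissions]
    return urlencode(fields)


def parse_requested(permission: str):
    """Split 'resource#scope' into (resource, scope); scope may be absent."""
    resource, sep, scope = permission.partition("#")
    return resource, (scope if sep else None)


def all_granted(requested: list, permissions_json: str) -> bool:
    """Return True only if every requested resource#scope was granted.

    An error object (e.g. {"error": "access_denied"}) instead of an array,
    a missing resource, or a resource present without the requested scope
    all yield False. Requests must use resource *names*, because the
    granted entries report rsname, not the URI that was requested.
    """
    payload = json.loads(permissions_json)
    if not isinstance(payload, list):  # access_denied and similar errors
        return False

    granted = {}  # rsname -> set of granted scopes
    for entry in payload:
        granted.setdefault(entry["rsname"], set()).update(entry.get("scopes", []))

    for perm in requested:
        resource, scope = parse_requested(perm)
        if resource not in granted:
            return False
        if scope is not None and scope not in granted[resource]:
            return False
    return True


# Constructed sample responses (not captured from a real Keycloak server).
READ_ONLY_RESPONSE = json.dumps(
    [{"rsid": "rsid-placeholder", "rsname": "workspace1", "scopes": ["workspace:read"]}]
)
DENIED_RESPONSE = json.dumps(
    {"error": "access_denied", "error_description": "not_authorized"}
)

if __name__ == "__main__":
    both = ["workspace1#workspace:write", "workspace1#workspace:read"]
    print(build_body("be-client", both, "permissions"))
    print(all_granted(both, READ_ONLY_RESPONSE))                     # False
    print(all_granted(["workspace1#workspace:read"], READ_ONLY_RESPONSE))  # True
    print(all_granted(["workspace1#workspace:write"], DENIED_RESPONSE))    # False
```

With name-based requests the check is exact; with URI-based requests, as the original post notes, the granted list only reports resource names, so the caller has to know which resource each URI pattern resolves to before it can make this comparison.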