  1. Keycloak
  2. KEYCLOAK-5726

Support defining the enforcement mode for scopes in the adapter configuration

    Details

      Description

      Currently, if a resource is configured with multiple scopes and only one scope is granted, the policy enforcer denies access to the resource.

      The behavior is correct when the adapter config is defined in a way that specific methods are defined with their corresponding scopes. However, when using the default configuration (policy-enforcer: {}) the behavior blocks access to the resource, even though at least one scope is granted.

      We should also support a configuration option in the policy enforcer config that allows users to specify the enforcement mode for scopes as ALL or ANY. Something like:

           "methods" : [
                {
                  "path" : "/album/*",
                  "method": "POST",
                  "scopes" : ["read", "write"],
                  "scopes-enforcement-mode": "ANY | ALL"
                }
           ]
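
The difference between the two proposed modes, as an added example that is not Keycloak's code or part of the original issue: a minimal sketch of the scope decision for a matched method entry. The helper names, the fail-closed handling of unmatched requests, and ALL as the default mode (mirroring the current behavior described above) are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed adapter-style entries using the option proposed in this issue.
METHODS = [
    {"path": "/album/*", "method": "POST",
     "scopes": ["read", "write"], "scopes-enforcement-mode": "ANY"},
    {"path": "/album/*", "method": "DELETE",
     "scopes": ["read", "write"]},  # no mode given: falls back to ALL
]


def find_rule(methods, path, http_method):
    """Return the first entry whose path pattern and HTTP method match."""
    for rule in methods:
        if rule["method"] == http_method and fnmatchcase(path, rule["path"]):
            return rule
    return None


def is_allowed(rule, granted_scopes):
    """Compare the scopes a rule lists with the scopes actually granted."""
    required = set(rule.get("scopes", []))
    granted = set(granted_scopes)
    # Assumed default: ALL, the behavior the issue describes as current.
    mode = rule.get("scopes-enforcement-mode", "ALL")
    if mode not in ("ALL", "ANY"):
        raise ValueError(f"unknown scopes-enforcement-mode: {mode!r}")
    if not required:
        # Assumption: a rule that lists no scopes has no scope check to fail.
        return True
    if mode == "ALL":
        return required <= granted      # every listed scope must be granted
    return bool(required & granted)     # ANY: one listed scope is enough


def check(methods, path, http_method, granted_scopes):
    """Scope decision for one request; unmatched requests are denied."""
    rule = find_rule(methods, path, http_method)
    if rule is None:
        return False  # assumption: fail closed when no entry matches
    return is_allowed(rule, granted_scopes)
```

With the constructed entries above, a caller granted only `read` passes the POST rule under ANY but is denied on DELETE under ALL, so ANY fits entries where each listed scope is sufficient on its own.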
      

              People

              • Assignee:
                pcraveiro Pedro Igor
                Reporter:
                pcraveiro Pedro Igor
                Tester:
                Michal Hajas