Keycloak / KEYCLOAK-8134

uma-ticket rpt token endpoint does not evaluate policies without permission value(s)


    Details

    • Type: Enhancement
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.1.0.Final, 4.2.1.Final, 4.3.0.Final
    • Fix Version/s: 4.4.0.Final
    • Component/s: Authorization Services
    • Labels:
    • Environment:

      kubernetes/helm deployed keycloak 4.1.0.Final in standalone-ha config

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Given a valid bearer token
      And a policy and resource scope permission exists
      When I request a grant-type:uma-ticket RPT token without explicit permissions
      Then the full set of authorized resources & scopes should return in the RPT token, including resources authorized by policy

      Actual: Only UMA-granted resources/scopes return; policies/scope permissions are not evaluated

      If I append a bogus &permission=blah#scope, then the policies & permissions are evaluated and the returned RPT token has the full permission set. It appears that any unresolvable resource/scope appended as an explicit permission causes the full set of resources to return for the specified scope.
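Added example (not part of this issue, the reporter's post, or Keycloak's own code) showing how a tester can compare the two RPTs the report describes: the one returned for a uma-ticket request with no `permission` parameter, and the one returned after appending the unresolvable `permission=blah#scope`. The form parameters are Keycloak's documented ones for this grant type; the `authorization.permissions` claim layout (`rsid`, `rsname`, `scopes`) is the one Keycloak RPTs carry; the sample tokens, the audience `my-api` and the resource names are constructed, and the tokens are unsigned, so `rpt_permissions` decodes the payload only and assumes the caller has already verified the signature against the realm key.

```python
import base64
import json
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def rpt_request_body(audience, permissions=None):
    """Form body for a POST to the realm token endpoint.

    `audience` is the resource server's client id. `permissions` is a list of
    'resource#scope' strings; when None the parameter is omitted entirely,
    which is the request the issue says skips policy evaluation.
    """
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    for perm in permissions or []:
        fields.append(("permission", perm))
    return urlencode(fields)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unsigned_rpt(permissions):
    """Build a constructed, unsigned JWT shaped like a Keycloak RPT (offline testing only)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"authorization": {"permissions": permissions}}
    return ".".join((_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""))


def rpt_permissions(rpt):
    """Map resource name -> set of scopes from the RPT's authorization.permissions claim.

    Only the payload is decoded; verifying the signature against the realm key
    is a separate step the caller must perform before trusting any claim.
    """
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        name = perm.get("rsname", perm.get("rsid"))
        granted.setdefault(name, set()).update(perm.get("scopes", []))
    return granted


def missing_grants(expected, rpt):
    """Resource/scope pairs that policy evaluation should have granted but the RPT lacks."""
    granted = rpt_permissions(rpt)
    return sorted((res, scope) for res, scopes in expected.items()
                  for scope in scopes if scope not in granted.get(res, set()))


# Constructed sample data: what the user is entitled to once scope permissions
# and policies are evaluated (a UMA grant on report:view, policies for the rest).
EXPECTED = {"report": {"view", "edit"}, "invoice": {"view"}}

# RPT as described for a request with no `permission` parameter: only the UMA-granted scope.
RPT_NO_PERMISSION = unsigned_rpt([
    {"rsid": "r-1", "rsname": "report", "scopes": ["view"]},
])

# RPT as described after appending the unresolvable `permission=blah#scope`: the full set.
RPT_BOGUS_PERMISSION = unsigned_rpt([
    {"rsid": "r-1", "rsname": "report", "scopes": ["view", "edit"]},
    {"rsid": "r-2", "rsname": "invoice", "scopes": ["view"]},
])

if __name__ == "__main__":
    print(rpt_request_body("my-api"))
    print(rpt_request_body("my-api", ["blah#scope"]))
    print("missing without permission:", missing_grants(EXPECTED, RPT_NO_PERMISSION))
    print("missing with bogus permission:", missing_grants(EXPECTED, RPT_BOGUS_PERMISSION))
```

In practice the two bodies would be POSTed to the realm's token endpoint with the user's bearer token, and `missing_grants` run over each response's `access_token`; a non-empty result for the request without `permission` is the symptom this issue reports, and an empty result after the fix version is the regression check.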


              People

              • Assignee: Pedro Igor (pcraveiro)
              • Reporter: Gary Schulte (garyschulteog)
              • Votes: 2
              • Watchers: 5
