Keycloak / KEYCLOAK-9093

False-Positive UMA Policy Evaluation


    Details

    • Steps to Reproduce:
      • Create new resource via the admin console
      • Assign two scopes "view" and "delete"
      • Create UMA policy via the protection API
      {
              "name": "urn:resources:test-resources:1",
              "description": "Grant view access",
              "scopes": ["view"],
              "users": ["my-user"]
      }
      
      • Try to obtain permissions for "delete" scope via token endpoint

      URL:

      {{keycloak_url}}/auth/realms/{{realm}}/protocol/openid-connect/token
      

      Parameters:

      grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
      audience=my-client
      response_mode=permissions
      permission=a63aba0b-0b62-4155-88ca-f24f229f1215#delete
      

      I would expect a negative evaluation, but the result from the token endpoint looks like this:

      [
          {
              "scopes": [
                  "view"
              ],
              "rsid": "a63aba0b-0b62-4155-88ca-f24f229f1215",
              "rsname": "urn:resources:test-resources:1"
          }
      ]
      

      Using the evaluation tool, I get the same confusing result:


    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Keycloak's "Policy Evaluation Mode" is set to "Enforcing".

      Example:
      I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in the documentation) to obtain permissions for the “delete” scope by setting:

      response_mode=permissions
      permission=dataset-42#delete
      

      I get the following result:

      [{
          "scopes": ["view"],
          "rsid": "dataset-42",
          "rsname": "urn:api:resources:dataset:42"
      }]
      

      When setting “response_mode=decision”, I get:

      { "result": true }
      

      There is no policy that gives my user access to the “delete” scope anywhere, so I would expect a negative result from the token endpoint.
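The report above shows why a relying party must not treat a non-empty permissions response as proof that the scope it asked for was granted. The following is an added example (Python, not part of this issue or of Keycloak's own code) that builds the UMA ticket request parameters exactly as listed in the issue and then checks a permissions response against the requested rsid#scope pairs, so that the "view"-only response for a "delete" request is correctly treated as a denial. The sample response is constructed to match the one quoted in the description; no HTTP call is made, and an entry without a scopes list is assumed to grant no scope.

```python
import json
from urllib.parse import urlencode

# Constructed sample: the permissions response the issue reports when
# "dataset-42#delete" is requested but only "view" is granted by policy.
SAMPLE_PERMISSIONS_RESPONSE = json.dumps([
    {
        "scopes": ["view"],
        "rsid": "dataset-42",
        "rsname": "urn:api:resources:dataset:42",
    }
])


def build_uma_ticket_params(audience, permissions, response_mode="permissions"):
    """Encode the form body for the UMA grant at the token endpoint.

    Mirrors the parameters listed in the issue: grant_type, audience,
    response_mode and one 'permission' entry per requested rsid#scope.
    """
    params = [
        ("grant_type", "urn:ietf:params:oauth:grant-type:uma-ticket"),
        ("audience", audience),
        ("response_mode", response_mode),
    ]
    for spec in permissions:
        params.append(("permission", spec))
    return urlencode(params)


def parse_permission(spec):
    """Split 'rsid#scope' into (rsid, scope); a bare 'rsid' means any scope."""
    rsid, sep, scope = spec.partition("#")
    return rsid, (scope if sep else None)


def granted_scopes(response_json):
    """Map resource id -> set of scopes actually present in the response."""
    granted = {}
    for entry in json.loads(response_json):
        rsid = entry.get("rsid")
        if rsid is None:
            continue
        # Assumption: an entry with no scopes list grants no scope here.
        granted.setdefault(rsid, set()).update(entry.get("scopes") or [])
    return granted


def requested_scope_granted(requested, response_json):
    """Return True only if every requested rsid#scope appears in the response.

    This is the check a client should apply instead of assuming that any
    permission entry for the resource authorizes the scope it asked for.
    """
    granted = granted_scopes(response_json)
    for spec in requested:
        rsid, scope = parse_permission(spec)
        if rsid not in granted:
            return False
        if scope is not None and scope not in granted[rsid]:
            return False
    return True


if __name__ == "__main__":
    body = build_uma_ticket_params("my-client", ["dataset-42#delete"])
    print("token endpoint form body:", body)
    ok = requested_scope_granted(["dataset-42#delete"], SAMPLE_PERMISSIONS_RESPONSE)
    print("delete granted according to response:", ok)
```

With the response quoted in the issue, `requested_scope_granted(["dataset-42#delete"], ...)` returns False while `["dataset-42#view"]` returns True, so the client-side decision no longer depends on the server returning an empty list for a denied scope.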

People

  • Assignee: pcraveiro Pedro Igor Silva
  • Reporter: mlamina Marco Lamina
  • Votes: 1
  • Watchers: 2
