
RPT permissions do not stack across clients

Details

• Type: Feature Request
• Status: Triage
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 4.7.0.Final
• Fix Version/s: None
• Component/s: Authorization Services
• Labels: None
• Docs QE Status: NEW
• QE Status: NEW

Description

RPT permissions only stack if the resource is for the same audience (KC client). If you call 2 different APIs protected with 2 different KC clients, permissions in the RPT do not stack.

When using the entitlements API, this problem goes further and results in a 403 from Keycloak when trying to get the second entitlement. This makes me think this limitation is deliberate, but I can't see any reason why that is.

In a microservice world, this means API calls to different microservices result in RPT token permissions being flushed all the time, increasing the number of calls and causing worse performance than necessary.

Relevant docs: https://www.keycloak.org/docs/4.8/authorization_services/#_service_obtaining_permissions
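As an added illustration (not part of this issue and not Keycloak's own code), the following Python snippet decodes constructed, unsigned RPT-shaped tokens and reports which permissions each carries for a given audience. It shows the symptom above from the resource server's side: a token obtained for one client carries nothing usable for another client, so a required permission shows up as missing rather than stacked. The `authorization.permissions` claim layout (`rsid`, `rsname`, `scopes`) mirrors what Keycloak places in an RPT; the client ids `api-a` and `api-b`, the resource and scope names, and the token constants `RPT_API_A` and `RPT_API_B` are assumptions made for the example.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_unsigned_jwt(payload: dict) -> str:
    """Build 'header.payload.' with an empty signature (offline demo only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed sample tokens (assumption): one RPT per resource server,
# each carrying only the permissions granted for its own audience.
RPT_API_A = make_unsigned_jwt({
    "aud": "api-a",
    "authorization": {"permissions": [
        {"rsid": "res-1", "rsname": "orders", "scopes": ["view"]},
    ]},
})
RPT_API_B = make_unsigned_jwt({
    "aud": "api-b",
    "authorization": {"permissions": [
        {"rsid": "res-2", "rsname": "invoices", "scopes": ["read"]},
    ]},
})


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature.

    Suitable for local inspection only; a resource server must verify the
    RPT (signature, issuer, expiry) before trusting any claim in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def permissions_for_audience(token: str, audience: str) -> dict:
    """Return {resource_name: {scopes}} if the RPT is meant for `audience`,
    otherwise an empty dict (the token is not usable at that resource server)."""
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if audience not in aud:
        return {}
    perms: dict = {}
    for p in claims.get("authorization", {}).get("permissions", []):
        perms.setdefault(p["rsname"], set()).update(p.get("scopes", []))
    return perms


def missing_permissions(token: str, audience: str, required: set) -> set:
    """Return the (resource, scope) pairs from `required` that the RPT
    does not grant for `audience`."""
    have = permissions_for_audience(token, audience)
    return {(r, s) for (r, s) in required if s not in have.get(r, set())}


if __name__ == "__main__":
    # A token issued for api-a satisfies api-a ...
    print("api-a check:", missing_permissions(RPT_API_A, "api-a", {("orders", "view")}))
    # ... but carries nothing for api-b, so a second RPT is needed there.
    print("api-b check:", missing_permissions(RPT_API_A, "api-b", {("invoices", "read")}))
    print("api-b with its own RPT:", missing_permissions(RPT_API_B, "api-b", {("invoices", "read")}))
```

Run as a script, the first and third checks report no missing permissions while the second reports `{('invoices', 'read')}`, which is the per-audience boundary the issue describes: each API call to a differently protected service needs its own RPT rather than an accumulated one.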


People

• Assignee: pcraveiro Pedro Igor Silva
• Reporter: cen cen cen
• Votes: 0
• Watchers: 3