New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistent behaviour on getting user permissions using authorization #25057
Comments
@gabrielpadilh4 If you have assigned both scopes to the resource (as per the image) and the permission grants access to the resource, requesting a ticket to access the resource will end up giving you access to all scopes associated with the resource. Does it make sense? |
@pedroigor the behaviour between doing the request by resourceId and resourceName should end up with the same behaviour, right ? Also, i'm allowing just one scope, the behaviour on resourceId seems to be right, however the resourceName seems to have a bug, once i allowed just one scope to the user. If it is the same resource, the same behaviour between both endpoints is expect. |
Yeah, the behavior should be the same as both name and id are only used to look up the resource. How you are allowing just one scope? Are you using scope-based permission? |
@pedroigor yes, see the call being done below(it is the bug description also):
I inform the user, resource and scope. |
I see now ... The owner of the resource is the client and permissions are always granted to the resource owner. That is why you get both. But yeah, the difference in the response when using id/name is not correct as they should give the same result. |
@pedroigor thank you. If i can help with something else, let me know. |
@gabrielpadilh4 It is OK. I'll check why it is behaving differently. In any case, the permissions are correctly granted even though you have not explicitly asked for a scope. |
@pedroigor if a scope was explicitly asked for the user in that resource, using resourceId or resourceName should behave the same. |
Yeah, they should behave the same and expect the same set of permissions regardless of using id or name.
When evaluating UMA permissions where the subject is the resource owner you are granted any scope. As an owner I should be able to access my resource and all its scopes. |
@pedroigor thanks! |
FTR, we need to improve how permissions are evaluated when using the ID and the name of resources. Regardless of how the resource is represented in an permission request, the result should be the same. See #25057 (comment). |
…er itself Closes keycloak#25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes #25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes keycloak#25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes keycloak#25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes keycloak#25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes #25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes #25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…er itself Closes keycloak#25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Before reporting an issue
Area
authorization-services
Describe the bug
On a confidential client using Authorization, create one resource with 2 scopes and User-Managed Access Enabled:
Assign the user to the permission and just one of the scopes(in my case i have assigned the scope1):
After that, query the permission by Id and by Name:
Even that i have assigned just
scope1
to thetest
resource. When calling the permissions endpoint using the resourceName, both scopes are retrieved.Version
23.0.0
Expected behavior
Only the scope assigned to the user should be retrieved by resource name or resource id.
Actual behavior
Both scopes are retrieved when using resource name.
How to Reproduce?
Create a confidential client with authorization enabled. Create one resource and 2 scopes. Assigned both scopes to the resource.
Give a permission ticket to the user using the resource and one of the scopes.
Anything else?
No response
The text was updated successfully, but these errors were encountered: