Inconsistent behaviour on getting user permissions using authorization

[gabrielpadilh4]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authorization-services

Describe the bug

On a confidential client using Authorization, create one resource with 2 scopes and User-Managed Access Enabled:

Assign the user to the permission and just one of the scopes(in my case i have assigned the scope1):

#!/bin/bash
export REALM="permissions-test"
export CLIENT_ID="permission-client-default"
export CLIENT_SECRET="HumjZDHltnIixH3kLvrrfKDvPw2Q59td"export ACCESS_TOKEN=$( 
  curl \
    -d "client_id=${CLIENT_ID}" \
    -d "client_secret=${CLIENT_SECRET}" \
    -d "grant_type=client_credentials" \
    "http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token" \
  | jq -r '.access_token'
)

curl -X POST "http://localhost:8080/auth/realms/${REALM}/authz/protection/permission/ticket" \
     -H "Authorization: Bearer ${ACCESS_TOKEN}" \
     -H "Content-Type: application/json" \
     -d '{ "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d", "requester": "084db0fc-4331-4241-9c22-89f84b8e522d", "granted": true, "scopeName": "scope1" }' | jq   

{
  "id": "47c4e482-e01d-4ef4-8dd6-277a47d634a8",
  "owner": "4a6cc3bb-9b19-4107-8a64-f36fcfbd5505",
  "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
  "scope": "bf5981fd-84c2-4e5e-b75c-9b993063d1cb",
  "granted": true,
  "requester": "084db0fc-4331-4241-9c22-89f84b8e522d"
}

After that, query the permission by Id and by Name:

export REALM="permissions-test"
export CLIENT_ID="permission-client-default"
export CLIENT_SECRET="HumjZDHltnIixH3kLvrrfKDvPw2Q59td"
export TEST_USER="testuser"
export TEST_USER_PASSWORD="abc123"
export RESOURCE_ID="8f6ccd63-8399-4266-aae4-a919c9d8776d"                 
export RESOURCE_NAME="test"

export ACCESS_TOKEN=$(                                                       curl \
    -d "client_id=${CLIENT_ID}" \
    -d "client_secret=${CLIENT_SECRET}" \
    -d "grant_type=password" \
    -d "username=${TEST_USER}" \
    -d "password=${TEST_USER_PASSWORD}" \
    "http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token" \
  | jq -r '.access_token' \
)

curl -X POST http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${CLIENT_ID}" \
  --data "permission=${RESOURCE_ID}" \
  --data "response_mode=permissions" \
| jq

# Result by resourceID:
[
  {
    "scopes": [
      "scope1"
    ],
    "rsid": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
    "rsname": "test"
  }
]



curl -X POST http://localhost:8080/auth/realms/${REALM}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${CLIENT_ID}" \
  --data "permission=${RESOURCE_NAME}" \
  --data "response_mode=permissions" \
| jq    

# Result by resourceName:
[
  {
    "scopes": [
      "scope1",
      "scope2"
    ],
    "rsid": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
    "rsname": "test"
  }
]

Even that i have assigned just scope1 to the test resource. When calling the permissions endpoint using the resourceName, both scopes are retrieved.

Version

23.0.0

Expected behavior

Only the scope assigned to the user should be retrieved by resource name or resource id.

Actual behavior

Both scopes are retrieved when using resource name.

How to Reproduce?

Create a confidential client with authorization enabled. Create one resource and 2 scopes. Assigned both scopes to the resource.
Give a permission ticket to the user using the resource and one of the scopes.

Anything else?

No response

[pedroigor]

@gabrielpadilh4 If you have assigned both scopes to the resource (as per the image) and the permission grants access to the resource, requesting a ticket to access the resource will end up giving you access to all scopes associated with the resource.

Does it make sense?

[gabrielpadilh4]

@pedroigor the behaviour between doing the request by resourceId and resourceName should end up with the same behaviour, right ? Also, i'm allowing just one scope, the behaviour on resourceId seems to be right, however the resourceName seems to have a bug, once i allowed just one scope to the user. If it is the same resource, the same behaviour between both endpoints is expect.
What do you think ?

[pedroigor]

Yeah, the behavior should be the same as both name and id are only used to look up the resource.

How you are allowing just one scope? Are you using scope-based permission?

[gabrielpadilh4]

@pedroigor yes, see the call being done below(it is the bug description also):

curl -X POST "http://localhost:8080/auth/realms/${REALM}/authz/protection/permission/ticket" \
     -H "Authorization: Bearer ${ACCESS_TOKEN}" \
     -H "Content-Type: application/json" \
     -d '{ "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d", "requester": "084db0fc-4331-4241-9c22-89f84b8e522d", "granted": true, "scopeName": "scope1" }' | jq   
{
  "id": "47c4e482-e01d-4ef4-8dd6-277a47d634a8",
  "owner": "4a6cc3bb-9b19-4107-8a64-f36fcfbd5505",
  "resource": "8f6ccd63-8399-4266-aae4-a919c9d8776d",
  "scope": "bf5981fd-84c2-4e5e-b75c-9b993063d1cb",
  "granted": true,
  "requester": "084db0fc-4331-4241-9c22-89f84b8e522d"
}

I inform the user, resource and scope.

[pedroigor]

I see now ... The owner of the resource is the client and permissions are always granted to the resource owner. That is why you get both.

But yeah, the difference in the response when using id/name is not correct as they should give the same result.

[gabrielpadilh4]

@pedroigor thank you. If i can help with something else, let me know.

[pedroigor]

@gabrielpadilh4 It is OK. I'll check why it is behaving differently.

In any case, the permissions are correctly granted even though you have not explicitly asked for a scope.

[gabrielpadilh4]

@pedroigor if a scope was explicitly asked for the user in that resource, using resourceId or resourceName should behave the same.
On the scenario where permissions are correctly being granted, does asking for a scope doesn't make difference ?

[pedroigor]

Yeah, they should behave the same and expect the same set of permissions regardless of using id or name.

On the scenario where permissions are correctly being granted, does asking for a scope doesn't make difference ?

When evaluating UMA permissions where the subject is the resource owner you are granted any scope. As an owner I should be able to access my resource and all its scopes.

[gabrielpadilh4]

@pedroigor thanks!

[pedroigor]

FTR, we need to improve how permissions are evaluated when using the ID and the name of resources. Regardless of how the resource is represented in an permission request, the result should be the same.

See #25057 (comment).