Authorization using decision response_mode giving incorrect data #30694
Comments
keycloak-github-bot
bot
added
area/authorization-services
keycloak-github-bot
bot
added
status/auto-expire
status/missing-information
and removed
status/triage
action/old-release
labels
|
Hi, I have tested the same configuration on Keycloak 25.0.1 and see the same behaviour there too. User is not allowed "manage" access on "Resource2". With only below body, it works fine. Request body: Response: However, when trying to check for both resources as shown below, it gives incorrect result. Request body: grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket" Response: |
keycloak-github-bot
bot
added
status/triage
and removed
status/missing-information
status/auto-expire
labels
|
Thanks for confirming that @mnsudhan86 |
|
@mnsudhan86 Can you please check the permissions actually granted by changing The |
|
Hi @pedroigor I changed response_mode to permissions and below is the result. [ It correctly shows that user has "manage" access to only "Resource1". Below was my request body. grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket" |
|
Thanks, for trying it out. The behavior is expected. |
keycloak-github-bot
bot
closed this as not planned
|
Thanks for reporting this issue. However, after review this is not considered a valid issue, or has been recently resolved. As the issue is not valid it will be automatically closed. |
|
Hi @pedroigor Could you please explain why the behavior is deemed as expected? When user is trying "manage" operation on multiple resources, and for some of which he doesn't have access, decision mode should have replied with a "false", but it is replying with a "true" which incorrectly provides access to user even though he is not administered the access. Isn't this a bug? |
Before reporting an issue
Area
authorization-services
Describe the bug
This is w.r.t https://www.keycloak.org/docs/25.0.0/authorization_services/#_service_obtaining_permissions.
I have created following for my authorization model.
I have created 2 role based policies "Policy1" & "Policy2" each specific to "Role1" & "Role2" respectively.
I have created 2 scope based permissions as follows.
I have a user created called "testuser" who is associated with both "Role1" & "Role2". Expectation is that "testuser" is allowed "view" access on both "Resource1" & "Resource2" but is allowed "manage" access on only "Resource1".
When I query keycloak authorization, with following data
grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket"
audience: "shared-client"
response_mode: "decision"
permission: "Resource2#manage"
I get correct response as below which is on expected lines as "testuser" do not have "manage" access on "Resource2"
{
"error": "access_denied",
"error_description": "not_authorized"
}
But when do a query on both resources for "manage" access, I see that keycloak authorization service is giving incorrect output.
grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket"
audience: "shared-client"
response_mode: "decision"
permission: "Resource1#manage"
permission: "Resource2#manage"
Response from keycloak is as below
{
"result": true
}
which is not correct, as "testuser" do not have "manage" access on "Resource2".
Can someone please have a look at this?
Version
24
Regression
Expected behavior
Keycloak authorization service should return "access_denied" when user is not having access to few resources.
Actual behavior
Keycloak authorization service returns "true" even if user is not having access to few resources.
How to Reproduce?
Steps provided in description
Anything else?
No response
The text was updated successfully, but these errors were encountered: