Keycloak / KEYCLOAK-19162

Authorization: Role policy evaluation defect


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 15.0.2
    • Fix Version/s: None
    • Component/s: Authorization Services
    • Steps to Reproduce:
      • Register confidential client test-uma-rs with Authorization Enabled
      • In Roles: create client role write_country_1
      • In Authorization/Authorization Scopes: create scope countries:update
      • In Authorization/Resources: register resource Country 1 with scope countries:update
      • In Authorization/Policies: create role policy role write_country_1 with test-uma-rs's client role write_country_1
      • In Authorization/Permissions: create scope permission Write country 1 for resource Country 1 and scope countries:update and apply policy role write_country_1
      • Create user
      • Assign test-uma-rs's client role write_country_1 to created user
      • In client test-uma-rs/Authorization/Evaluate: evaluate resource Country 1 with scope countries:update for created user

      Try the same with a realm role:

      • Create a realm role realm_write_country_1
      • Assign realm role realm_write_country_1 to user
      • In Authorization/Policies: create role policy role realm_write_country_1 with realm role realm_write_country_1
      • In Authorization/Permissions: for permission Write country 1 add role policy role realm_write_country_1, change Decision Strategy to Affirmative
      • In client test-uma-rs/Authorization/Evaluate: evaluate resource Country 1 with scope countries:update for created user

    Description

      Role policy evaluates DENY for user with client role.
      Role policy evaluates DENY for user with realm role.

      It works correctly in Version 13.0.1.

      I use -Dkeycloak.profile.feature.upload_scripts=enabled with 15.0.2. However, this may not have any influence on the problem.
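The steps above, driven through Keycloak's REST APIs instead of the admin console, as an added example that is neither Keycloak project code nor the reporter's. `authz_setup` issues the report's configuration steps against the Admin REST API in the same order (scope, resource, role policy, scope permission, role mapping) and covers both variants through `client_role`; `request_decision` checks the outcome the way a resource server would, via a UMA ticket grant at the token endpoint, and `rpt_allows` inspects the permissions claim of an RPT. The object names come from the report; `KEYCLOAK_URL`, `REALM`, the environment variable names, the made-up resource id in `SAMPLE_RPT` and the `recording_poster` dry-run transport are assumptions made here.

```python
"""Drive this report's reproduction through Keycloak's REST APIs. Added example, not
Keycloak or reporter code; names come from the report, URL/realm/sample are assumed."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "http://localhost:8080/auth")  # assumed
REALM = os.environ.get("KEYCLOAK_REALM", "test")  # assumed realm name


def authz_setup(post, client_uuid, user_id, role_id, role_name, client_role=True,
                resource_name="Country 1", scope_name="countries:update",
                policy_name="role write_country_1", permission_name="Write country 1"):
    """Issue the report's configuration steps as Admin REST calls, in order.
    `post(path, body)` POSTs JSON to /admin/realms/{realm}{path} and returns the new id.
    role_id/role_name identify an existing client role (client_role=True) or realm role."""
    base = f"/clients/{client_uuid}/authz/resource-server"
    scope_id = post(f"{base}/scope", {"name": scope_name})
    resource_id = post(f"{base}/resource",
                       {"name": resource_name, "scopes": [{"name": scope_name}]})
    policy_id = post(f"{base}/policy/role", {
        "name": policy_name, "type": "role", "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS", "roles": [{"id": role_id, "required": False}]})
    permission_id = post(f"{base}/permission/scope", {
        "name": permission_name, "type": "scope", "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS", "resources": [resource_id],
        "scopes": [scope_id], "policies": [policy_id]})
    # The report's two variants differ only in where the user's role mapping lives.
    mapping = (f"/users/{user_id}/role-mappings/clients/{client_uuid}" if client_role
               else f"/users/{user_id}/role-mappings/realm")
    post(mapping, [{"id": role_id, "name": role_name}])
    return {"scope": scope_id, "resource": resource_id,
            "policy": policy_id, "permission": permission_id}


def recording_poster():
    """Dry-run transport: records each call and hands back sequential ids."""
    calls = []

    def post(path, body):
        calls.append((path, body))
        return f"id-{len(calls)}"
    return post, calls


def admin_poster(admin_token):
    """Live transport: POST JSON to the Admin REST API and return the created id."""
    def post(path, body):
        req = urllib.request.Request(
            f"{KEYCLOAK_URL}/admin/realms/{REALM}{path}", method="POST",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()  # authz endpoints echo the representation;
            if raw:            # role-mapping POSTs answer 204 with no body
                return json.loads(raw).get("id")
            return resp.headers.get("Location", "").rsplit("/", 1)[-1] or None
    return post


def request_decision(user_token, audience, resource_name, scope):
    """Check the decision outside the admin console: a UMA ticket grant with
    response_mode=decision answers {"result": true} on PERMIT, HTTP 403 on DENY."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience, "permission": f"{resource_name}#{scope}",
        "response_mode": "decision"}).encode()
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token",
        data=data, headers={"Authorization": f"Bearer {user_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("result") is True
    except urllib.error.HTTPError as err:
        if err.code == 403:  # body: {"error": "access_denied", ...}
            return False
        raise


def jwt_claims(token):
    """Decode a JWT payload without verifying its signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def rpt_allows(rpt, resource_name, scope):
    """True if the RPT's authorization.permissions claim grants `scope` on `resource_name`."""
    perms = jwt_claims(rpt).get("authorization", {}).get("permissions", [])
    return any(p.get("rsname") == resource_name and scope in p.get("scopes", [])
               for p in perms)


def unsigned_jwt(claims):
    """Build an alg=none JWT for constructed sample data only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: the permissions claim Keycloak puts in an RPT on PERMIT.
SAMPLE_RPT = unsigned_jwt({"authorization": {"permissions": [
    {"rsid": "00000000-0000-4000-8000-000000000001",  # made-up resource id
     "rsname": "Country 1", "scopes": ["countries:update"]}]}})
```

To run it live, look up the client's internal id, the user id and the role (`GET /admin/realms/{realm}/clients/{id}/roles/{role-name}` for the client role, `GET /admin/realms/{realm}/roles/{role-name}` for the realm role; the role policy takes the role's UUID, which is what the admin console sends), call `authz_setup` with `admin_poster(<admin access token>)`, then obtain an access token for the test user and call `request_decision(token, "test-uma-rs", "Country 1", "countries:update")`. A correctly evaluating server answers `True`; the behaviour this report describes shows up as `False` (HTTP 403 with error `access_denied`). `recording_poster` gives a dry run of the call sequence without a server, and `rpt_allows` is the check a resource server would make on an RPT obtained without `response_mode=decision`.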

People

    Assignee: Unassigned
    Reporter: Johannes Koch (johakoch)