Hi everybody,
I’m setting up Keycloak (version 15.0.2) to secure a REST API in a microservices environment, and it looks like there is either a problem in the documentation or I am missing something, so I’m looking for help.
The problematic setup seems quite straightforward: I have a client that acts as the resource server, in which I’ve defined a resource, let’s call it “Resource-A”, and this resource has 2 resource permissions registered: “Permission-A” and “Permission-B”.
For “Permission-A” a client policy is defined and for “Permission-B” there is a role policy.
Now, having set the resource server decision strategy to “Affirmative”, as per the documentation:
“As an example, if two permissions for a same resource or scope are in conflict (one of them is granting access and the other is denying access), the permission to the resource or scope will be granted if the chosen strategy is Affirmative. Otherwise, a single deny from any permission will also deny access to the resource or scope.”
I think the access should be granted when one of the two permissions evaluates to permit, but that’s not what’s happening, and I always end up with a deny.
I found this previous topic, but it looks like nobody answered it:
https://www.keycloak.org/docs/latest/authorization_services/
Thanks in advance,
greetings.
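The post above describes two levels at which Keycloak combines results: each permission combines its own policies with a per-permission decision strategy (Unanimous by default, after each policy's Positive/Negative logic is applied), and the resource server then combines the permissions attached to a resource with the resource-server decision strategy quoted from the documentation. The following is an added example, not code from the original post or from Keycloak itself; it models those documented semantics (Affirmative: at least one permit; Unanimous: all permit; Consensus: more permits than denies) and runs them over a constructed scenario that mirrors the post, where the client policy does not match the caller and the role policy does. The policy outcomes, the `applies` flag and all function names are assumptions made for illustration, not Keycloak API.

```python
"""Model of Keycloak's documented authorization decision strategies.

Added example, not code from the original post or from Keycloak itself.
Resource-A, Permission-A and Permission-B come from the post; the policy
outcomes below are constructed inputs, not results from a server.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"


class Strategy(Enum):
    AFFIRMATIVE = "affirmative"   # at least one PERMIT
    UNANIMOUS = "unanimous"       # every result must be PERMIT
    CONSENSUS = "consensus"       # more PERMITs than DENYs


def combine(results, strategy):
    """Combine a list of Decision values according to the documented strategy.
    An empty list yields DENY: nothing granted access."""
    if not results:
        return Decision.DENY
    permits = sum(1 for r in results if r is Decision.PERMIT)
    denies = len(results) - permits
    if strategy is Strategy.AFFIRMATIVE:
        return Decision.PERMIT if permits > 0 else Decision.DENY
    if strategy is Strategy.UNANIMOUS:
        return Decision.PERMIT if denies == 0 else Decision.DENY
    return Decision.PERMIT if permits > denies else Decision.DENY


@dataclass
class Policy:
    name: str
    applies: bool                  # constructed: did the condition hold (client matched, role held)
    negative_logic: bool = False   # Logic = Negative flips the outcome

    def evaluate(self):
        granted = self.applies != self.negative_logic
        return Decision.PERMIT if granted else Decision.DENY


@dataclass
class Permission:
    name: str
    policies: list
    strategy: Strategy = Strategy.UNANIMOUS   # Keycloak's default for a new permission

    def evaluate(self):
        return combine([p.evaluate() for p in self.policies], self.strategy)


def evaluate_resource(permissions, server_strategy):
    """Resource-level decision across all permissions attached to the resource.
    Returns the final decision and the per-permission results for inspection."""
    per_permission = {p.name: p.evaluate() for p in permissions}
    return combine(list(per_permission.values()), server_strategy), per_permission


def demo():
    """Scenario mirroring the post: the client policy does not match the
    calling client, the role policy matches the user. Returns the resource
    decision for each resource-server strategy."""
    permission_a = Permission("Permission-A", [Policy("client-policy", applies=False)])
    permission_b = Permission("Permission-B", [Policy("role-policy", applies=True)])
    outcomes = {}
    for strategy in Strategy:
        decision, _ = evaluate_resource([permission_a, permission_b], strategy)
        outcomes[strategy.value] = decision.value
    return outcomes


if __name__ == "__main__":
    for strategy, decision in demo().items():
        print(f"{strategy:12} -> {decision}")
```

Under this model an Affirmative resource-server strategy grants Resource-A as soon as Permission-B permits, which is the behaviour the post expects; a deny in that setup therefore points at something other than the resource-level strategy, such as neither permission evaluating to permit for the actual caller, or the per-permission strategy and policy logic. The Evaluate tab under the client's Authorization settings in the admin console shows the per-permission results for a chosen user and client, which is the quickest way to see which level is producing the deny.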