[Decision Strategy] Affirmative strategy doesn't behave as expected

Hi everybody,
I’m setting up Keycloak (version 15.0.2) for securing a REST API in a microservices environment and it looks like there is either a problem in the documentation or I am missing something, so I’m looking for help.

The problematic setup seems quite straightforward: I have a client that acts as the resource server, in which I’ve defined a resource, let’s call it “Resource-A”, and this resource has 2 resource permissions registered: “Permission-A” and “Permission-B”.

For “Permission-A” a client policy is defined and for “Permission-B” there is a role policy.

Now, having set the resource server decision strategy to “affirmative”, as per the documentation:
“As an example, if two permissions for a same resource or scope are in conflict (one of them is granting access and the other is denying access), the permission to the resource or scope will be granted if the chosen strategy is Affirmative. Otherwise, a single deny from any permission will also deny access to the resource or scope.” I think that the access should be granted when one of the two permissions is evaluated to permit, but that’s not what’s happening, and I always end up with a deny.

I found this previous topic but it looks like nobody answered it:
https://www.keycloak.org/docs/latest/authorization_services/

Thanks in advance,
greetings.

2 Likes

+1.
I got the same problem.

+10
We are facing a similar issue; this seems to be a strange and BIG issue for which there seem to be no answers from the Keycloak team.
I’ve found similar questions, to which there are no answers:

@Keycloak , can you help us out?

Facing the same issue, is there an update on this?

I’m also facing this problem and after some remote debugging I have created a corresponding GitHub issue https://github.com/keycloak/keycloak/issues/10086 and I have referenced this discussion.

1 Like

After some more fiddling around with Keycloak Authz and thinking about the Keycloak source code I had debugged I found the solution:

The problem only occurs when no Authorization Scope is assigned to the resource. When you create some Authorization Scope and assign it to the resource the affirmative decision strategy with multiple permissions works as expected.

@davidep @sumitmudliar

3 Likes
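A constructed example (not from the original posts) of a client authorization-settings export for the setup described in this thread, with the workaround above applied: “Resource-A” carries one assumed authorization scope (“access”) so that the affirmative decision strategy is evaluated across both permissions. The client id “service-client” and the role “resource-a-user” are assumed names.

```json
{
  "allowRemoteResourceManagement": false,
  "policyEnforcementMode": "ENFORCING",
  "decisionStrategy": "AFFIRMATIVE",
  "resources": [
    {
      "name": "Resource-A",
      "scopes": [ { "name": "access" } ]
    }
  ],
  "policies": [
    {
      "name": "Client-Policy",
      "type": "client",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": { "clients": "[\"service-client\"]" }
    },
    {
      "name": "Role-Policy",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": { "roles": "[{\"id\":\"resource-a-user\",\"required\":false}]" }
    },
    {
      "name": "Permission-A",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Resource-A\"]",
        "applyPolicies": "[\"Client-Policy\"]"
      }
    },
    {
      "name": "Permission-B",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Resource-A\"]",
        "applyPolicies": "[\"Role-Policy\"]"
      }
    }
  ],
  "scopes": [ { "name": "access" } ]
}
```

Without the `scopes` entry on “Resource-A” this is the configuration the thread reports as always denying; with it, a request granted by either Permission-A or Permission-B is permitted.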

thanks for your effort… I’ll give it a try