Hello,
Have any of you guys had this issue:
If the first scope in the resource is invalid (denied), it returns access denied and doesn’t check if the second one is valid.
If the first scope is valid and the second is invalid, it works fine.
The decision strategy is affirmative on permission and client.
It doesn’t matter if the response mode is decision or permissions.
Example:
First request
curl --location --request POST '../auth/realms/Test/protocol/openid-connect/token' \
--header 'Authorization: Bearer {access_token}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=client' \
--data-urlencode 'permission=Resource#Invalid scope, Valid scope' \
--data-urlencode 'response_mode=decision'
result:
{
"error": "access_denied",
"error_description": "not_authorized"
}
Second request
curl --location --request POST '../auth/realms/Test/protocol/openid-connect/token' \
--header 'Authorization: Bearer {access_token}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=client' \
--data-urlencode 'permission=Resource#Valid scope, Invalid scope' \
--data-urlencode 'response_mode=decision'
result:
{
"result": true
}