Keycloak x 17 issue with authorization and multiple scopes

Hello,
Did any of you guys have this issue:
If the first scope in the resource is invalid (denied), it returns access denied and doesn't check whether the second one is valid.
If the first scope is valid and the second invalid, it works fine.
The decision strategy is affirmative on both the permission and the client.
It doesn't matter if the response mode is decision or permissions.
Example:
First request

curl --location --request POST '../auth/realms/Test/protocol/openid-connect/token' \
--header 'Authorization: Bearer {access_token}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=client' \
--data-urlencode 'permission=Resource#Invalid scope, Valid scope' \
--data-urlencode 'response_mode=decision'

result:

{
    "error": "access_denied",
    "error_description": "not_authorized"
}

Second request

curl --location --request POST '../auth/realms/Test/protocol/openid-connect/token' \
--header 'Authorization: Bearer {access_token}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=client' \
--data-urlencode 'permission=Resource#Valid scope, Invalid scope' \
--data-urlencode 'response_mode=decision'

result:

{
    "result": true
}
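An added regression check for the behaviour described above (example code written for this thread, not part of Keycloak or the original post). It issues the same UMA ticket request with the scopes in every order and flags the case where the decision depends on the order, which should never happen with an affirmative strategy. The endpoint URL, client id and scope names are placeholders taken from the posts; the `post` callable is injectable so the check also runs offline against a constructed fake that mimics the reported first-scope-only behaviour.

```python
"""Order-dependence check for Keycloak UMA scope evaluation (added example)."""
import itertools
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: the thread only shows '../auth/realms/Test/...' and audience=client.
TOKEN_ENDPOINT = "https://keycloak.example/auth/realms/Test/protocol/openid-connect/token"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def permission_param(resource, scopes):
    """Build the permission value in the same form as the thread: Resource#scope1, scope2."""
    return f"{resource}#{', '.join(scopes)}"


def build_form(resource, scopes, audience="client"):
    """Form fields of the UMA ticket request with response_mode=decision."""
    return {
        "grant_type": UMA_GRANT,
        "audience": audience,
        "permission": permission_param(resource, scopes),
        "response_mode": "decision",
    }


def http_post(form, bearer, url=TOKEN_ENDPOINT):
    """Real transport: POST the form with the bearer token; returns the JSON body (network)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", f"Bearer {bearer}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # Keycloak returns the access_denied body with a 403, so read it rather than raise.
        return json.loads(err.read())


def decision(body):
    """Map a decision-mode response body to True (granted) or False (denied)."""
    if body.get("result") is True:
        return True
    if body.get("error") == "access_denied":
        return False
    raise ValueError(f"unexpected response: {body}")


def check_order_independence(resource, scopes, post):
    """Evaluate every ordering of `scopes` through `post(form) -> dict`.

    Returns (consistent, {ordering: decision}). With an affirmative decision
    strategy the outcome must not depend on the order the scopes are listed.
    """
    results = {}
    for ordering in itertools.permutations(scopes):
        results[ordering] = decision(post(build_form(resource, ordering)))
    consistent = len(set(results.values())) == 1
    return consistent, results


# Constructed fake transport that reproduces the behaviour reported in the thread:
# only the first listed scope is evaluated. Used so the check runs offline.
GRANTED_SCOPES = {"Valid scope"}


def fake_post_first_scope_only(form):
    first_scope = form["permission"].split("#", 1)[1].split(", ")[0]
    if first_scope in GRANTED_SCOPES:
        return {"result": True}
    return {"error": "access_denied", "error_description": "not_authorized"}


if __name__ == "__main__":
    ok, outcomes = check_order_independence(
        "Resource", ["Invalid scope", "Valid scope"], fake_post_first_scope_only
    )
    for ordering, granted in outcomes.items():
        print(permission_param("Resource", ordering), "->", granted)
    print("order independent:", ok)
    # To run against a real server: check_order_independence(
    #     "Resource", [...], lambda form: http_post(form, bearer="<access_token>"))
```

Run it against a live realm by swapping the fake for `http_post` with a real access token; any ordering that yields a different decision from the others is the bug the post describes and is worth keeping as a regression test after upgrading.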

ok …so no one had this issue?

Facing the same issue with keycloak-18.0.1. If the same user is added to the first permission, it gives scopes for both permissions, but it doesn't work if it is not in the first permission.

@tmanolescu

Are you able to fix this?
