8000 Multiple resources that match same URI with different scope cause inconsistent authorization response · Issue #40695 · keycloak/keycloak · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
Multiple resources that match same URI with different scope cause inconsistent authorization response #40695
New issue
New issue
Closed
#40698
Closed
Multiple resources that match same URI with different scope cause inconsistent authorization response#40695
#40698
Assignees
pedroigor
Labels
area/authorization-servicesIndicates an issue on Authorization areakind/bugCateg 949C orizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.3.0team/core-iam
@hito-dono

Description

@hito-dono
hito-dono
opened on Jun 24, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authorization-services

Describe the bug

When using the authorization, if multiple resources match the same URI, the authorization process only considers one of these resources, leading to unexpected response.

For example, similar configuration we use:

Resource A:

  • URI: /resource
  • Scope: read

Resource B:

  • URI: /resource
  • Scope: write

Permission A (Resource-based):

  • Resource A
  • Policy: user with role ROLE_READ has access

Permission B (Resource-based):

  • Resource B
  • Policy: user with role ROLE_WRITE has access

User has role ROLE_READ.

When permission "/resource#read" requested, 200 http code response received.
When permission "/resource#write" requested, 400 http code response received, but 403 code expected.

After some debugging, seems like permission evaluation does not happen. Authorization request ends on permission search for evaluation.

Version

26.2.5

Regression

  • The issue is a regression

Expected behavior

When permission "/resource#write" requested, 403 http code response received.

Actual behavior

When permission "/resource#write" requested, 400 http code response received.
{
"error": "invalid_resource",
"error_description": "Resource with id [{id}] does not exist."
}

How to Reproduce?

Create Client with Authorization On.
Create Client roles: ROLE_READ, ROLE_WRITE.

Add authorization config:

Scopes:

  • read
  • write

Resource A:

  • URI: /resource
  • Scope: read

Resource B:

  • URI: /resource
  • Scope: write

Policy A:

  • Role based, has role ROLE_READ

Policy B:

  • Role based, has role ROLE_WRITE

Permission A (Resource-based):

  • Resource A
  • Policy A

Permission B (Resource-based):

  • Resource B
  • Policy B

Execute similar authorization request, 200 http code received

curl -X POST
http://{HOST}:{PORT}/realms/{REALM}/protocol/openid-connect/token
-H "Authorization: Bearer ${ACCESS_TOKEN}"
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
--data "permission_resource_format=uri"
--data "permission_resource_matching_uri=true"
--data "audience={RESOURCE_SERVER_ID}" \
--data "permission=/resource#read"

After that, execute similar request, 400 http code received

curl -X POST
http://{HOST}:{PORT}/realms/{REALM}/protocol/openid-connect/token
-H "Authorization: Bearer ${ACCESS_TOKEN}"
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
--data "permission_resource_format=uri"
--data "permission_resource_matching_uri=true"
--data "audience={RESOURCE_SERVER_ID}" \
--data "permission=/resource#write"

Sample realm for reproduce

uri-match-realm-v2.json

Anything else?

Issue in same context was introduced there #30270

Metadata

Metadata

Assignees

Labels

area/authorization-servicesIndicates an issue on Authorization areakind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.3.0team/core-iam

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    0