Keycloak -18.0.1 issue with authorization and multiple polices/permissions

[Gagan Noor Singh]

Hi, we are getting issue with multiple policies/permission.

1. Policy A - user A with scope A,B,C works fine.
2. Policy B - user B with scope B,C,D gives 403.

If User B is added to Policy A it works fine and retunes combined result of scope A,B,C,D

Both Policies are Positive and Both Permissions are Affirmative.

In Evaluate page it shows as expected but from Postman it gives error

JSON from Authorization Export

{
“allowRemoteResourceManagement”: false,
“policyEnforcementMode”: “ENFORCING”,
“resources”: [
{
“name”: “ResourceA”,
“type”: “urn:generic-rest-api:resources:employees”,
“ownerManagedAccess”: false,
“attributes”: {},
“_id”: “1b41c828-b78f-44da-84ab-e62a0b4843b5”,
“uris”: [
“/v1/employees/"
],
“scopes”: [
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:accessRole:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:address:view”
}
]
},
{
“name”: “ResourceB”,
“type”: “urn:generic-rest-api:resources:employees”,
“ownerManagedAccess”: false,
“displayName”: “ResourceB”,
“attributes”: {},
“_id”: “6237e427-55ef-4c1e-9e3d-714e5bfe31c9”,
“uris”: [
"/v1/employees/”
],
“scopes”: [
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:companyid:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:authorizedAmount:view”
}
]
},
{
“name”: “Default Resource”,
“type”: “urn:employee-rest-api:resources:default”,
“ownerManagedAccess”: false,
“attributes”: {},
“_id”: “fb476666-f779-4a86-8234-d49e897f6405”,
“uris”: [
“/*”
]
}
],
“policies”: [
{
“id”: “1e08f5f3-a766-416b-9448-50716dd0580b”,
“name”: “PolicyB”,
“type”: “user”,
“logic”: “POSITIVE”,
“decisionStrategy”: “UNANIMOUS”,
“config”: {
“users”: “["UserB"]”
}
},
{
“id”: “8f90f109-0c7b-4caa-9620-50b7d36bd463”,
“name”: “Default Policy”,
“description”: “A policy that grants access only for users within this realm”,
“type”: “js”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“code”: “// by default, grants any permission associated with this policy\n$evaluation.grant();\n”
}
},
{
“id”: “c4ce02d8-cb2d-479f-ad22-82f092535b1b”,
“name”: “PolicyA”,
“type”: “user”,
“logic”: “POSITIVE”,
“decisionStrategy”: “UNANIMOUS”,
“config”: {
“users”: “["UserA"]”
}
},
{
“id”: “29f9ae37-afa9-4a98-864f-bc9f8dd7a783”,
“name”: “PermissionA”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“resources”: “["ResourceA"]”,
“applyPolicies”: “["PolicyA"]”
}
},
{
“id”: “3b71972f-3754-464d-99b6-f5c11e5962cc”,
“name”: “PermissionB”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“resources”: “["ResourceB"]”,
“applyPolicies”: “["PolicyB"]”
}
},
{
“id”: “3f21cf9d-f0b4-4b54-a3b9-5cbc4c1f060c”,
“name”: “Default Permission”,
“description”: “A permission that applies to the default resource type”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“defaultResourceType”: “urn:employee-rest-api:resources:default”,
“applyPolicies”: “["Default Policy"]”
}
}
],
“scopes”: [
{
“id”: “c14170f6-0ef7-416e-bde8-c394f6f3ed13”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“id”: “1d88b211-7961-4a2b-bfae-696566366f1f”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:adusertype:view”
},
{
“id”: “bfa6a52a-46de-4e86-8c72-4ea738752cd0”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:accessRole:view”
},
{
“id”: “f646b5af-bcc4-42a5-b135-de5d0c78ac5b”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:address:view”
},
{
“id”: “50286c2a-b0b4-423b-ac99-9b7b64bdebee”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:authorizedAmount:view”
},
{
“id”: “08140d1b-1c51-4563-96c4-4f6a628e9933”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:companyid:view”
}
],
“decisionStrategy”: “UNANIMOUS”
}