Shared resource doesn't appear in RPT (Requesting Party Token)


Kevin Hertwig

Mar 21, 2021, 10:04:02 PM3/21/21
to Keycloak User
Hello all,

I have a resource that I created via the UMA compliant endpoint ...authz/protection/resource_set and set the owner to a specific user. Then I created a policy with the endpoint ...authz/protection/uma-policy/{resourceId} and the following payload:

{
"name": "test",
"description": "Test",
"type": "uma",
"scopes": ["view", "edit"],
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"users": ["userXY"]
}

Now when I query an RPT as userXY with the parameters grant_type: urn:ietf:params:oauth:grant-type:uma-ticket and audience, I would expect to see the following entry:

{
        "scopes": [
          "view",
          "edit"
        ],
        "rsid": "51b04cec-23ab-4e00-bc92-9fc49a4c9408",
        "rsname": "resourceName"
}

However, the RPT doesn't include this. When I query the permission by setting the permission parameter to resourceName#edit, I get an RPT back with the requested permission. So userXY has the permission to view and edit the resource, but why is this not included in the RPT?

I hope you can help me with that. Thank you in advance!

Kevin Hertwig

Mar 21, 2021, 10:33:37 PM3/21/21
to Keycloak User
Another strange thing is that the owner who created the resource with scopes ['view','edit','delete','share','publish'] only gets the scopes ['view','edit'] in his RPT. These are the scopes that the owner actually shared with a different user, as described above.

Kevin Hertwig

Mar 21, 2021, 10:40:39 PM3/21/21
to Keycloak User
I also noticed that when I update the policy to ['view','edit','delete'], userXY still doesn't get this resource in his RPT, but as described above, the owner now gets ['view','edit','delete'] in his RPT. I basically want to achieve the other way around: the owner should have no information about this resource (or otherwise the full set of scopes that the resource has), and userXY should get the resource in his RPT with the scopes as defined in the policy.

pigor.c...@gmail.com

Mar 22, 2021, 7:30:35 AM3/22/21
to Keycloak User
Hi,

It is expected that you don't get permissions for the user `userXY` when not explicitly requesting the resource either by the `permission` parameter or when using a permission ticket. The reason for that is related to the additional costs during evaluation to resolve resources granted through custom policies.

Regards.
Pedro Igor

Kevin Hertwig

Mar 27, 2021, 12:43:20 AM3/27/21
to Keycloak User
Hello Pedro,

Isn't this a bit inconsistent? When I create resources and UMA policies with the owner being the resource server itself, I get the expected behaviour. Otherwise, how would you show or hide components in the UI based on permissions shared by a user? For example, user x shares a resource with me that I can only view and not edit. How would you hide an 'edit' button inside the UI? Would you fetch permissions for each shared resource and adjust the UI?
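
Putting Pedro's answer and Kevin's UI question together in code: the client asks for the shared resource explicitly with repeated `permission` fields (the only way the thread says user-owned, policy-granted resources show up in the RPT), then reads the `authorization.permissions` claim of the returned RPT to decide which buttons to draw. This is an added example, not code from the thread or from Keycloak. The audience `my-resource-server`, the omission of client/user authentication from the form body, and the sample RPT (constructed here, not issued by a Keycloak instance, with a placeholder signature) are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Grant type used when asking the token endpoint for an RPT (from the thread).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(audience, permissions=(), response_mode=None):
    """Form body for an explicit RPT request to the token endpoint.

    Each entry in `permissions` is 'resourceName' or 'resourceName#scope' and
    becomes one repeated `permission` form field; asking this way is what
    makes a resource shared through a user-owned UMA policy appear in the RPT.
    `response_mode` may be 'permissions' or 'decision' when only the
    evaluation result is wanted rather than a token. Authentication of the
    requesting user/client is left to the HTTP layer (assumption).
    """
    fields = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    fields.extend(("permission", p) for p in permissions)
    if response_mode is not None:
        fields.append(("response_mode", response_mode))
    return urlencode(fields)


def decode_jwt_payload(token):
    """Read the claims of a JWT without checking its signature.

    Acceptable for a browser deciding which buttons to draw; the resource
    server must still verify the RPT signature before trusting it.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(rpt_claims, resource_name):
    """Scopes the RPT grants on `resource_name` (empty set if not listed)."""
    scopes = set()
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource_name:
            scopes.update(perm.get("scopes", []))
    return scopes


def ui_actions(rpt_claims, resource_name, actions=("view", "edit", "delete")):
    """Map each UI action to whether its scope is present in the RPT.

    A missing scope means 'hide the button'; it is not proof the server would
    deny the action, because permissions that were never requested are simply
    not listed (the behaviour the thread describes).
    """
    scopes = granted_scopes(rpt_claims, resource_name)
    return {action: action in scopes for action in actions}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample RPT standing in for the server's reply to an explicit
# request for resourceName#view and resourceName#edit. Not issued by any
# Keycloak instance; the signature segment is a placeholder (assumption).
SAMPLE_RPT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "aud": "my-resource-server",
        "sub": "userXY",
        "authorization": {"permissions": [
            {"rsid": "51b04cec-23ab-4e00-bc92-9fc49a4c9408",
             "rsname": "resourceName",
             "scopes": ["view", "edit"]},
        ]},
    }),
    "signature-placeholder",
])


if __name__ == "__main__":
    body = build_rpt_request("my-resource-server",
                             ["resourceName#view", "resourceName#edit"])
    print("POST body:", body)
    claims = decode_jwt_payload(SAMPLE_RPT)
    print("granted:", sorted(granted_scopes(claims, "resourceName")))
    print("buttons:", ui_actions(claims, "resourceName"))
```

In practice the body goes in a POST to the realm's token endpoint with the user's access token as a bearer credential; the UI then calls `ui_actions` on the decoded RPT and keeps the 'delete' button hidden because that scope was neither requested nor granted.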
