Hi @dasniko
I am testing it based on the documentation link you provided, but I am facing an issue.
I have created:
- two resources
- scopes
- two policies
- two permissions
But when I call this API:
curl --location 'http://localhost:7089/realms/erp/protocol/openid-connect/token' \
--header 'Authorization: Bearer <TOKEN>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=erp-client' \
--data-urlencode 'permission=/erp/api/rr#read' \
--data-urlencode 'permission_resource_matching_uri=true' \
--data-urlencode 'permission_resource_format=URI' \
--data-urlencode 'response_mode=permissions'
It's returning success:
[
  {
    "scopes": [
      "read",
      "delete",
      "write"
    ],
    "rsid": "b1fffb3a-ec67-4f4b-b25e-06df42bb2c67",
    "rsname": "erp-api-customer-all"
  }
]
even though the user doesn’t have access to that uri.
Even if I don't pass anything in permission, this API is returning success if any permission is associated with the role of the user.
If I remove the permission associated with the role of the user (in my case cs_admin:erp-api-customer-all),
then it's returning:
{
  "error": "access_denied",
  "error_description": "not_authorized"
}
Am I doing anything wrong here?
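As an added illustration (not the poster's code and not part of Keycloak itself), the Python below builds the same form body as the curl command above and then evaluates a `response_mode=permissions` reply the way a resource server should: not "did I get a 200 with a non-empty list", but "does the reply name the specific resource and include the specific scope I asked about". The two sample replies are constructed from the JSON quoted in the post; the resource name `erp-api-rr` is a hypothetical name used only to show the deny path.

```python
"""Added example: build the UMA ticket request body from the post and check the
permissions reply for one concrete resource + scope instead of trusting success.
"""
import json
from urllib.parse import urlencode

# Constructed sample of the "success" reply quoted in the post.
SAMPLE_GRANT = json.loads("""
[
  {
    "scopes": ["read", "delete", "write"],
    "rsid": "b1fffb3a-ec67-4f4b-b25e-06df42bb2c67",
    "rsname": "erp-api-customer-all"
  }
]
""")

# Constructed sample of the denial reply quoted in the post.
SAMPLE_DENY = {"error": "access_denied", "error_description": "not_authorized"}


def build_permission_request(audience, permission, resource_format="URI"):
    """Return the application/x-www-form-urlencoded body for the token endpoint.

    Mirrors the --data-urlencode parameters of the curl command in the post.
    """
    params = {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience,
        "permission": permission,
        "permission_resource_matching_uri": "true",
        "permission_resource_format": resource_format,
        "response_mode": "permissions",
    }
    return urlencode(params)


def granted_scopes(reply, resource_name):
    """Scopes the server granted for resource_name, or an empty set.

    An error object (the access_denied / not_authorized case) grants nothing.
    """
    if isinstance(reply, dict):
        return set()
    return {
        scope
        for entry in reply
        if entry.get("rsname") == resource_name
        for scope in entry.get("scopes", [])
    }


def is_authorized(reply, resource_name, scope):
    """True only if the reply names resource_name AND lists scope for it.

    A non-empty permissions list for some other resource is not a grant for
    the resource the caller is protecting.
    """
    return scope in granted_scopes(reply, resource_name)


if __name__ == "__main__":
    print(build_permission_request("erp-client", "/erp/api/rr#read"))
    # The sample grant only names erp-api-customer-all; a check for the
    # hypothetical resource name "erp-api-rr" must therefore deny.
    print(is_authorized(SAMPLE_GRANT, "erp-api-customer-all", "read"))  # True
    print(is_authorized(SAMPLE_GRANT, "erp-api-rr", "read"))            # False
    print(is_authorized(SAMPLE_DENY, "erp-api-customer-all", "read"))   # False
```

The point of `is_authorized` is that the reply in the post is a list of everything the user was granted in that audience, so a caller that only tests for an HTTP 200 or a non-empty array will treat `erp-api-customer-all` as a grant for `/erp/api/rr`; matching on `rsname` (or `rsid`) plus the scope is what turns the reply into an actual authorization decision.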