
Creating UMA policy as amadmin doesn't show in user's resources

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: UMA
    • Labels:
    • Environment:
      Centos 7
      Java 8
      Tomcat

      Description

      We are looking at the possibility of creating slightly more complicated policies for UMA shares (for example, time-bound shares). We were told to try creating a policy using the base policy API, rather than using the UMA API.

      However, when we create a UMA policy as amadmin the user can't see the delegation in the UI.

      Here is what we did:

      1. Create a policy:

      curl -X POST 'https://sso.vagrant.delegations.org.nz/sso/json/policies/?_action=create' \
        -H "VAGRANT_SSO: AQIC5wM2LY4SfczTiAjzUCinJLvIO6P3hbaI-yLL0W713fs.*AAJTSQACMDIAAlNLABQtMjcyMDU2NDAyODE3OTkwNTIwNwACUzEAAjAx*" \
        -H "Content-Type: application/json" \
        -H "Cache-Control: no-cache" \
        -d '{
          "name": "test",
          "active": true,
          "description": "",
          "applicationName": "testharness-oauth-agent",
          "actionValues": {
            "http://test-harness.delegations.org.nz/view": true
          },
          "resources": [
            "uma://15bf6280-e5a4-4272-a20d-e161bfc051313"
          ],
          "subject": {
            "type": "JwtClaim",
            "claimName": "sub",
            "claimValue": "id=demo,ou=user,dc=opensso,dc=java,dc=net"
          },
          "resourceTypeUuid": "15bf6280-e5a4-4272-a20d-e161bfc051313"
        }'


      Then listing all the policies (as amadmin) I can see it:

      curl ... https://sso.vagrant.delegations.org.nz/sso/json/policies?_queryId=all

      {
        "name": "Example - add62e65-f54c-43d9-b5af-234b7cb598ce - 99feb1c3-552a-472e-8d49-b96ee4bd95570--1592143489",
        "active": true,
        "description": "",
        "applicationName": "testharness-oauth-agent",
        "actionValues": {
          "http://test-harness.delegations.org.nz/view": true
        },
        "resources": [
          "uma://99feb1c3-552a-472e-8d49-b96ee4bd95570"
        ],
        "subject": {
          "type": "JwtClaim",
          "claimName": "sub",
          "claimValue": "id=demo,ou=user,dc=opensso,dc=java,dc=net"
        },
        "resourceTypeUuid": "99feb1c3-552a-472e-8d49-b96ee4bd95570",
        "lastModifiedBy": "id=amadmin,ou=user,dc=opensso,dc=java,dc=net",
        "lastModifiedDate": "2015-08-27T23:02:24.206Z",
        "createdBy": "id=add62e65-f54c-43d9-b5af-234b7cb598ce,ou=user,dc=opensso,dc=java,dc=net",
        "creationDate": "2015-08-27T22:53:52.523Z"
      }


      I can check that the policy is working (the subject has access to the UMA resource).

      But if I log in as the resource owner, I can't see the delegation in the dashboard.

      (Looking briefly through the code it appears the UMA dashboard endpoints rely on the createdBy attribute. As this policy has to be created by amadmin, the user cannot see it.)
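      The following is an added example and is not OpenAM code or anything from this ticket's reporter: it models the visibility gap described above with two policy records in the shape /json/policies returns (one created through the UMA share flow by the resource owner, one created directly by amadmin), evaluates the JwtClaim subject the way the ticket's "the subject has access" check would, and compares a createdBy-based dashboard filter with one keyed on who owns the resource set. The resource-set-to-owner mapping, the createdBy value of the amadmin-created record, and all function names are assumptions for the illustration; the filtering logic is a model of the behaviour the reporter suspects, not OpenAM's implementation.

```python
"""Model of the OPENAM-6739 visibility gap. Added example, not OpenAM code.

Assumptions (not from the ticket): the dashboard filters on createdBy, the
owner of a resource set can be looked up from its uma:// identifier, and the
amadmin-created policy carries createdBy=amadmin. RESOURCE_OWNERS and
POLICY_LISTING are constructed sample data in the ticket's record shape.
"""
import json

DEMO = "id=demo,ou=user,dc=opensso,dc=java,dc=net"
OWNER = "id=add62e65-f54c-43d9-b5af-234b7cb598ce,ou=user,dc=opensso,dc=java,dc=net"
AMADMIN = "id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
VIEW = "http://test-harness.delegations.org.nz/view"
SHARED_RESOURCE = "uma://99feb1c3-552a-472e-8d49-b96ee4bd95570"
ADMIN_RESOURCE = "uma://15bf6280-e5a4-4272-a20d-e161bfc051313"

# Constructed: which user registered each resource set (assumed lookup).
RESOURCE_OWNERS = {SHARED_RESOURCE: OWNER, ADMIN_RESOURCE: OWNER}

# Constructed listing, as /json/policies?_queryId=all would return it.
POLICY_LISTING = json.dumps([
    {   # created by the owner through the UMA share flow
        "name": "Example - add62e65-f54c-43d9-b5af-234b7cb598ce - "
                "99feb1c3-552a-472e-8d49-b96ee4bd95570--1592143489",
        "active": True,
        "applicationName": "testharness-oauth-agent",
        "actionValues": {VIEW: True},
        "resources": [SHARED_RESOURCE],
        "subject": {"type": "JwtClaim", "claimName": "sub", "claimValue": DEMO},
        "createdBy": OWNER,
        "lastModifiedBy": AMADMIN,
    },
    {   # created by amadmin via /json/policies, as in the ticket (createdBy assumed)
        "name": "test",
        "active": True,
        "applicationName": "testharness-oauth-agent",
        "actionValues": {VIEW: True},
        "resources": [ADMIN_RESOURCE],
        "subject": {"type": "JwtClaim", "claimName": "sub", "claimValue": DEMO},
        "createdBy": AMADMIN,
        "lastModifiedBy": AMADMIN,
    },
])


def load_policies():
    """Parse the constructed listing into policy dicts."""
    return json.loads(POLICY_LISTING)


def subject_matches(policy, claims):
    """Evaluate a JwtClaim subject against the requesting party's claims."""
    subj = policy["subject"]
    if subj.get("type") != "JwtClaim":
        return False  # only the subject type used in the ticket is modelled
    return claims.get(subj["claimName"]) == subj["claimValue"]


def allowed_actions(policies, resource, claims):
    """Actions granted on `resource` to a party presenting `claims`.

    This is the 'the subject has access to the UMA resource' check: every
    active policy on the resource whose subject matches contributes the
    actions it sets to true.
    """
    granted = set()
    for p in policies:
        if p.get("active") and resource in p["resources"] and subject_matches(p, claims):
            granted |= {a for a, v in p["actionValues"].items() if v is True}
    return granted


def visible_by_creator(policies, user):
    """Dashboard filter the reporter suspects: only policies the user created."""
    return [p["name"] for p in policies if p.get("createdBy") == user]


def visible_by_resource_owner(policies, user, owners=RESOURCE_OWNERS):
    """Alternative filter keyed on who owns the protected resource set."""
    return [p["name"] for p in policies
            if any(owners.get(r) == user for r in p["resources"])]


def granted_but_hidden(policies, user, owners=RESOURCE_OWNERS):
    """Policies that grant access to `user`'s resources yet never show up
    under the createdBy filter: shares the owner can neither audit nor
    revoke from the dashboard."""
    shown = set(visible_by_creator(policies, user))
    return [n for n in visible_by_resource_owner(policies, user, owners)
            if n not in shown]


if __name__ == "__main__":
    policies = load_policies()
    print("demo may:", allowed_actions(policies, ADMIN_RESOURCE, {"sub": DEMO}))
    print("owner sees:", visible_by_creator(policies, OWNER))
    print("owner should see:", visible_by_resource_owner(policies, OWNER))
    print("hidden grants:", granted_but_hidden(policies, OWNER))
```

      Run as a script it prints that the demo subject is granted the view action on the amadmin-created resource while the owner's createdBy-filtered view lists only the share they created themselves; granted_but_hidden() returns the "test" policy, which is the gap the ticket reports: an effective grant on the owner's resource with no way for the owner to see or revoke it from the UI.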

            People

            • Assignee: Unassigned
            • Reporter: jamiec@datacom.co.nz Jamie Cavanaugh (Inactive)
            • Votes: 0
            • Watchers: 2
