Description of the bug
If a XACML request specifies more than one resource attribute:
"Resource": [
  {
    "Attribute": [
      {
        "AttributeId": "urn:altinn:resource",
        "Value": "jks-test-resource",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      },
      {
        "AttributeId": "urn:altinn:resource",
        "Value": "test_resourceid",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      },
      {
        "AttributeId": "urn:altinn:organization:identifier-no",
        "Value": "910459880",
        "DataType": "http://www.w3.org/2001/XMLSchema#string"
      }
    ]
  }
]
Only one of the resource attributes is actually used to authorize access, but which one?
This should instead have resulted in a "decision": "Indeterminate" response with a "statusMessage" explaining that multiple resources in a single request are not allowed. To authorize multiple resources, a multi-request should be used.
Steps To Reproduce
URL PDP Decision (internal PDP API): {{baseUrl}}/authorization/api/v1/decision
URL PDP Authorize (external PDP API): {{baseUrl}}/authorization/api/v1/authorize
Token (the Authorize API requires a service owner token with scope: altinn:authorization/authorize)
Header (both APIs require the subscription key header in the test environment):
Ocp-Apim-Subscription-Key
Testuser Resource Request Body example:
{
  "Request": {
    "ReturnPolicyIdList": false,
    "AccessSubject": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:altinn:person:identifier-no",
            "Value": "02056260016",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        ]
      }
    ],
    "Action": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "read",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        ]
      }
    ],
    "Resource": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:altinn:resource",
            "Value": "test_resourceid",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "urn:altinn:resource",
            "Value": "jks-test-resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "urn:altinn:organization:identifier-no",
            "Value": "910459880",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        ]
      }
    ]
  }
}
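The check the report asks for, written as an added Python example (not code from the Altinn authorization project): it counts the urn:altinn:resource values in the Resource category of a XACML JSON request, returns an Indeterminate response with a statusMessage when there is not exactly one, and shows how a caller could split such a request into one request per resource before submitting a multi-request. The sample request is constructed to mirror the request body above; the response shape (lowercase "response", "decision", "status", "statusMessage" keys and the XACML processing-error status code) is an assumption about the wire format, not taken from the project's implementation.

```python
import copy
import json

RESOURCE_ID = "urn:altinn:resource"
PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
STRING_TYPE = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample, mirroring the reproduction request in the report.
SAMPLE_REQUEST = json.loads("""
{
  "Request": {
    "ReturnPolicyIdList": false,
    "AccessSubject": [{"Attribute": [
      {"AttributeId": "urn:altinn:person:identifier-no", "Value": "02056260016",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}],
    "Action": [{"Attribute": [
      {"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "Value": "read",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}],
    "Resource": [{"Attribute": [
      {"AttributeId": "urn:altinn:resource", "Value": "test_resourceid",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"},
      {"AttributeId": "urn:altinn:resource", "Value": "jks-test-resource",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"},
      {"AttributeId": "urn:altinn:organization:identifier-no", "Value": "910459880",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}]
  }
}
""")


def resource_values(request):
    """Collect every urn:altinn:resource value across all Resource categories.

    The XACML JSON profile allows "Value" to be a single value or an array
    (a bag), so both forms are flattened into one list.
    """
    values = []
    for category in request.get("Request", {}).get("Resource", []):
        for attr in category.get("Attribute", []):
            if attr.get("AttributeId") != RESOURCE_ID:
                continue
            value = attr.get("Value")
            if isinstance(value, list):
                values.extend(value)
            else:
                values.append(value)
    return values


def validate_single_resource(request):
    """Return None if exactly one resource is named, else an Indeterminate response.

    Rejecting up front avoids the ambiguity the report describes, where the PDP
    silently evaluates only one of several resources.
    """
    values = resource_values(request)
    if len(values) == 1:
        return None
    if not values:
        message = "Request contains no urn:altinn:resource attribute"
    else:
        listed = ", ".join(str(v) for v in values)
        message = (
            f"Request contains {len(values)} urn:altinn:resource values ({listed}); "
            "multiple resources in a single request are not allowed, use a multi-request"
        )
    # Assumed response shape, following the key casing quoted in the report.
    return {
        "response": [
            {
                "decision": "Indeterminate",
                "status": {
                    "statusCode": {"value": PROCESSING_ERROR},
                    "statusMessage": message,
                },
            }
        ]
    }


def split_per_resource(request):
    """Build one single-resource request per urn:altinn:resource value.

    Every other resource attribute (e.g. the organisation identifier) is kept
    in each copy, so the caller can bundle the copies into a multi-request.
    """
    requests = []
    for value in resource_values(request):
        clone = copy.deepcopy(request)
        categories = clone["Request"]["Resource"]
        for category in categories:
            category["Attribute"] = [
                a for a in category.get("Attribute", []) if a.get("AttributeId") != RESOURCE_ID
            ]
        categories[0]["Attribute"].insert(
            0, {"AttributeId": RESOURCE_ID, "Value": value, "DataType": STRING_TYPE}
        )
        requests.append(clone)
    return requests


if __name__ == "__main__":
    print(json.dumps(validate_single_resource(SAMPLE_REQUEST), indent=2))
    for single in split_per_resource(SAMPLE_REQUEST):
        print(resource_values(single), validate_single_resource(single))
```

Running the block prints the Indeterminate response for the two-resource request, then shows that each split request names exactly one resource and passes the check.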
Additional Information
No response