[keycloak-dev] User Managed Access and UMA 2.0 Changes

Pedro Igor Silva psilva at redhat.com
Fri Aug 4 10:15:33 EDT 2017

Hey All,

Sorry for the long message, but I tried to highlight some important bits of
what I'm doing :) I'm not done yet, so here are the ideas I'm considering.

I'm almost done with the initial changes to get the user managed access
bits of UMA.

Basically, this is about providing the backbone in order to support use
cases such as resource sharing, authorization flows and users capable of
managing their own resources.

A really interesting feature set for IoT use cases as well as for those looking
to give more privacy control to their users (not only security).

In a nutshell, we have now a new entity in our model:

* PermissionTicketEntity

This entity holds all information we need in order to know which
resource/scope was requested and when, plus any additional claims the RS
wants to associate with a permission request.

This entity will allow us to perform:

* Queries to obtain the person/entity that needs to approve a permission
* Queries to obtain the person/entity asking for access
* Queries to obtain the resources/scopes being requested
* For how long a permission is valid
* Which claims (contextual data pushed by the RS when issuing a permission
ticket) are associated with a permission request and need to be approved by
the owner and enforced by the RS.

As you know, the UMA flow starts with a client trying to access a resource
protected by an RS. At this moment the RS issues a *permission ticket* which
is then returned to the client to give it a chance to obtain the RPT
(token with the actual permissions) from the AS.

Two things here:

* Only resources that support "user/owner managed access" are supposed to
have permission tickets persisted
* The RS can set additional claims on the permission ticket in order to
provide contextual data for policies and let them take any decision
considering this data. E.g.: I need to withdraw some money from my wife's
bank account, but she only wants to let me do it if the amount is <= $100

Basic sharing will be based on a simple approval/reject of a permission
request (permission ticket).

Please let me know what you think.


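The exchange described in the message above, as an added simulation that is not part of the original post and not Keycloak's own code. It models the three parties (client, RS, AS) in one process: the RS issues a permission ticket carrying a pushed `amount` claim, the AS persists it, evaluates the owner's claim policy, holds the request until the owner approves, and then issues an RPT that the RS checks via introspection. The grant type `urn:ietf:params:oauth:grant-type:uma-ticket`, the `UMA` `WWW-Authenticate` challenge and the `request_submitted` error come from the UMA 2.0 grant specification; the realm, `as_uri`, resource ids, users, the 300 s ticket lifetime and the `amount <= 100` policy are constructed for the demo.

```python
"""Simulated UMA 2.0 permission-ticket flow (hypothetical demo, not Keycloak code).
Roles: a resource server (RS) that issues tickets, an authorization server (AS)
that persists them and issues RPTs, and a resource owner who approves requests.
All identifiers, users, policies and sample data below are constructed."""
import secrets
import time
from dataclasses import dataclass

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
TICKET_TTL = 300  # seconds a persisted ticket stays valid (assumed value)


@dataclass
class PermissionTicket:
    """What was requested, by whom, from whom, when, plus the RS-pushed claims."""
    ticket_id: str
    resource: str
    scopes: frozenset
    owner: str
    requester: str
    claims: dict
    issued_at: float
    expires_at: float
    approved: bool = False


class AuthorizationServer:
    def __init__(self):
        self.tickets, self.rpts = {}, {}
        # owner-managed resources and per-resource claim policies (constructed)
        self.resources = {"acct:alice": {"owner": "alice", "uma": True}}
        self.policies = {"acct:alice": lambda c: c.get("amount", 0) <= 100}

    def create_ticket(self, resource, scopes, requester, claims):
        """Permission endpoint: the RS registers a request and gets an opaque ticket."""
        if not self.resources[resource]["uma"]:
            raise ValueError("only user-managed resources get persisted tickets")
        now = time.time()
        t = PermissionTicket(secrets.token_urlsafe(16), resource, frozenset(scopes),
                             self.resources[resource]["owner"], requester,
                             dict(claims), now, now + TICKET_TTL)
        self.tickets[t.ticket_id] = t
        return t.ticket_id

    def pending_for_owner(self, owner):
        """Query: which requests does this owner still have to approve?"""
        return [t for t in self.tickets.values()
                if t.owner == owner and not t.approved and t.expires_at > time.time()]

    def approve(self, owner, ticket_id):
        t = self.tickets[ticket_id]
        if t.owner != owner:
            raise PermissionError("only the resource owner may approve")
        t.approved = True

    def token(self, grant_type, ticket, requester):
        """Token endpoint: exchange a ticket for an RPT (or an error)."""
        if grant_type != UMA_TICKET_GRANT:
            return {"error": "unsupported_grant_type"}
        t = self.tickets.get(ticket)
        if t is None or t.requester != requester:
            return {"error": "invalid_grant"}
        if t.expires_at <= time.time():
            del self.tickets[ticket]
            return {"error": "expired_ticket"}
        if not self.policies[t.resource](t.claims):  # pushed claims drive policy
            return {"error": "access_denied"}
        if not t.approved:  # owner has not acted yet; client should retry later
            return {"error": "request_submitted", "ticket": ticket}
        del self.tickets[ticket]  # a ticket is single use
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = [{"rsid": t.resource, "scopes": sorted(t.scopes),
                           "claims": t.claims}]
        return {"access_token": rpt, "token_type": "Bearer"}

    def introspect(self, rpt):
        perms = self.rpts.get(rpt)
        return {"active": perms is not None, "permissions": perms or []}


class ResourceServer:
    def __init__(self, authz, as_uri="https://as.example"):  # as_uri is assumed
        self.authz, self.as_uri = authz, as_uri

    def withdraw(self, requester, account, amount, rpt=None):
        """Return (status, body); without a sufficient RPT, issue a ticket."""
        if rpt is not None:
            for p in self.authz.introspect(rpt)["permissions"]:
                # the RS enforces the claims it pushed: the approved amount is binding
                if (p["rsid"] == account and "withdraw" in p["scopes"]
                        and p["claims"].get("amount") == amount):
                    return 200, {"withdrawn": amount}
            return 403, {"error": "insufficient_scope"}
        ticket = self.authz.create_ticket(account, {"withdraw"}, requester,
                                          {"amount": amount})
        return 401, {"WWW-Authenticate":
                     f'UMA realm="bank", as_uri="{self.as_uri}", ticket="{ticket}"'}


def run_flow(amount):
    """Drive bob's withdrawal from alice's account; return the outcome of each step."""
    authz, rs, steps = AuthorizationServer(), None, []
    rs = ResourceServer(authz)
    status, hdr = rs.withdraw("bob", "acct:alice", amount)
    steps.append(status)  # 401 with a permission ticket
    ticket = hdr["WWW-Authenticate"].split('ticket="')[1].rstrip('"')
    first = authz.token(UMA_TICKET_GRANT, ticket, "bob")
    steps.append(first.get("error"))  # request_submitted or access_denied
    if first.get("error") == "request_submitted":
        authz.approve("alice", authz.pending_for_owner("alice")[0].ticket_id)
        rpt = authz.token(UMA_TICKET_GRANT, ticket, "bob")["access_token"]
        steps.append(rs.withdraw("bob", "acct:alice", amount, rpt=rpt)[0])      # 200
        steps.append(rs.withdraw("bob", "acct:alice", amount + 1, rpt=rpt)[0])  # 403
    return steps
```

`run_flow(50)` walks the full path (ticket, pending approval, owner approval, RPT, a successful withdrawal, then a refused withdrawal for a different amount with the same RPT), while `run_flow(500)` is stopped by the owner's claim policy before any approval is asked for. The point to take from the simulation is that the pushed claim is checked twice: once by the AS policy when the ticket is redeemed, and again by the RS when the RPT is presented.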