[keycloak-user] UMA policy API

Pedro Igor Silva psilva at redhat.com
Mon Jul 9 16:28:57 EDT 2018


Permissions created through UMA flow are not supposed to be managed via
uma-policy endpoint. But additional permissions you want to grant to a
resource on behalf of the resource owner (using roles, groups, clients or
js conditions).

That is why you don't see "users"/"recipients" in the response.

To manage permissions created based on UMA tickets you would need to use
the "/permission/ticket" endpoint which allows you to manage tickets. Need
to update docs with this endpoint though...

On Mon, Jul 9, 2018 at 1:34 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> HI guys,
> I started playing with the UMA API...
> In the UI, I defined a resource shared with 2 persons.
> Here is what I get when I query the API:
>
> curl
> http://localhost:8080/auth/realms/waziup/authz/protection/uma-policy?
> resource=5f2eda15-4d6c-4a20-a22a-7de109998b22
> -H "Authorization: Bearer $USERTOKEN" | jq
> [
>   {
>     "id": "4cad9948-12a8-4178-87a8-983509169a2d",
>     "name": "028a265c-4cfb-4ef8-9d35-10a3360851df",
>     "type": "uma",
>     "scopes": [
>       "sensors:create",
>       "sensors:view",
>       "sensors:update"
>     ],
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
>   },
>   {
>     "id": "f8a10074-49b4-4ab7-b873-eca27b336e35",
>     "name": "7b24a369-a0c5-471f-9b94-f3c88a78ae79",
>     "type": "uma",
>     "scopes": [
>       "sensors:create",
>       "sensors:delete",
>       "sensors:view",
>       "sensors:update"
>     ],
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
>   }
> ]
>
> Where can I find the resource id and the recipient of the sharing?
> What is "name"?
> The doc seems to say that {id} is the resource id:
>
> http://${host}:${port}/auth/realms/${realm_name}/authz/
> protection/uma-policy/{resource_id}
>
> But that doesn't seem to be the case.
>
> Another question, is there an API where I can find all the regular
> policies/permissions, defined in the "Authorization" tab in Keycloak admin
> console?
> I don't see them in UMA API.
>
> Thank a lot!!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list