[keycloak-user] Keycloak 4

Pedro Igor Silva psilva at redhat.com
Wed Jun 27 12:03:42 EDT 2018 

Federico is actually the father of the Policy API :)

On Wed, Jun 27, 2018 at 1:01 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

>
>
> On Wed, Jun 27, 2018 at 12:21 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> That's great, I was able to "share" a resource in my account console.
>> As a keycloak admin, where to see all the sharings performed by users?
>>
>
> We don't have this in admin console. The user-managed policies are hidden
> in the admin console, the reason being to avoid admins changing them
> without user consent. This was a tuff decision and I'm open to discuss
> different ideas if you think differently.
>
>
>>
>> Also, how to take into account this sharing in permission evaluation?
>> Should I write specific policies to take into resource sharing?
>> For instance, I have a javascript policy to authorize the resource owner
>> to access his resource.
>> Should I write a "is shared with you" policy?
>>
>
> If you do that, you are just defining a regular policy it will not be
> enough to let the user manage permissions via My Resources. This is how you
> could achieve the "sharing" functionality before the latest changes to UMA.
>
> However, we have also introduced a Policy API to the Protection API. From
> this API you are able to create additional "user-managed" permissions and
> still have your users able to manage them via My Resources. Documentation
> is also updated in upstream/master.
>
> This API basically allows you to define additional permissions to a user's
> resource such as using roles, groups, clients or even conditions using JS.
>
>
>>
>>
>>
>>
>>
>> On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Think we are missing this in docs :)
>>>
>>> You need to enable "User-Managed Access" in Realm Settings (General tab).
>>>
>>> On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> OK, interesting: I didn't know about this console :)
>>>> I can access it with my "test" user, but I don't see the "My Resources"
>>>> menu entry (see screenshot).
>>>> I created some resources owned by that user (using the API). But they
>>>> don't show up.
>>>> What did I missed?
>>>>
>>>> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Yeah, you can access those claims in a JS policy.
>>>>>
>>>>> Regarding the "account management console" take a look here:
>>>>> https://www.keycloak.org/docs/latest/authorization_ser
>>>>> vices/index.html#_service_authorization_api_aapi.
>>>>>
>>>>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Ok, I see the "claim_token" parameter in the request.
>>>>>> I guess you can retrieve those claims in a javascript rule, from the
>>>>>> evaluation context.
>>>>>>
>>>>>> By the way, I still cannot figure out where is the "account
>>>>>> management console", where user can manager users access (as per the
>>>>>> release notes)??
>>>>>>
>>>>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> The new form of obtaining entitlements relies solely on the token
>>>>>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>>>>>> grant types. With that in mind the new format of the request should be a
>>>>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>>>>
>>>>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>>>>> you want to push.
>>>>>>>
>>>>>>> [1] https://www.keycloak.org/docs/latest/authorization_servi
>>>>>>> ces/index.html#_service_obtaining_permissions
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>>
>>>>>>>> Thanks Pedro, I went through the pull request.
>>>>>>>> I'm not sure how to modify my entitlement requests?
>>>>>>>> For example I have:
>>>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>>>>>>>> Bearer $TOKEN" -d '{
>>>>>>>>     "permissions" : [
>>>>>>>>         {
>>>>>>>>             "resource_set_name" : "Sensors",
>>>>>>>>             "scopes" : [
>>>>>>>>                 "sensors:update"
>>>>>>>>             ]
>>>>>>>>         }
>>>>>>>>     ]
>>>>>>>> }'  "http://localhost:8080/auth/realms/waziup/authz/entitlement/
>>>>>>>> waziup"
>>>>>>>>
>>>>>>>> This call has been moved to uma-2, right?
>>>>>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>>>>>
>>>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>>>>>>>> Bearer $TOKEN" -d '{
>>>>>>>>     "permissions" : [
>>>>>>>>         {
>>>>>>>>             "resource_set_name" : "Sensors",
>>>>>>>>             "scopes" : [
>>>>>>>>                 "sensors:update"
>>>>>>>>             ]
>>>>>>>>         }
>>>>>>>>     ],
>>>>>>>>     claims: ["owner": "cdupont"]
>>>>>>>> }'  "http://localhost:8080/auth/realms/waziup/authz/entitlement/
>>>>>>>> waziup"
>>>>>>>>
>>>>>>>> In this example, I would like to push the owner of the sensor
>>>>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>>>>
>>>>>>>> Sorry about the questions, maybe I should just wait that the
>>>>>>>> documentation is merged :)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <
>>>>>>>> psilva at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> We have a few changes to docs that were not released because the
>>>>>>>>> PR [1] was not merged on time. But you can check about pushed claims (if
>>>>>>>>> you are using our adapters) here [2].
>>>>>>>>>
>>>>>>>>> Regards.
>>>>>>>>> Pedro igor
>>>>>>>>>
>>>>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi
>>>>>>>>> ces/index.html#_enforcer_claim_information_point
>>>>>>>>>
>>>>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>>>>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi guys,
>>>>>>>>>> I'm playing with the new version of Keycloak (
>>>>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>>>>
>>>>>>>>>> I have some questions:
>>>>>>>>>> - where is the "account management console"?
>>>>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> Corentin
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

More information about the keycloak-user mailing list