[keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Federico Michele Facca federico.facca at martel-innovate.com
Fri May 11 17:43:41 EDT 2018


Hi,

On 11 May 2018 at 18:04, Pedro Igor Silva <psilva at redhat.com> wrote:

>
>
> On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca <
> federico.facca at martel-innovate.com> wrote:
>
>>
>> Now the first question was how to "share" a resource directly with a user.
>>
>> Currently, using the API, supposing I am user A and I want to access a
>> resource Z from user B, we proceed as follows (I hope it is the correct way...
>> any correction or guidance will be appreciated):
>>
>> 1.  We create a permission request on the API (to get the ticket). E.g.
>> read resource x
>>
>> 2.  We use the ticket to ask for an RPT using a user token.
>>
>> curl --request POST \
>>   --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
>>   --header 'Authorization: Bearer xxx' \
>>   --header 'Content-Type: application/x-www-form-urlencoded' \
>>   --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx'
>>
>> If the user already has access, he gets the RPT; if not, he gets:
>>
>> {
>>     "error": "access_denied",
>>     "error_description": "request_submitted"
>> }
>>
>> Only at this moment does the permission ticket I created at step 1 appear in
>> the list of permissions. (I am not sure this is the intended behaviour
>> though.)
>>
>
> Yeah, that is the expected behavior. But you can also use a request
> parameter to tell the token endpoint that you don't want to submit an
> authorization request. See
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_aat.
>
>
>>
>> Then it is up to the owner to authorise access (via the API we can do that by
>> updating the permission and setting granted to true).
>>
>> Now let's suppose that I am the owner of the resource A, and I want to
>> authorise user Z directly (without the user asking for access to the
>> resource A) to access it. How can I do that? At the time being I could not
>> figure it out.
>>
>
> Similar to the update method, you can use the create method to create
> permissions. Is that what you are looking for? See
> org.keycloak.testsuite.authz.PermissionManagementTest#testCreatePermissionTicketWithResourceName.
>

From what I see in the code, permissions are persisted only when invoking
the token API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket.

So, in my understanding, there is no way (assuming I am the owner of the
resource) to store the permission directly (with grant=true), which would
be the way a user could share his resources directly, as is now possible
in the interface.

Am I wrong?

I am lost... In the code you refer to, I see that you invoke the token API
with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket and set the
claim using the accessToken, but I don't see what this has to do with the
ability of a resource owner to grant access to a resource directly
(i.e. creating a permission with grant = true).


-- 
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/>  -  Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
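The exchange the thread walks through (permission ticket, then the UMA ticket grant at the token endpoint, then access_denied / request_submitted until the owner flips the request to granted), as an added example that is not part of the mailing-list post or of the Keycloak code base. The endpoint paths, the grant type and the submit_request parameter are the ones in the Keycloak Authorization Services documentation; everything else (the token strings, resource ids, the transport callable and the in-memory FakeKeycloak that stands in for the server so the script runs offline) is constructed for this example.

```python
"""Added example, not code from the thread or the Keycloak project: the UMA 2.0
ticket -> RPT -> owner-approval flow against a constructed in-memory stand-in."""
import json
from urllib.parse import parse_qs, urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class UmaClient:
    """Requesting-party side: obtain a permission ticket, trade it for an RPT."""

    def __init__(self, base_url, realm, pat, user_token, transport):
        self.base = f"{base_url}/realms/{realm}"
        self.pat = pat                # protection API token of the resource server
        self.user_token = user_token  # access token of the requesting user
        self.post = transport         # callable(url, headers, body) -> (status, dict)

    def request_ticket(self, resource_id, scopes):
        # Step 1: POST .../authz/protection/permission with the wanted resource
        # and scopes; Keycloak answers 201 {"ticket": "<permission ticket>"}.
        status, body = self.post(
            f"{self.base}/authz/protection/permission",
            {"Authorization": f"Bearer {self.pat}", "Content-Type": "application/json"},
            json.dumps([{"resource_id": resource_id, "resource_scopes": scopes}]))
        if status != 201:
            raise RuntimeError(f"permission endpoint: {status} {body}")
        return body["ticket"]

    def request_rpt(self, ticket, submit_request=True):
        # Step 2: present the ticket at the token endpoint with the user's token.
        # Returns ("granted", rpt), ("request_submitted", None) or ("denied", None).
        form = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket}
        if not submit_request:
            form["submit_request"] = "false"  # ask the server not to persist a request
        status, body = self.post(
            f"{self.base}/protocol/openid-connect/token",
            {"Authorization": f"Bearer {self.user_token}",
             "Content-Type": "application/x-www-form-urlencoded"},
            urlencode(form))
        if status == 200:
            return "granted", body["access_token"]
        if body.get("error") == "access_denied":
            submitted = body.get("error_description") == "request_submitted"
            return ("request_submitted" if submitted else "denied"), None
        raise RuntimeError(f"token endpoint: {status} {body}")


class FakeKeycloak:
    """Constructed stand-in (not Keycloak): a permission request is persisted only
    when a ticket reaches the token endpoint, and not when submit_request=false."""

    def __init__(self):
        self.tickets = {}   # ticket -> (resource_id, scopes)
        self.requests = []  # persisted permission requests, as the owner sees them

    def post(self, url, headers, body):
        if url.endswith("/authz/protection/permission"):
            req = json.loads(body)[0]
            ticket = f"ticket-{len(self.tickets) + 1}"  # real tickets are signed JWTs
            self.tickets[ticket] = (req["resource_id"], req["resource_scopes"])
            return 201, {"ticket": ticket}
        if url.endswith("/protocol/openid-connect/token"):
            form = {k: v[0] for k, v in parse_qs(body).items()}
            if form.get("grant_type") != UMA_TICKET_GRANT or form.get("ticket") not in self.tickets:
                return 400, {"error": "invalid_grant"}
            requester = headers["Authorization"].split(" ", 1)[1]
            resource, scopes = self.tickets[form["ticket"]]
            if self.is_granted(requester, resource, scopes):
                return 200, {"access_token": f"rpt-{requester}-{resource}", "upgraded": False}
            if form.get("submit_request") == "false":
                return 403, {"error": "access_denied", "error_description": "not_authorized"}
            self.requests.append({"requester": requester, "resource": resource,
                                  "scopes": list(scopes), "granted": False})
            return 403, {"error": "access_denied", "error_description": "request_submitted"}
        return 404, {"error": "not_found"}

    def is_granted(self, requester, resource, scopes):
        return any(r["granted"] and r["requester"] == requester and r["resource"] == resource
                   and set(scopes) <= set(r["scopes"]) for r in self.requests)

    def owner_grants(self, requester, resource):
        # What the owner does through PUT .../authz/protection/permission/ticket
        # with "granted": true on the pending request.
        for r in self.requests:
            if r["requester"] == requester and r["resource"] == resource:
                r["granted"] = True


def share_flow(submit_request=True):
    """User A asks for owner B's resource Z; returns (outcomes, persisted requests)."""
    server = FakeKeycloak()
    client = UmaClient("http://127.0.0.1:8080/auth", "master", "pat-app", "token-userA", server.post)
    outcomes = [client.request_rpt(client.request_ticket("resource-Z", ["read"]), submit_request)[0]]
    if outcomes[0] == "request_submitted":
        server.owner_grants("token-userA", "resource-Z")  # owner B approves the request
        outcomes.append(client.request_rpt(client.request_ticket("resource-Z", ["read"]))[0])
    return outcomes, len(server.requests)
```

share_flow() reproduces the observed sequence: the first RPT request is refused with request_submitted and only then does a permission request exist for the owner to approve; a fresh ticket after approval yields the RPT. share_flow(False) shows the effect of submit_request=false from Pedro's reply: the user is still refused, but nothing is persisted for the owner to see.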

