[keycloak-user] UMA 2.0 manage shared access with Rest-API
Pedro Igor Silva
psilva at redhat.com
Wed Nov 14 10:12:36 EST 2018
Hi, building your own service should be fine if you use parts of the API
that we provide.
1) User can manage his/her resources
Take a look at the Protection API, the Resource Management Endpoint in
particular [1].
2) Notifications and management of authorization requests
We have an undocumented endpoint that exposes the permission tickets,
which represent authorization requests pending for approval or already
approved by the resource owner. For now, you could take a look at the
app-auths-uma-photoz to check there how we are using this endpoint to fetch
"shared resources" [2].
3) Define rules for permissions that are set automatically when a new
resource is created
You have some options here. If you have typed resource (owned by the
resource server itself) and a set of permissions associated with this
resource when you create a new user resource (user is the owner, thus it is
considered a resource instance) any permission defined for the typed
resource will be applied to the user resource.
You can also manage permissions/policies through the Admin REST API,
just like we do in Keycloak admin console.
For User-Managed resources, you can also use the User-Managed Policy
API [3].
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api
[2]
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L101
[3]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api
Regards.
Pedro Igor
On Wed, Nov 14, 2018 at 12:00 PM Jeroschewski Sven Erik (INST-CSS/BSV-OS) <
SvenErik.Jeroschewski at bosch-si.com> wrote:
> Hello everyone,
>
> is there an example project or tutorial with UMA 2.0 where the user can
> give his consent regarding shared access using the Rest-API of Keycloak?
>
> We already had a look at the "app-authz-uma-photoz" project from the
> "keycloak-quickstarts" repository. However, the example integrates a
> Keycloak website where the user can manage the requests for her/his
> resources. In our application we would like to have a custom service
> through which the user can manage his/her resources, can get notifications
> for new requests, and can define rules for permissions that are set
> automatically when a new resource is created or a new request is coming in.
>
> For example, we have a use case in which an application creates new
> resources where the user is the resource owner. This resource should be
> accessible by another user by default or the uploading application should
> be able to grant access in the name of the resource owner.
>
> We would be glad for any comments and recommendations on our approach.
>
> Mit freundlichen Grüßen / Best regards
>
> Sven Erik Jeroschewski
>
> Open Source Services - Product Group Customer Success Services
> (INST-CSS/BSV-OS)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com<http://www.bosch-si.com>
> Tel. +49 30 726112-416 | Mobil +49 152 24308225 |
> SvenErik.Jeroschewski at bosch-si.com<mailto:
> SvenErik.Jeroschewski at bosch-si.com>
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list