[keycloak-user] UMA Share Resource with a User via AuthZ Client

Pedro Igor Silva psilva at redhat.com
Fri Jan 11 06:52:42 EST 2019


Hi,

Glad you got it working. I should probably update docs with that too, but
when doing UMA and requesting access to resources where the owner is not
the user you need to pass the resource ID. The reason is that resources can
have the same name if they belong to different owners, so you need to
explicitly inform the resource you want to access. If the owner is the
identity making the request, you can use names ....

On Fri, Jan 11, 2019 at 9:00 AM Christian Sandmeier <
Christian.Sandmeier at vivai.de> wrote:

> Hi all,
>
> as soon as I add concrete Resources to the AuthorizationRequest it works.
>
> So in Step 3 I added
>
> AuthorizationRequest request = new AuthorizationRequest();
> request.addPermission("resource id x");
> request.addPermission("resource id y");
>
> Then the Permission for these Resources are shown in the RPT.
>
> Best regards,
>
> Christian
>
> On 08.01.2019 at 17:57, Christian Sandmeier <
> Christian.Sandmeier at vivai.de> wrote:
>
> Hi All,
>
> first of all Thanks for the great work. I have been using Keycloak in a
> Project for a couple of Months now and really like it.
>
> I started to try out the UMA 2.0 Flow because it would be very nice to be
> able to share a resource with other Users.
>
> Given the following 4 Steps, I don't understand why the Permissions are
> not in the RPT token
>
> // Code for Steps 1 and 2 taken from here
> //
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
> // Code for Steps 3 and 4 taken from here
> //
> https://www.keycloak.org/docs/latest/authorization_services/index.html#obtaining-user-entitlements
>
>
> 1) Creating a Resource "Resource A" with Owner "demo"
>
> ResourceRepresentation resource = new ResourceRepresentation();
> resource.setName("Resource A");
> resource.setOwnerManagedAccess(true);
> resource.setOwner("demo");
> resource.addScope("Scope A");
>
> resource = getAuthzClient().protection().resource().create(resource);
>
>
> 2) Creating the User Permission for User "test"
> UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
>
> newPermission.setName("User-Managed Permission");
> newPermission.setDescription("User is allowed to access");
> newPermission.addScope("Scope A");
> newPermission.addUser("test");
>
> ProtectionResource protection = getAuthzClient().protection("demo", "demo");
> UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission);
>
>
> 3) get a RPT for the User "test" for all Resources
>
> AuthzClient authzClient = AuthzClient.create();
> AuthorizationRequest request = new AuthorizationRequest();
> AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request);
> String rpt = response.getToken();
>
>
> 4) Listing the Permissions
> TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
> System.out.println("Token status is: " + requestingPartyToken.getActive());
> System.out.println("Permissions granted by the server: ");
>
> for (Permission granted : requestingPartyToken.getPermissions()) {
>   System.out.println(granted);
> }
>
>
> The Resource and Permission are saved correctly, I can correctly read them
> via the AuthZ Client
> but now I would assume that the Permission is in the RPT of the User
> "test".
>
> Is this Assumption maybe already incorrect and I got a bit lost? Or is
> there probably a
> problem in my Code because the Permission should be listed there?
> Btw. if I skip Step 2) and instead share the Resource with the User in
> the "Keycloak -> My Account-> My Resources" Page, it works. But not
> with the UmaPermissionRepresentation.
>
> Thank you in Advance
>
> Best regards,
>
> Christian Sandmeier
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
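Pedro's point in working form, as an added example that is not code from the thread or from Keycloak: the requester "test" asks for a resource owned by "demo" by its ID (the value returned by `resource.getId()` in step 1, passed in here as a placeholder argument), then the RPT is introspected to confirm the shared scope was actually granted. It assumes the Keycloak `AuthzClient` with a `keycloak.json` on the classpath, the user names and "Scope A" from the thread, and the `addPermission(resourceId, scopes...)` overload of `AuthorizationRequest`.

```java
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;

public class SharedResourceRptCheck {

    // A resource shared by another owner must be requested by ID: names are
    // only unique per owner, so a name alone does not identify it.
    static List<Permission> requestSharedResource(AuthzClient authzClient,
            String requester, String password, String resourceId, String... scopes) {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceId, scopes); // ID from step 1, scopes optional
        try {
            AuthorizationResponse response =
                    authzClient.authorization(requester, password).authorize(request);
            String rpt = response.getToken();
            // Introspection returns what the server actually granted, not what was asked
            return authzClient.protection()
                    .introspectRequestingPartyToken(rpt).getPermissions();
        } catch (AuthorizationDeniedException e) {
            // No user-managed policy grants this requester access to the resource
            return Collections.emptyList();
        }
    }

    // True only if the RPT carries the expected resource with the expected scope
    static boolean grants(List<Permission> granted, String resourceId, String scope) {
        for (Permission p : granted) {
            Set<String> scopes = p.getScopes();
            if (resourceId.equals(p.getResourceId())
                    && scopes != null && scopes.contains(scope)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        AuthzClient authzClient = AuthzClient.create(); // reads keycloak.json
        String resourceId = args[0]; // placeholder: the ID returned in step 1
        List<Permission> granted =
                requestSharedResource(authzClient, "test", "test", resourceId, "Scope A");
        System.out.println("Scope A granted on shared resource: "
                + grants(granted, resourceId, "Scope A"));
    }
}
```

If the resource had instead been requested by name while "test" is not its owner, the server could not tell which owner's "Resource A" is meant, which is the case Pedro describes above.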
