[keycloak-user] Listing the UMA resources accessible by a user

Pedro Igor Silva psilva at redhat.com
Thu Mar 7 08:35:30 EST 2019


Hi,

We have an API that allows you to list the resources shared with a specific user if
the access was granted based on the standard UMA flow (using permission
tickets). The Keycloak AuthZ Java Client [1] provides access to this API.

[1]
https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L197


On Thu, Mar 7, 2019 at 10:21 AM <roxspring at imapmail.org> wrote:

> Hi folks,
>
> UMA seems to be a great solution to model fine-grained permissions and
> allow scenarios such as "Alice shares Folder X with Bob".
>
> Keycloak seems to implement this well with APIs for the resource server to
> ask "Given [User] and [Folder X], can the user do [Scope]?" and provide
> answers for both Alice and Bob based on some policy.
>
> Where I'm struggling is that our application also needs to provide an answer
> to "Given [User], which folders can they do [Scope] to?" and I'm not clear how
> best to achieve this with Keycloak.
>
> A.      Track which folders a user owns or can access and answer the
> question directly in the resource server, but that results in the resource
> server having a rigid model of the authorization rules and loses the
> benefits of Keycloak's flexible policies (or duplicates the policy, which
> seems just as bad).
> B.      Have the resource server choose some subset of all folders and ask
> Keycloak to validate each resource, but that becomes very chatty and slow
> when there are 1000s of resources to validate.
> C.      Just ask Keycloak to validate all resources and just return those
> the user can access, but that's also potentially slow with 1000s of
> resources to validate and 100s accessible.
>
> a.      As above but with additional filtering by resource type to trim the
> options.
> b.      As above but with additional filtering by attributes (e.g. where
> property:owner = "Alice").
> c.      As above but with a full-blown query language (e.g. "WHERE
> type=Folder AND (property:owner=Alice OR property:sharedwith contains
> Alice)").
>
> D.      ...?
>
> I was expecting some variant of C to be the recommended way forward but I
> can't find the relevant APIs (even without filtering). What's the best way
> to model such a (presumably common) scenario?
>
> Thanks,
>
> Rob
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
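The approach Pedro points at, as an added example that is not part of the thread and not code from the Keycloak project: instead of validating every folder (Rob's option C), the resource server asks Keycloak for the permission tickets already granted to one requester and groups them by scope. Assumptions not stated in the thread: the resource server holds a protection API token (PAT) for its client; the endpoint is `GET {base}/realms/{realm}/authz/protection/permission/ticket` with the query parameters `requester`, `granted`, `returnNames`, `first` and `max`; the ticket fields follow the shape of `SAMPLE_TICKETS` below, which is constructed, not captured from a server. The caveat from Pedro's answer applies: only access granted through the UMA flow (permission tickets) shows up here, so anything a user can reach via other policies, such as a role-based policy, is not in this list.

```python
"""Added example; not code from the thread or from the Keycloak project.

Lists the UMA resources one requester has been granted, by asking Keycloak's
permission-ticket endpoint for that requester's granted tickets and grouping
the result by scope. Assumed (not stated in the thread): the resource server
already holds a protection API token (PAT) for its client, the endpoint
GET {base}/realms/{realm}/authz/protection/permission/ticket with the query
parameters requester, granted, returnNames, first and max, and tickets shaped
like SAMPLE_TICKETS below (a constructed response, not captured from a server).
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict

PAGE_SIZE = 100  # assumption: page through results rather than trust one call


def ticket_query(requester_id, first=0, max_results=PAGE_SIZE):
    """Query string for one page of *granted* tickets addressed to one user.

    returnNames=true asks Keycloak to include resourceName/scopeName, so the
    resource server does not need a second lookup per resource id.
    """
    params = {
        "requester": requester_id,
        "granted": "true",
        "returnNames": "true",
        "first": str(first),
        "max": str(max_results),
    }
    return urllib.parse.urlencode(params)


def fetch_granted_tickets(base_url, realm, pat, requester_id):
    """Live call: page through every granted ticket for the requester.

    base_url is e.g. https://sso.example.com (older distributions put the
    realm path under /auth). Needs network access and a valid PAT.
    """
    tickets, first = [], 0
    while True:
        url = (f"{base_url}/realms/{realm}/authz/protection/permission/ticket"
               f"?{ticket_query(requester_id, first)}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {pat}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            page = json.load(resp)
        tickets.extend(page)
        if len(page) < PAGE_SIZE:
            return tickets
        first += PAGE_SIZE


def resources_by_scope(tickets, requester_id):
    """scope name -> sorted resource names the requester may use that scope on.

    Defensive re-check: only tickets that are granted AND addressed to this
    requester count, so an over-broad query (or a filter the server ignores)
    cannot widen the answer. Pending (ungranted) tickets are excluded.
    """
    out = defaultdict(set)
    for t in tickets:
        if not t.get("granted") or t.get("requester") != requester_id:
            continue
        out[t["scopeName"]].add(t["resourceName"])
    return {scope: sorted(names) for scope, names in out.items()}


# Constructed sample: Alice shared Folder X (read+write) and Folder Y (read)
# with Bob; one ticket is still pending; one belongs to another requester.
SAMPLE_TICKETS = [
    {"id": "t1", "owner": "alice-id", "ownerName": "alice", "requester": "bob-id",
     "requesterName": "bob", "resource": "r-x", "resourceName": "Folder X",
     "scope": "s-read", "scopeName": "read", "granted": True},
    {"id": "t2", "owner": "alice-id", "ownerName": "alice", "requester": "bob-id",
     "requesterName": "bob", "resource": "r-x", "resourceName": "Folder X",
     "scope": "s-write", "scopeName": "write", "granted": True},
    {"id": "t3", "owner": "alice-id", "ownerName": "alice", "requester": "bob-id",
     "requesterName": "bob", "resource": "r-y", "resourceName": "Folder Y",
     "scope": "s-read", "scopeName": "read", "granted": True},
    {"id": "t4", "owner": "alice-id", "ownerName": "alice", "requester": "bob-id",
     "requesterName": "bob", "resource": "r-z", "resourceName": "Folder Z",
     "scope": "s-read", "scopeName": "read", "granted": False},
    {"id": "t5", "owner": "alice-id", "ownerName": "alice", "requester": "carol-id",
     "requesterName": "carol", "resource": "r-q", "resourceName": "Folder Q",
     "scope": "s-read", "scopeName": "read", "granted": True},
]

if __name__ == "__main__":
    print(resources_by_scope(SAMPLE_TICKETS, "bob-id"))
    # {'read': ['Folder X', 'Folder Y'], 'write': ['Folder X']}
```

The server-side `requester` and `granted` filters do the heavy lifting; the client-side re-check in `resources_by_scope` is there so that a misconfigured query or a proxy that drops parameters fails closed rather than listing another user's folders. Keep the PAT on the resource server only; it is the credential that authorizes reading these tickets.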

