[keycloak-user] Listing the UMA resources accessible by a user

roxspring at imapmail.org
Thu Mar 7 09:46:59 EST 2019


Thanks Pedro – that gives me something to try out!

(Turns out I was using an old client and didn't have that API available… time for some upgrades!)

From: Pedro Igor Silva <psilva at redhat.com> 
Sent: 07 March 2019 13:36
To: roxspring at imapmail.org
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user


Hi,

We have an API that allows you to list resources shared with a specific user if the access was granted based on the standard UMA flow (using permission tickets). The Keycloak AuthZ Java Client [1] provides access to this API.

[1] https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L197


On Thu, Mar 7, 2019 at 10:21 AM <roxspring at imapmail.org> wrote:

Hi folks,

UMA seems to be a great solution to model fine grained permissions and allow
scenarios such as "Alice shares Folder X with Bob".

Keycloak seems to implement this well with APIs for the resource server to
ask "Given [User] and [Folder X], can the user do [Scope]?" and provide
answers for both Alice and Bob based on some policy.

Where I'm struggling is that our application also needs to provide an answer
to "Given [User], which folders can they do [Scope] to?" and I'm not clear how
best to achieve this with Keycloak.

A. Track which folders a user owns or can access and answer the question
   directly in the resource server, but that results in the resource server
   having a rigid model of the authorization rules and loses the benefits of
   Keycloak's flexible policies (or duplicates the policy, which seems just as
   bad).
B. Have the resource server choose some subset of all folders and ask
   Keycloak to validate each resource, but that becomes very chatty and slow
   when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those the user
   can access, but that's also potentially slow with 1000s of resources to
   validate and 100s accessible.
   a. As above but with additional filtering by resource type to trim the
      options.
   b. As above but with additional filtering by attributes (e.g. where
      property:owner = "Alice").
   c. As above but with a full blown query language (e.g. "WHERE type=Folder
      AND (property:owner=Alice OR property:sharedwith contains Alice)").
D. ...?

I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way
to model such a (presumably common) scenario?

Thanks,

Rob
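The API Pedro points to is the permission-ticket listing that the Java client wraps. As an added example that is not part of this thread or of Keycloak's own code, here is the same lookup done over the Protection API directly, reduced to the answer Rob actually wants ("which folders can Bob do [Scope] to?"). It assumes the endpoint and query parameters as documented in the Keycloak Authorization Services guide (GET {base}/realms/{realm}/authz/protection/permission/ticket with requester, granted, returnNames, first, max, scopeId), authenticated with a Protection API Token obtained via the resource server's client credentials; the base URL, realm, client and user ids are placeholders, and the tickets and fake_fetch server are constructed for the offline demo. The caveat Pedro states applies: this only sees resources shared through UMA permission tickets, not access that a policy would grant without a ticket.

```python
"""Answer "which folders can this user do [scope] to?" from UMA permission
tickets. Added example; endpoint layout, parameter names and sample data are
assumptions/constructed, see the lead-in above."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict


def obtain_pat(base_url, realm, client_id, client_secret):
    """Protection API Token: a client_credentials grant for the resource server."""
    url = "%s/realms/%s/protocol/openid-connect/token" % (base_url.rstrip("/"), realm)
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))["access_token"]


def ticket_query_url(base_url, realm, requester_id, first=0, max_results=100,
                     scope_id=None, granted=True, return_names=True):
    """Build the ticket listing URL (assumed parameter names; see lead-in).
    granted=true keeps pending requests out; returnNames=true adds human-readable
    resource/scope names so the caller need not resolve ids separately."""
    params = {"requester": requester_id,
              "granted": "true" if granted else "false",
              "returnNames": "true" if return_names else "false",
              "first": str(first), "max": str(max_results)}
    if scope_id:
        params["scopeId"] = scope_id
    return "%s/realms/%s/authz/protection/permission/ticket?%s" % (
        base_url.rstrip("/"), urllib.parse.quote(realm), urllib.parse.urlencode(params))


def fetch_page(url, pat):
    """One real HTTP call; the PAT is a bearer token on the Protection API."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + pat})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def iter_tickets(base_url, realm, requester_id, pat, fetch=fetch_page,
                 page_size=100, scope_id=None):
    """Page through tickets with first/max so 1000s of shares do not arrive in
    one response; stops on the first short page."""
    first = 0
    while True:
        url = ticket_query_url(base_url, realm, requester_id, first=first,
                               max_results=page_size, scope_id=scope_id)
        page = fetch(url, pat)
        for ticket in page:
            yield ticket
        if len(page) < page_size:
            return
        first += page_size


def accessible_resources(tickets, scope=None):
    """Reduce tickets to {resource name: set of scope names}. Only granted
    tickets count; a ticket without a scope is treated as resource-wide."""
    result = defaultdict(set)
    for t in tickets:
        if not t.get("granted"):
            continue
        name = t.get("resourceName") or t.get("resource")
        scope_name = t.get("scopeName") or t.get("scope")
        if scope and scope_name not in (scope, None):
            continue
        result[name].add(scope_name)
    return dict(result)


# Constructed sample tickets (shape follows PermissionTicketRepresentation fields).
SAMPLE_TICKETS = [
    {"id": "t1", "ownerName": "alice", "requester": "bob-id", "resource": "r1",
     "resourceName": "Folder X", "scopeName": "folder:read", "granted": True},
    {"id": "t2", "ownerName": "alice", "requester": "bob-id", "resource": "r1",
     "resourceName": "Folder X", "scopeName": "folder:write", "granted": False},
    {"id": "t3", "ownerName": "alice", "requester": "bob-id", "resource": "r2",
     "resourceName": "Folder Y", "scopeName": "folder:read", "granted": True},
    {"id": "t4", "ownerName": "alice", "requester": "bob-id", "resource": "r2",
     "resourceName": "Folder Y", "scopeName": "folder:write", "granted": True},
    {"id": "t5", "ownerName": "carol", "requester": "bob-id", "resource": "r3",
     "resourceName": "Folder Z", "scopeName": "folder:read", "granted": True},
]


def fake_fetch(url, pat):
    """Constructed stand-in for Keycloak: honours granted/first/max like the endpoint."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    first, limit = int(qs["first"][0]), int(qs["max"][0])
    granted = qs.get("granted", ["true"])[0] == "true"
    rows = [t for t in SAMPLE_TICKETS if t["granted"] == granted]
    return rows[first:first + limit]


def demo_offline():
    """Offline walk-through: three paged requests, reduced to Bob's readable folders."""
    tickets = iter_tickets("https://keycloak.example/auth", "demo", "bob-id",
                           pat="constructed-pat", fetch=fake_fetch, page_size=2)
    return accessible_resources(tickets, scope="folder:read")


if __name__ == "__main__":
    print(demo_offline())
```

The reduction step is what turns option C's "validate everything" into a single indexed query on Keycloak's side: the server already knows which tickets name Bob as requester, so the resource server never has to enumerate folders itself. Anything a policy grants without a ticket (for example an admin role) still needs the ordinary authorization request, so in practice a resource server combines this list with its own ownership data.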
