[keycloak-user] [UMA] Submitting Permission Request

sesnor.silva at sapo.pt sesnor.silva at sapo.pt
Tue Nov 26 10:37:45 EST 2019


Hi Pedro,

Thank you for your reply.

Sadly I'm still having trouble understanding how this "ticket" is
generated. Is this something that you have to generate on the
backend/resource server manually? I.e., do I generate this ticket every
time there's an HTTP 401 error? If so, what are the rules for
generating it? How will Keycloak know that this ticket is legitimate, and how
does it know which resource it's pointing to?

Thank you and best regards,
Silva
 

Quoting Pedro Igor Silva <psilva at redhat.com>:

> Hi,
>
> From a frontend perspective, you get a PT after trying to access a  
> UMA protected resource for the first time (when lacking the required  
> permissions). You should be able to obtain it through the  
> WWW-Authenticate header as described  
> here https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_uma_authorization_process.
>
> But you should also be able to obtain permissions for a resource
> owner by just invoking the token endpoint directly as described
> here https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions,
> as long as the access token you pass (as a bearer, for instance) is
> representing the owner as the subject.
>
> On Fri, Nov 15, 2019 at 4:33 PM <sesnor.silva at sapo.pt> wrote:
>
>> Hello,
>>
>> I'm trying to implement a frontend interface for requesting 
>> permissions to resource owners, however I'm having trouble 
>> understanding what a "permission_ticket" is.
>>
>> According to the documentation
>> (https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_aat),
>> a permission request requires a "ticket=${permission_ticket}"
>> parameter. How do I obtain this ticket? Can I build it myself?
>>
>> The previous section states: "The resource server sends a response 
>> back to the client with a permission ticket and a as_uri parameter 
>> with the location of a Keycloak server to where the ticket should be 
>> sent in order to obtain an RPT."  But I'm not sure how I make my 
>> API/Resource Server do this.
>>
>> Can I request access to a resource owner through any other method?
>>
>> Thank you,
>> Silva
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>  
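
The client side of the exchange discussed in this thread, as an added example that is not part of the original messages or of Keycloak's own code: it parses the `WWW-Authenticate: UMA` challenge returned with the 401 and builds the token request that trades the ticket for an RPT. The function names, the sample header, the `trustedIssuers` allow-list and the token endpoint path appended to `as_uri` are assumptions; `submit_request` is the Keycloak token-endpoint parameter that asks the server to create a permission request for the owner to approve.

```javascript
// Added example: frontend handling of a UMA 401 challenge. All sample values are constructed.

// Parse `WWW-Authenticate: UMA realm="...", as_uri="...", ticket="..."`.
// Returns { realm, as_uri, ticket } or null when this is not a usable UMA challenge.
function parseUmaChallenge(header) {
  if (typeof header !== "string") return null;
  const m = /^\s*UMA\s+(.*)$/is.exec(header);
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z_]+)\s*=\s*"((?:[^"\\]|\\.)*)"/g;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    params[p[1].toLowerCase()] = p[2].replace(/\\(.)/g, "$1"); // unescape quoted-string
  }
  return params.ticket && params.as_uri ? params : null;
}

// Build the fetch() arguments that exchange the ticket for an RPT.
function buildRptRequest(challenge, accessToken, trustedIssuers, submitRequest = false) {
  // as_uri is supplied by the resource server's response: only send the
  // bearer token to an authorization server the client already trusts.
  const issuer = challenge.as_uri.replace(/\/+$/, "");
  if (!trustedIssuers.includes(issuer)) {
    throw new Error("untrusted as_uri: " + issuer);
  }
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket",
    ticket: challenge.ticket, // opaque value issued by the server, passed through unchanged
  });
  if (submitRequest) body.set("submit_request", "true");
  return {
    url: issuer + "/protocol/openid-connect/token", // assumed Keycloak token endpoint path
    init: {
      method: "POST",
      headers: {
        Authorization: "Bearer " + accessToken,
        "Content-Type": "application/x-www-form-urlencoded",
      },
      body: body.toString(),
    },
  };
}

// Constructed sample challenge (placeholder realm, host and ticket).
const SAMPLE_HEADER =
  'UMA realm="demo", as_uri="https://sso.example.test/auth/realms/demo", ' +
  'ticket="00000000-aaaa-bbbb-cccc-000000000000"';
```

The result is used as `fetch(req.url, req.init)`; the client never constructs the ticket itself and only relays the value taken from the challenge.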

 

