[keycloak-user] [UMA] Submitting Permission Request
Pedro Igor Silva
psilva at redhat.com
Tue Nov 26 14:08:03 EST 2019
On Tue, Nov 26, 2019 at 12:37 PM <sesnor.silva at sapo.pt> wrote:
> Hi Pedro,
>
> Thank you for your reply.
>
> Sadly I'm still having trouble understanding how this "ticket" is
> generated. Is this something that you have to generate on the
> backend/resource server manually? I.E. Do I generate this ticket every time
> there's a HTTP 401 error? If so, what are the rules for generating it? How
> will keycloak know that is ticket is legitimate how does it know which
> resource it's pointing to?
>
Yes, the ticket is created based on an API call from your application
(resource server) to the Protection API (see
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_permission_api_papi
).
Every time a request is lacking permissions, your application make this
call to generate a ticket referencing the resource/scopes being requested.
The ticket has a very short lifetime, audience and is signed. That is
basically what we use when validating it.
>
> Thank you and best regards,
> Silva
>
>
> Citando Pedro Igor Silva <psilva at redhat.com>:
>
> Hi,
> From a frontend perspective, you get a PT after trying to access a UMA
> protected resource for the first time (when lacking the required
> permissions). You should be able to obtain it through the WWW-Authenticate
> header as described here
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_uma_authorization_process
> .
> But you should also be able to obtain permissions for a resource owner by
> just invoking the token endpoint directly as described here
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions,
> as long as the access token you pass (as a bearer, for instance) is
> representing the owner as the subject.
>
> On Fri, Nov 15, 2019 at 4:33 PM <sesnor.silva at sapo.pt> wrote:
>
>> Hello,
>>
>> I'm trying to implement a frontend interface for requesting
>> permissions to resource owners, however I'm having trouble
>> understanding what a "permission_ticket" is.
>>
>> According to the documentation
>> (
>> https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_aat),
>> a permission request requires a "ticket=${permission_ticket}" parameter.
>> How do I obtain this ticket? Can I build it
>> myself?
>>
>> The previous section states: "The resource server sends a response
>> back to the client with a permission ticket and a as_uri parameter
>> with the location of a Keycloak server to where the ticket should be
>> sent in order to obtain an RPT." But I'm not sure how I make my
>> API/Resource Server do this.
>>
>> Can I request access to a resource owner through any another method?
>>
>> Thank you,
>> Silva
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>
>
More information about the keycloak-user
mailing list