[keycloak-user] Re: Keycloak Share a resource with other User

Nicola Messina nikmess at hotmail.it
Wed Sep 18 03:30:02 EDT 2019


I don't think that token is from Alice. The keycloak_helper class is:

public class keycloak_helper {

    public static PermissionResource getUserPermissionResource(HttpServletRequest request)
    {
        return getAuthzClient(request).protection().permission();
    }

    public static AuthzClient getAuthzClient(HttpServletRequest request) {
        return getAuthorizationContext(request).getClient();
    }

    private static ClientAuthorizationContext getAuthorizationContext(HttpServletRequest request) {
        return ClientAuthorizationContext.class.cast(getKeycloakSecurityContext(request).getAuthorizationContext());
    }

    public static KeycloakSecurityContext getKeycloakSecurityContext(HttpServletRequest request) {
        return KeycloakSecurityContext.class.cast(request.getAttribute(KeycloakSecurityContext.class.getName()));
    }
}

The code is taken from the photoz-uma example. At this point I don't know how to get this token; can you tell me how to get the token?
Can I retrieve Alice's token from the request parameter?
Is this information present in the documentation?

If you can explain this point for a moment, you would give me a great help.
Thanks, Nicola
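
Added example, not code from this thread or from the photoz-uma quickstart: one way to do what Pedro's reply in the quoted thread describes, calling the Protection API with the logged-in owner's own bearer token instead of the token that the no-argument protection() obtains with the client's own credentials. The class and method names are hypothetical; it assumes the adapter's policy enforcer is enabled, the resource has user-managed access enabled, and the AuthzClient version in use provides the protection(String accessToken) overload.

```java
import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthorizationContext;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;

// Hypothetical helper (added example, not part of photoz-uma).
public class ShareResourceHelper {

    public static PermissionTicketRepresentation shareWith(HttpServletRequest request,
            String resourceId, String requesterId, String scopeName) {
        // The adapter stores the validated security context as a request attribute.
        // Take the token and the owner id from here, never from a request
        // parameter that the caller controls.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getAuthorizationContext() == null) {
            throw new IllegalStateException(
                    "no Keycloak security/authorization context on this request");
        }

        String ownerToken = ctx.getTokenString();      // raw access token of the caller (alice)
        String ownerId = ctx.getToken().getSubject();  // "sub" claim, must be the resource owner

        AuthzClient authzClient =
                ((ClientAuthorizationContext) ctx.getAuthorizationContext()).getClient();

        PermissionTicketRepresentation ticket = new PermissionTicketRepresentation();
        ticket.setOwner(ownerId);
        ticket.setResource(resourceId);
        ticket.setRequester(requesterId);
        ticket.setScopeName(scopeName);
        ticket.setGranted(true);

        // protection(ownerToken) sends the owner's token as the bearer token, so
        // the server sees the owner as the subject when it checks the ticket.
        return authzClient.protection(ownerToken).permission().create(ticket);
    }
}
```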


________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Tuesday, 17 September 2019 14:14
To: Nicola Messina <nikmess at hotmail.it>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak Share a resource with other User

The AuthzClient should be using a token issued on behalf of alice when invoking the API for creating a ticket. Is that what is happening when you obtain the client and invoke the endpoint?

On Tue, Sep 17, 2019 at 5:40 AM Nicola Messina <nikmess at hotmail.it> wrote:
Hi Pedro,
thanks for the answer. Sorry, but I don't understand how. My code is:

     String resourceId="3707be30-6e85-4d48-92c9-afaf0750eaec";
     String DestinatarioId="4308881b-5754-44e4-a8c6-dbd13bbbc4a6";
     String scopeId="3497b93d-ae42-42ee-b825-f1da667902b4";

     String Soggetto = keycloak_helper.getKeycloakSecurityContext(request).getToken().getSubject();

     PermissionTicketRepresentation ticket = new PermissionTicketRepresentation();

     ticket.setOwner(Soggetto);
     ticket.setOwnerName("alice");

     ticket.setResource(resourceId);
     ticket.setResourceName("Foto-Vacci");

     ticket.setRequester(DestinatarioId);
     ticket.setRequesterName("bob");

     ticket.setScope(scopeId);
     ticket.setScopeName("foto:view");

     ticket.setGranted(true);

     keycloak_helper.getAuthzClient(request).protection().permission().create(ticket);

The request is made from the owner of the resource "alice" and this request is made from the Java backend, like the photoz example.
Can you help me understand what is wrong?

Kind regards

________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Monday, 16 September 2019 23:14
To: Nicola <nikmess at hotmail.it>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak Share a resource with other User

Hi,

Basically, only the owner can create tickets for his/her resources. You need to access the API using a bearer token where the owner of the resource is the subject.

Regards.
Pedro Igor

On Mon, Sep 16, 2019 at 3:21 PM Nicola <nikmess at hotmail.it> wrote:
Hi, I'm new to Keycloak. I'm watching the *photoz uma example*; in this
example a user can *create* a resource and then *share* it with other users. I'm
interested in this feature.

Checking the Javadoc, I've found that from a PermissionResource I can
create a *PermissionTicketRepresentation*, where I can set the resource, the
scope, the owner and the requester of the resource. I've tried this, but I
get

/{"error":"not_authorised","error_description":"permissions for
[3707be30-6e85-4d48-92c9-afaf0750eaec] can be only created by the owner"}/

So, how can I do this via code?
Kind regards



