<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Pedro is working on that... He has some stuff. Hope he responds.
Not going to be part of Keycloak until 2.0 though. And yes, it's
around UMA.<br>
<br>
<div class="moz-cite-prefix">On 2/3/2016 1:47 PM, Guy Davis wrote:<br>
</div>
<blockquote
cite="mid:CAAgmn1oH+BpafB+YL9b=rEz3CeGxp9DLOOJf9_zVJB36F38SZg@mail.gmail.com"
type="cite">
<div dir="ltr"><span style="font-size:12.8px">Hi Lars,</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Good question. My organization is
also asking similar questions about adopting Keycloak. Let me
give my understanding as a user, then the Keycloak team can
correct my misunderstandings.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Basically, Keycloak offers
coarse-grained authorizations (<a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/per-realm-admin-permissions.html"
target="_blank">realm-roles</a> and client-app <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/roles.html"
target="_blank">roles</a>) assigned to users (or <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/groups.html"
target="_blank">groups</a>). So I understand Keycloak will
let you grant user Bob the 'myapp-admin' role. However, it
falls to the backend service or application to then map that
role to application-specific permissions. For example, role
'myapp-admins' can access /myapp/project1/admin page. This
resource security can be done (for Java apps) in declarative
fashion using web.xml security constraints. Alternatively,
your application code could dynamically obtain the Keycloak
user principal, check their roles, and map into your app's
permission scheme. </div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">This understanding implies that
your application is responsible for an admin UI to map
fine-grained permissions on your app's resources to Keycloak
roles. If your app only has 'coarse-grained' resources, then
you can probably just use Keycloak roles, with no need for a
permission layer or the UI it entails.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Also, see this pre-amble about <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e65"
target="_blank">Permission Scopes</a>. In future, it sounds
like Keycloak team is considering support for the <a
moz-do-not-send="true"
href="https://docs.kantarainitiative.org/uma/draft-uma-core.html"
target="_blank">UMA portion of the OAuth standard</a>. This
may help with fine-grained permission management within
Keycloak itself?</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Hope this helps,</div>
<div style="font-size:12.8px">Guy</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">&lt;sorry, original response was
only to Lars, now to list as well&gt;</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 2, 2016 at 8:29 PM, Lars
Noldan <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:lars.noldan@drillinginfo.com" target="_blank">lars.noldan@drillinginfo.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">We're in the investigation stage on moving
from a $BigExpensiveVendor solution toward keycloak, and
we're looking for a solution to help manage both coarse
and fine grained entitlements. Keycloak appears to be a
fantastic authentication solution, but I'm wondering what
are you, the keycloak community, using to handle
Authorization?
<div><br>
</div>
<div>Thanks!</div>
</div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
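<br>
The role-to-permission mapping Guy describes above (Keycloak hands the app a role such as 'myapp-admin'; the app itself decides what that role may do), shown as an added example that is not code from this thread or from the Keycloak project. It uses the Keycloak Java servlet adapter's KeycloakSecurityContext request attribute and the AccessToken's realm and client role claims, which are real adapter APIs; the role names ('myapp-admin', 'myapp-user'), the client id 'myapp', the Permission enum and the /project1/admin path are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Application-specific permissions. These names are this example's, not Keycloak's. */
enum Permission { PROJECT_READ, PROJECT_ADMIN }

/** Protects /myapp/project1/admin by mapping Keycloak roles to app permissions. */
@WebServlet("/project1/admin")
public class ProjectAdminServlet extends HttpServlet {

    // Assumed client id this application is registered as in Keycloak.
    static final String CLIENT_ID = "myapp";

    // Application-owned mapping from Keycloak role names (assumed) to permissions.
    // Any role not listed here grants nothing, so the default is deny.
    static final Map<String, Set<Permission>> ROLE_TO_PERMISSIONS = new HashMap<>();
    static {
        ROLE_TO_PERMISSIONS.put("myapp-admin", EnumSet.of(Permission.PROJECT_READ, Permission.PROJECT_ADMIN));
        ROLE_TO_PERMISSIONS.put("myapp-user", EnumSet.of(Permission.PROJECT_READ));
    }

    /** Collect realm roles plus this client's roles from the adapter-verified access token. */
    static Set<String> rolesFrom(AccessToken token) {
        Set<String> roles = new HashSet<>();
        AccessToken.Access realm = token.getRealmAccess();
        if (realm != null && realm.getRoles() != null) {
            roles.addAll(realm.getRoles());
        }
        AccessToken.Access client = token.getResourceAccess(CLIENT_ID);
        if (client != null && client.getRoles() != null) {
            roles.addAll(client.getRoles());
        }
        return roles;
    }

    /** Union of the permissions granted by each role; unknown roles add nothing. */
    static Set<Permission> permissionsFor(Set<String> roles) {
        Set<Permission> granted = EnumSet.noneOf(Permission.class);
        for (String role : roles) {
            granted.addAll(ROLE_TO_PERMISSIONS.getOrDefault(role, Collections.<Permission>emptySet()));
        }
        return granted;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The Keycloak adapter sets this attribute only after it has authenticated the request.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Set<Permission> granted = permissionsFor(rolesFrom(ctx.getToken()));
        if (!granted.contains(Permission.PROJECT_ADMIN)) {
            // Authenticated, but the token's roles do not map to the permission this page needs.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("project1 admin page for " + ctx.getToken().getPreferredUsername());
    }
}
```

The declarative alternative Guy mentions is a web.xml security-constraint whose auth-constraint names the Keycloak role directly; the adapter's use-resource-role-mappings setting in keycloak.json decides whether such container role checks (and request.isUserInRole) look at realm roles or at the client's roles. The programmatic version above is what you need once a single role has to expand into several application permissions, and keeping the mapping table in the app rather than in Keycloak is exactly the responsibility the thread is pointing out.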
</body>
</html>