<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px"><div id="yui_3_16_0_1_1455330097445_5134"><span id="yui_3_16_0_1_1455330097445_5396">Even our organization is looking for UMA modules (there are already a few vendors who offer some version of UMA) and a couple of months back I tried out something that Pedro put together which works with an old version of Keycloak. While I didn't explore the features in detail, I found that to be very nicely integrated with Keycloak and definitely in the right direction. If anyone wants to look at it, here is the link. Please make sure you follow all the build instructions (see&nbsp;</span><a href="https://github.com/pedroigor/keycloak-authz/issues/31" id="yui_3_16_0_1_1455330097445_5479" style="background-color: rgb(255, 255, 255);">https://github.com/pedroigor/keycloak-authz/issues/31</a>&nbsp;also)</div><div id="yui_3_16_0_1_1455330097445_5134" dir="ltr"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1455330097445_5136" dir="ltr"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1455330097445_5136" dir="ltr"><a href="https://github.com/pedroigor/keycloak-authz" id="yui_3_16_0_1_1455330097445_5559">https://github.com/pedroigor/keycloak-authz</a></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1455330097445_5136" dir="ltr"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1455330097445_5136" dir="ltr">Raghu<br></div><div class="yahoo_quoted" id="yui_3_16_0_1_1455330097445_5171" style="display: block;">  <div style="font-family: Courier New, courier, monaco, monospace, sans-serif; font-size: 13px;" id="yui_3_16_0_1_1455330097445_5170"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1455330097445_5169"> <div dir="ltr" id="yui_3_16_0_1_1455330097445_5168"> <font size="2" face="Arial" id="yui_3_16_0_1_1455330097445_5167"> <hr 
size="1"> <b><span style="font-weight:bold;">From:</span></b> Bill Burke &lt;bburke@redhat.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> keycloak-user@lists.jboss.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, February 3, 2016 2:03 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Course and Fine Grained Entitlements<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1455330097445_5172"><br><div id="yiv4189989917"><div id="yui_3_16_0_1_1455330097445_5173">
    Pedro is working on that... He has some stuff.&nbsp; Hope he responds.&nbsp;
    Not going to be part of Keycloak until 2.0 though.&nbsp; And yes, it's
    around UMA.<br clear="none">
    <br clear="none">
    <div class="yiv4189989917yqt0677440522" id="yiv4189989917yqtfd82859"><div class="yiv4189989917moz-cite-prefix" id="yui_3_16_0_1_1455330097445_5174">On 2/3/2016 1:47 PM, Guy Davis wrote:<br clear="none">
    </div>
    </div><blockquote type="cite" id="yui_3_16_0_1_1455330097445_5176"><div class="yiv4189989917yqt0677440522" id="yiv4189989917yqtfd43112">
      <div dir="ltr" id="yui_3_16_0_1_1455330097445_5175"><span style="font-size:12.8px;">Hi Lars,</span>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5177"><br clear="none">
        </div>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5178">Good question.&nbsp; My organization is
          also asking similar questions about adopting Keycloak.&nbsp; Let me
          give my understanding as a user, then Keycloak team can
          correct my misunderstandings.</div>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5179"><br clear="none">
        </div>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5180">Basically, Keycloak offers
          coarse-grained authorizations (<a rel="nofollow" shape="rect" target="_blank" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/per-realm-admin-permissions.html">realm-roles</a>&nbsp;and&nbsp;client-app&nbsp;<a rel="nofollow" shape="rect" target="_blank" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/roles.html">roles</a>) assigned to users (or&nbsp;<a rel="nofollow" shape="rect" target="_blank" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/groups.html" id="yui_3_16_0_1_1455330097445_5196">groups</a>). &nbsp;&nbsp;So I understand Keycloak will
          let you grant user Bob the 'myapp-admin' role.&nbsp; However, it
          falls to the backend service or application to then map that
          role to application-specific permissions.&nbsp; For example, role
          'myapp-admin' can access the /myapp/project1/admin page.&nbsp; This
          resource security can be done (for Java apps) in declarative
          fashion using web.xml security constraints.&nbsp; Alternatively,
          your application code could dynamically obtain the Keycloak
          user principal, check their roles, and map into your app's
          permission scheme. &nbsp;</div>
        <div style="font-size:12.8px;"><br clear="none">
        </div>
        <div style="font-size:12.8px;">This understanding implies that
          your application is responsible for an admin UI to map
          fine-grained permissions on your app's resources to Keycloak
          roles. &nbsp; If your app only has 'coarse-grained' resources, then
          you can probably just use Keycloak roles, with no need for a
          permission layer or the UI it entails.</div>
        <div style="font-size:12.8px;"><br clear="none">
        </div>
        <div style="font-size:12.8px;">Also, see this pre-amble about&nbsp;<a rel="nofollow" shape="rect" target="_blank" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e65">Permission Scopes</a>.&nbsp;In the future, it sounds
          like the Keycloak team is considering support for the&nbsp;<a rel="nofollow" shape="rect" target="_blank" href="https://docs.kantarainitiative.org/uma/draft-uma-core.html">UMA portion of the OAuth standard</a>.&nbsp; This
          may help with fine-grained permission management within
          Keycloak itself?</div>
        <div style="font-size:12.8px;"><br clear="none">
        </div>
        <div style="font-size:12.8px;">Hope this helps,</div>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5230">Guy</div>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5229"><br clear="none">
        </div>
        <div style="font-size:12.8px;" id="yui_3_16_0_1_1455330097445_5228">&lt;sorry, original response was
          only to Lars, now to list as well&gt;</div>
      </div>
      <div class="yiv4189989917gmail_extra" id="yui_3_16_0_1_1455330097445_5227"><br clear="none">
        <div class="yiv4189989917gmail_quote">On Tue, Feb 2, 2016 at 8:29 PM, Lars
          Noldan <span dir="ltr">&lt;<a rel="nofollow" shape="rect" ymailto="mailto:lars.noldan@drillinginfo.com" target="_blank" href="mailto:lars.noldan@drillinginfo.com">lars.noldan@drillinginfo.com</a>&gt;</span>
          wrote:<br clear="none">
          <blockquote class="yiv4189989917gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
            <div dir="ltr">We're in the investigation stage on moving
              from a $BigExpensiveVendor solution toward Keycloak, and
              we're looking for a solution to help manage both coarse-
              and fine-grained entitlements.&nbsp; Keycloak appears to be a
              fantastic authentication solution, but I'm wondering what
              are you, the Keycloak community, using to handle
              authorization?
              <div><br clear="none">
              </div>
              <div>Thanks!</div>
            </div>
            <br clear="none">
            _______________________________________________<br clear="none">
            keycloak-user mailing list<br clear="none">
            <a rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" target="_blank" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">
            <a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">
          </blockquote>
        </div>
        <br clear="none">
      </div>
      </div>
    </blockquote>
    <br clear="none">
    <pre class="yiv4189989917moz-signature">-- 
Bill Burke
JBoss, a division of Red Hat
<a rel="nofollow" shape="rect" class="yiv4189989917moz-txt-link-freetext" target="_blank" href="http://bill.burkecentral.com/">http://bill.burkecentral.com</a></pre><div class="yiv4189989917yqt0677440522" id="yiv4189989917yqtfd20809">
  </div></div></div><br></div> </div> </div>  </div></div></body></html>