Re: [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Hi Pedro, Thanks a lot for your quick reply. I have been looking at the methods, and actually learned from the exact example you refer to. Maybe my examples were not clear enough. For question 2: Suppose that user "test" owns resource A and he want to see (like in the my account interface) a table with all the active and pending permissions including the identifier of the user that made the request. Shared resources-> Resource A user B scope read, write Pending requests-> Resource A user C scope read With the following query: curl --request GET \ --url 'http://127.0.0.1:8080/auth/realms/master/authz/protection/permission?returnNames=true&owner=test' \ --header 'authorization: Bearer xxx' I get a list of the permissions (where granted = true are the authorised ones and granted = false the pending ones): [ { "id": "08dccaed-6dbb-47aa-a87c-55b35a6f2523", "owner": "567c20ad-7d42-4908-bb53-af26c64534e7", "resource": "218091a8-e5fc-460c-a306-a3a76775c784", "scope": "65e40351-bce4-4e3f-825d-7bca9d78d12e", "granted": true, "scopeName": "read", "resourceName": "8910" }, { "id": “xxxx", "owner": "567c20ad-7d42-4908-bb53-af26c64534e7", "resource": "218091a8-e5fc-460c-a306-a3a76775c784", "scope": "65e40351-bce4-4e3f-825d-7bca9d78d12e", "granted": false, "scopeName": "read", "resourceName": "8910" } ] so the result does not allow me to know who was the “requester” (which I don’t know apriori since the query is about all potential requesters) so my idea was that when you use returnNames=true parameter you could add as well the requester, e.g.: { "id": "08dccaed-6dbb-47aa-a87c-55b35a6f2523", "owner": "567c20ad-7d42-4908-bb53-af26c64534e7", "resource": "218091a8-e5fc-460c-a306-a3a76775c784", "scope": "65e40351-bce4-4e3f-825d-7bca9d78d12e", "granted": true, "scopeName": "read", "resourceName": “8910”, “requester”:”xxxxx”, “requesterName”:”test” }, We realised that by trying to create resources and seeing that using user authentication you get 500 error while using client authentication it works (even though UMA specs is not limiting the access to that). We found out by testing also that the permission endpoint works also with user access tokens. Now the first question was how to “share” directly a resource with a user. Currently using the API, supposing I am user A and I want to access a resource Z from user B, we proceed as follow (i hope is the correct way… any correction or guidance will be appreciated): 1. We create a permission request on the API (to get the ticket). E.g. read resource x 2. We use the ticket to ask for a rtp token using a user token. curl --request POST \ --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \ --header 'Authorization: Bearer xxx' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx' If the user has already access, then he gets the rtp, if not he gets: { "error": "access_denied", "error_description": "request_submitted" } Only in this moment the permission ticket i created at step 1 appears in the list of permissions. (I am not sure this is the intended behaviour though). Then is up to the owner to authorise access (via API we can do that by updating the permission and set granted to true) Now let’s suppose that I am the owner of the resource A, and I want to authorise directly (without the user asking access to the resource A) the user Z to access it. How can I do that? At the time being I could not figure it out. Also, out of curiosity is there are a way i can list all resources i can access thanks either to UMA permission or policies? That would be very handful. Suppose that you have an API that with GET /resources list you all the resources, there should be a way to filter the returned resources only based on the one you can access. This could be done easily if you could get a list of the resources you can access. Otherwise, you would need for each resource returned in the list to generate a query asking if the user x can access the specific resource. Not very scalable. Thanks! Federico Dr. FEDERICO MICHELE FACCA Head of Martel Lab 0041 78 807 58 38 Martel Innovate <https://www.martel-innovate.com/> - Professional support for innovation projects Click to download our innovators' insights! <https://www.martel-innovate.com/premium-content/> Follow Us on Twitter <https://twitter.com/Martel_Innovate>