Re: [keycloak-user] Authorization Services and UMA 2.0 changes

Hi All, We are about to finish the initial round of changes to make Keycloak Authorization Services compliant with UMA 2.0. One of the main changes is related with a new OAuth2 Grant Type introduced by UMA 2.0 [1] and how it will be used as a replacement for both Entitlement and Authorization API. In UMA 2.0, there is no Authorization API anymore, thus it will be removed on future versions of Keycloak. Regarding Entitlement API, it will also be removed in favor of the new grant type, but in this case we are using some extensions to UMA grant type to provide the same functionality. One of the objectives of this change in particular is to have a single endpoint from where permissions can be obtained. Another important change is also related with UMA where end-users should be able now to manage their own resource and permissions via Account Management Console. Users would be able to access a "Resource" page from where they can: * See the resources they own * Check for pending permission requests (waiting for the owners approval). As well options to grant/deny the request. * Check for all "shared resources" / granted permissions. As well options to revoke permissions * Select an user they want to grant access to a resource and/or scope Other changes are related with the Policy Enforcer, Authorization Client Java API and configuration. For these areas in particular changes are minimal, specially regarding policy enforcer configuration. These changes are targeted to Keycloak v4 and we'll be updating docs accordingly, specially on how to migrate to the new version. Regards. Pedro Igor [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user