Reminder - this list has moved
by Stian Thorgersen
The developer mailing list was moved to Google Groups. Please sign-up to
the new list here:
https://groups.google.com/forum/#!forum/keycloak-user/join
Please send new posts to the new mailing list (
keycloak-user(a)googlegroups.com).
To reply to existing threads, please add the new mailing list (add
keycloak-user(a)googlegroups.com) and remove the old (remove
keycloak-user(a)lists.jboss.org).
All messages to keycloak-user(a)lists.jboss.org will be rejected going
forward.
5 years
Re: [keycloak-user] Manage Access to Resources via own App
by David Sautter
Hi Pedro,
thanks for the endpoint URL.
I don’t quite understand what you meant by “the other option”. How can I replace the “shared-with-me” endpoint and the “show Resources shared with others” endpoint with something else?
If I’m correct that this is not possible, I would argue that those endpoints should be documented ASAP.
Thank you very much!
Mit freundlichen Grüßen/ Best Regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
The content of this e-mail is intended exclusively for the addressee(s). It may contain information that is confidential and/or legally protected. Any viewing, forwarding, distribution or use by persons or entities other than the intended addressee is prohibited.
If you have received this e-mail in error, please inform the sender and delete the data from your computer.
If you are not the intended recipient of this message, you are hereby notified that any dissemination, use or distribution of this message is unauthorized and prohibited. Please immediately notify the sender that you have received this message and destroy the original.
Although this message has been checked for viruses, it is not guaranteed to be virus-free. You are strongly advised to perform another virus check of any attachment before opening it.
Geschäftsführung / Executive Board: Christian Leicher (Vorsitzender / Chairman), Peter Riedel, Sitz der Gesellschaft / Company's Place of Business: München, Registereintrag / Commercial Register No.: HRA 16 270, Persönlich haftender Gesellschafter / Personally Liable Partner: RUSEG Verwaltungs-GmbH, Sitz der Gesellschaft / Company's Place of Business: München, Registereintrag / Commercial Register No.: HRB 7 534, Umsatzsteuer-Identifikationsnummer (USt-IdNr.) / VAT Identification No.: DE 130 256 683, Elektro-Altgeräte Register (EAR) / WEEE Register No.: DE 240 437 86
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, December 10, 2019 8:28 PM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: Re: Re: [keycloak-user] Manage Access to Resources via own App
It should be `/{realm}/account/resources`. The API is under development though and I'm not sure if we have documented how to enable it.
AFAIK, you need to start your server with the `keycloak.profile.feature.account_api` feature.
But as we discussed, all the functionality you are looking for can also be achieved through the other option.
On Tue, Dec 10, 2019 at 8:20 AM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hello Pedro,
thank you very much, that is indeed helpful.
One thing is still missing in my picture: What is the whole URL path to the Resources Service?
Thanks!
Mit freundlichen Grüßen/ Best Regards,
David Sautter
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, December 10, 2019 11:35 AM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: Re: [keycloak-user] Manage Access to Resources via own App
On Tue, Dec 10, 2019 at 6:40 AM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hi Pedro,
thank you very much for your reply.
I took a look at the endpoints and now wonder what the correct URL of each of those is:
1. show Resources shared with me:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
+1
2. show Resources shared with others (and show with whom it is shared):
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
+1
3. Query Resource with specific attribute set to a specific value (not found)
Not supported. The Account REST API provides some basic filter parameters (e.g.: name) and we have this https://www.keycloak.org/docs/latest/authorization_services/index.html#ge.... None of them provide support for querying based on attributes.
4. Show waiting permission requests:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
+1
5. Grant a new scope-based permission to another user on a specific Resource:
Both should work, but depend on what you want to do ...
is it this? https://www.keycloak.org/docs/latest/authorization_services/index.html#as...
This endpoint allows you to create permissions for user-owned resources without having to go through the whole UMA flow (using a permission ticket). It provides a "share" behavior but using different policies such as roles, group, etc. So that you can share, for instance, the user resource with a group of users, a single user, etc.
Permissions created here are automatically granted (no approval) and can be revoked by the resource owner.
or rather this? https://www.keycloak.org/docs/latest/authorization_services/index.html#cr...
This one allows you to create the UMA permissions just like you would when doing the UMA flow. It is user-2-user sharing (differently from the other one, which allows you to define different policies).
which one is associated with the waiting permission requests from 4.?
The second one. But like I said, permissions created through #1 can be *revoked* anytime by the user too.
6. Revoke a granted permission:
correct? https://www.keycloak.org/docs/latest/authorization_services/index.html#de...
+1
It would be very nice if you could clarify those points. Thank you very much!
Mit freundlichen Grüßen/ Best Regards,
David Sautter
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Thursday, December 5, 2019 7:11 PM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: [keycloak-user] Manage Access to Resources via own App
Hi David,
You can take a look at the work that has been done so far to the new account console, which now relies on an API [1] (documentation is a WIP) to manage resources.
From our doc side, I would suggest you to look here:
* https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
* https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-ph...
[1] https://github.com/keycloak/keycloak/tree/master/services/src/main/java/o...
Regards.
Pedro Igor
On Thu, Dec 5, 2019 at 4:33 AM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hello,
I want to build an application that looks like the “My-Resources” site which Keycloak provides.
It should be possible to share access to different Resources defined on different clients and also list those sharings etc.
I’m trying to find the relevant endpoints I would need to call from my application. Is there a place where I can see the exact requests that the “My-Resources” site is doing (it’s server rendered…)?
Mit freundlichen Grüßen/ Best Regards,
David Sautter
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5 years
Re: [keycloak-user] Evaluating scope-based permissions
by David Sautter
Sure, will do.
Thank you!
Mit freundlichen Grüßen/ Best Regards,
David Sautter
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Tuesday, December 10, 2019 8:48 PM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: [keycloak-user] Evaluating scope-based permissions
If you are enforcing access to your app based on scopes you won't be able to perform the action because it is missing.
But I agree, I also think we should just return a DENY for that case. I can't remember now the use case we had in mind for it, but I'm glad to review this and change.
It should be a matter of ignoring resources associated with policies when they are scope-based. Would you mind creating a JIRA (so we can track the reporter)?
Regards.
Pedro Igor
On Tue, Dec 10, 2019 at 2:17 PM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hi,
in Authorization Services there is something that feels like an unintuitive thing – or bug – to me:
In Authorization Services, I have a Resource R1 with three associated scopes S1, S2, S3.
I create a scope-based permission + user-based policy to allow a user u1 access to R1 only for S1.
Now I evaluate:
· Can u1 do S1 on R1? -> permit
· Can u1 do S2 on R1? -> permit (WAT?)
I see that the second case returns permit with no scopes, but I would expect deny.
Is this intended behavior, and would I need to filter this again after evaluation?
Mit freundlichen Grüßen/ Best Regards,
David Sautter
5 years
Evaluating scope-based permissions
by David Sautter
Hi,
in Authorization Services there is something that feels like an unintuitive thing – or bug – to me:
In Authorization Services, I have a Resource R1 with three associated scopes S1, S2, S3.
I create a scope-based permission + user-based policy to allow a user u1 access to R1 only for S1.
Now I evaluate:
· Can u1 do S1 on R1? -> permit
· Can u1 do S2 on R1? -> permit (WAT?)
I see that the second case returns permit with no scopes, but I would expect deny.
Is this intended behavior, and would I need to filter this again after evaluation?
Mit freundlichen Grüßen/ Best Regards,
David Sautter
5 years
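The "Evaluating scope-based permissions" thread above reports that asking "can u1 do S2 on R1?" returns permit with no granted scopes, and Pedro's reply notes that an application enforcing access on scopes cannot perform the action because the scope is missing. The following added example (not Keycloak code, and not from either poster) shows the filtering step David asks about: a resource server reads the granted scopes from the `authorization.permissions` claim of a decoded RPT and treats a permission that names the resource but grants no scope as a deny for any scope-based request. The RPT claim below is a constructed sample; the resource ids and names are made up.

```python
"""
Scope-aware consumption of a Keycloak authorization decision (added example,
not Keycloak code).

The thread reports that evaluating "can u1 do S2 on R1?" returns PERMIT even
though the only permission grants S1: the resource is permitted but no scope
is granted. A resource server that enforces per-scope access must therefore
look at the granted scopes, not at the PERMIT/DENY verdict alone.
"""
from typing import Dict, List, Set

# Constructed sample of the `authorization.permissions` claim of a decoded RPT
# (Keycloak's rsid/rsname/scopes layout; ids and names are made up).
SAMPLE_RPT_CLAIMS: Dict = {
    "authorization": {
        "permissions": [
            # u1 holds S1 on R1 through a scope-based permission.
            {
                "rsid": "00000000-0000-4000-8000-000000000001",
                "rsname": "R1",
                "scopes": ["S1"],
            },
            # A permission that grants resource R2 without naming any scope;
            # this is the "permit with no scopes" shape the thread describes.
            {
                "rsid": "00000000-0000-4000-8000-000000000002",
                "rsname": "R2",
            },
        ]
    }
}


def permissions(rpt_claims: Dict) -> List[Dict]:
    """Return the permissions list, tolerating an RPT with no authorization claim."""
    return rpt_claims.get("authorization", {}).get("permissions", []) or []


def _names_resource(perm: Dict, resource: str) -> bool:
    """True if the permission entry refers to `resource` by name or by id."""
    return resource in (perm.get("rsname"), perm.get("rsid"))


def granted_scopes(rpt_claims: Dict, resource: str) -> Set[str]:
    """Scopes granted on `resource`, matched by resource name or id.

    A permission entry without a `scopes` key contributes nothing, so a
    resource-only grant never implies any scope.
    """
    scopes: Set[str] = set()
    for perm in permissions(rpt_claims):
        if _names_resource(perm, resource):
            scopes.update(perm.get("scopes") or [])
    return scopes


def resource_granted(rpt_claims: Dict, resource: str) -> bool:
    """Resource-level decision: some permission names the resource at all."""
    return any(_names_resource(perm, resource) for perm in permissions(rpt_claims))


def is_permitted(rpt_claims: Dict, resource: str, scope: str) -> bool:
    """Scope-level decision: only an explicitly granted scope counts.

    This is the post-evaluation filter the thread asks about: "permit with no
    scopes" becomes a deny for any scope the caller actually needs.
    """
    return scope in granted_scopes(rpt_claims, resource)


def decide(rpt_claims: Dict, resource: str, scope: str) -> str:
    """Verdict string for logging or for comparing with the evaluator's output."""
    if is_permitted(rpt_claims, resource, scope):
        return "PERMIT"
    if resource_granted(rpt_claims, resource):
        return "DENY (resource granted, scope %s not granted)" % scope
    return "DENY (resource not granted)"


if __name__ == "__main__":
    for res, sc in (("R1", "S1"), ("R1", "S2"), ("R2", "S1"), ("R3", "S1")):
        print(res, sc, "->", decide(SAMPLE_RPT_CLAIMS, res, sc))
```

The point of `decide` is the middle branch: the evaluator's verdict and the resource server's verdict differ exactly when a resource is granted without the requested scope, which is the case reported in the thread. Logging that branch separately makes the gap visible when reviewing access decisions.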
Re: [keycloak-user] Manage Access to Resources via own App
by David Sautter
Hello Pedro,
thank you very much, that is indeed helpful.
One thing is still missing in my picture: What is the whole URL path to the Resources Service?
Thanks!
Mit freundlichen Grüßen/ Best Regards,
David Sautter
5 years
chrome, basic http auth popup
by lists
Hi!
We use keycloak for OIDC auth on a wordpress site, using this plugin:
https://www.daggerhart.com/openid-connect-generic/
Lately (perhaps since 8.0.1?) when using chrome, we are getting a http
basic auth popup, where users are requested to authenticate using their
username/password. This seems to originate from keycloak, but it does not
work, and only after cancelling it does the regular keycloak logon page
load, and we can authenticate.
Anyone with an idea where to disable these basic http auth popups?
Why does this come up? Where is that decided..? In Keycloak..? Is there
a toggle somewhere?
Thanks!
5 years
Keycloak policy-enforcer, very strange and dangerous behaviour - scope based policy
by Matteo Restelli
Hi guys,
We're experiencing a strange behaviour during our tests on our
authorization policies.
I've defined a resource in the policy adapter as the following:
{
  "name": "test",
  "path": "/test/{id}/test",
  "methods": [
    {
      "method": "GET",
      "scopes": [
        "list_test_scope"
      ]
    }
  ],
  "claim-information-point": {
    "claims": {
      "organization": "{request.relativePath}"
    }
  }
}
Then, in Keycloak, I've defined:
- the scope list_test_scope
- a role based policy
- a resource named "test" with the uri /test/{id}/test
- a permission associating the resource, the scope and the policy
Everything works fine when I make a GET request to the endpoint: if the
user has the role, he can access the endpoint, otherwise he receives a 403.
But if I make another request to the same endpoint with a different HTTP
method, like a POST, nothing blocks me: I can reach the endpoint and I
receive a 405 - Method not allowed (because I've not defined the operation
on the endpoint). Why am I not receiving a 403 error in this case?
Shouldn't the user be blocked by the fact that this method is not mapped /
the user does not have the scope?
I've already read the following post:
https://lists.jboss.org/pipermail/keycloak-user/2019-February/017174.html
But removing the resource from the permission doesn't work. Still, I'm
experiencing the same behaviour (I don't know if something related to the
cache is not working well).
Can you help us please?
--
This email is reserved
exclusively for sending and receiving messages inherent working activities,
and is not intended nor authorized for personal use. Therefore, any
outgoing messages or incoming response messages will be treated as company
messages and will be subject to the corporate IT policy and may possibly to
be read by persons other than by the subscriber of the box. Confidential
information may be contained in this message. If you are not the address
indicated in this message, please do not copy or deliver this message to
anyone. In such case, you should notify the sender immediately and delete
the original message.
5 years
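The policy-enforcer question above describes a path whose `methods` list maps only GET to a scope, and a POST to the same path that was not blocked. Whatever the enforcer does with an unlisted method on a given Keycloak version, a method the application serves but that has no scope mapping is a gap worth catching before deployment. The following added example (not Keycloak code, and not from the poster) audits a policy-enforcer `paths` configuration for such gaps. The configuration is a constructed sample whose first path mirrors the one posted in the thread; the two extra paths and the `SERVED_METHODS` table (the methods the application actually serves, which in a real build would come from the router or OpenAPI document) are assumptions.

```python
"""
Audit of a Keycloak policy-enforcer `paths` configuration (added example,
not Keycloak code).

For each path, every HTTP method the application serves is checked against
the `methods` entries of the enforcer config; a served method with no entry,
or with an empty `scopes` list, is reported as unmapped.
"""
import json
from typing import Dict, List, Set

# Constructed sample: the first path mirrors the resource posted in the thread;
# the other two are made up to show a fully mapped path and a path with no
# method mapping at all.
ENFORCER_CONFIG: Dict = json.loads("""
{
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "test",
        "path": "/test/{id}/test",
        "methods": [
          {"method": "GET", "scopes": ["list_test_scope"]}
        ],
        "claim-information-point": {
          "claims": {"organization": "{request.relativePath}"}
        }
      },
      {
        "name": "items",
        "path": "/items",
        "methods": [
          {"method": "GET", "scopes": ["item:read"]},
          {"method": "POST", "scopes": ["item:create"]}
        ]
      },
      {
        "name": "open",
        "path": "/open"
      }
    ]
  }
}
""")

# Assumption: the HTTP methods the application actually serves on each path.
# In a real build this would come from the router or the OpenAPI document.
SERVED_METHODS: Dict[str, Set[str]] = {
    "/test/{id}/test": {"GET", "POST"},
    "/items": {"GET", "POST"},
    "/open": {"GET"},
}


def scope_map(path_config: Dict) -> Dict[str, List[str]]:
    """HTTP method -> scopes it is mapped to in this path entry."""
    return {
        m.get("method", "").upper(): list(m.get("scopes") or [])
        for m in path_config.get("methods") or []
    }


def unmapped_methods(path_config: Dict, served: Set[str]) -> List[str]:
    """Served methods that have no scope mapping (missing or empty `scopes`)."""
    mapped = scope_map(path_config)
    return sorted(m for m in served if not mapped.get(m.upper()))


def audit(config: Dict, served_methods: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Path -> served methods without a scope mapping; an empty dict means all mapped."""
    findings: Dict[str, List[str]] = {}
    for path_config in config["policy-enforcer"].get("paths", []):
        path = path_config["path"]
        gaps = unmapped_methods(path_config, served_methods.get(path, set()))
        if gaps:
            findings[path] = gaps
    return findings


if __name__ == "__main__":
    for path, gaps in audit(ENFORCER_CONFIG, SERVED_METHODS).items():
        print("%s: no scope mapping for %s" % (path, ", ".join(gaps)))
```

Run against the sample, the audit reports `POST` on `/test/{id}/test` (the case from the thread) and `GET` on `/open`, and nothing for `/items`. Listing every served method with the scope it requires is the explicit configuration the format supports; whether an unlisted method is denied or falls through to a resource-level check should still be verified against the deployed Keycloak version, as the thread itself does.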