Hi,
On 11 May 2018 at 18:04, Pedro Igor Silva <psilva(a)redhat.com> wrote:
On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca <federico.facca(a)martel-innovate.com> wrote:
>
> Now the first question was how to “share” directly a resource with a user.
>
> Currently, using the API, supposing I am user A and I want to access a
> resource Z from user B, we proceed as follows (I hope this is the correct way;
> any correction or guidance will be appreciated):
>
> 1. We create a permission request on the API (to get the ticket). E.g.
> read resource x
>
> 2. We use the ticket to ask for an RPT token using a user token.
>
> curl --request POST \
>   --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
>   --header 'Authorization: Bearer xxx' \
>   --header 'Content-Type: application/x-www-form-urlencoded' \
>   --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx'
>
> If the user already has access, then he gets the RPT; if not, he gets:
>
> {
> "error": "access_denied",
> "error_description": "request_submitted"
> }
>
> Only at this moment does the permission ticket I created at step 1 appear in
> the list of permissions. (I am not sure this is the intended behaviour,
> though.)
>
Yeah, that is the expected behavior. But you can also use a request
parameter to tell the token endpoint that you don't want to submit an
authorization request. See
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_aat.
>
> Then it is up to the owner to authorise access (via the API we can do that by
> updating the permission and setting granted to true).
>
> Now let's suppose that I am the owner of the resource A, and I want to
> directly authorise the user Z to access it (without the user asking for
> access to the resource A). How can I do that? At the time being I could not
> figure it out.
>
Similar to the update method, you can use the create method to create
permissions. Is that what you are looking for? See
org.keycloak.testsuite.authz.PermissionManagementTest#testCreatePermissionTicketWithResourceName.
From what I see in the code, permissions are persisted only when invoking
the token API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket,
so in my understanding there is no way (assuming I am the owner of the
resource) to store the permission directly (with grant=true), which would
be the way a user could directly share his resources, as is now
possible in the interface.
Am I wrong?
I am lost... In the code you refer to, I see that you invoke the token
API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket and set
the claim using the accessToken, but I don't see what this has to do with
the ability of a resource owner to directly grant access to a resource
(i.e. creating a permission with grant = true).
--
Dr. FEDERICO MICHELE FACCA
Head of Martel Lab
0041 78 807 58 38
Martel Innovate <https://www.martel-innovate.com/> - Professional support for innovation projects
Click to download our innovators' insights! <https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
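As an added example (not code from this thread, nor from Keycloak itself), the Python module below walks the flow discussed above offline: it builds the same RPT request as Federico's curl call, classifies the token endpoint's reply into granted / pending (the `access_denied` + `request_submitted` case) / denied, and builds the owner-side "create a ticket with granted=true" request Pedro points to. Assumptions: the `submit_request` form parameter, the Protection API path `.../authz/protection/permission/ticket` and its `resource`/`requester`/`granted`/`scopeName` fields are taken from the Keycloak authorization services documentation and should be verified against your version; the HTTP status codes and the `FakeKeycloak` stand-in are constructed for the demo and are not the real server.

```python
"""Offline walk-through of the UMA flow discussed in the thread: build the RPT
request, classify the token endpoint's reply (granted / pending / denied) and
build the owner's direct-grant call to the Protection API. The transport is
pluggable, so everything below runs without a Keycloak server."""
import json
from urllib.parse import urlencode, parse_qs

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(token_endpoint, user_token, ticket, submit_request=None):
    """Form-encoded POST exchanging a permission ticket for an RPT.
    submit_request=False asks Keycloak not to record an authorization request
    on denial (parameter name from the Keycloak docs; verify for your version)."""
    form = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket}
    if submit_request is not None:
        form["submit_request"] = "true" if submit_request else "false"
    return {"method": "POST", "url": token_endpoint,
            "headers": {"Authorization": "Bearer " + user_token,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


def classify_rpt_response(status, body):
    """granted: an RPT came back; pending: access_denied + request_submitted,
    i.e. the ticket now waits in the owner's permission list; denied: anything
    else (e.g. when submit_request=false was sent)."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return ("granted", data["access_token"])
    if (data.get("error") == "access_denied"
            and data.get("error_description") == "request_submitted"):
        return ("pending", None)
    return ("denied", data.get("error_description") or data.get("error"))


def request_rpt(transport, token_endpoint, user_token, ticket, submit_request=None):
    """Send the RPT request through `transport` and classify the answer."""
    req = build_rpt_request(token_endpoint, user_token, ticket, submit_request)
    return classify_rpt_response(*transport(req))


def build_owner_grant_request(protection_base, pat, resource_id, requester_id,
                              scope=None):
    """Owner-side direct share: POST a ticket with granted=true so the requester
    never has to ask. Assumptions: protection_base is
    .../realms/{realm}/authz/protection, pat is the resource server's
    protection API token, path and field names follow the Keycloak docs."""
    ticket = {"resource": resource_id, "requester": requester_id, "granted": True}
    if scope:
        ticket["scopeName"] = scope
    return {"method": "POST", "url": protection_base + "/permission/ticket",
            "headers": {"Authorization": "Bearer " + pat,
                        "Content-Type": "application/json"},
            "body": json.dumps(ticket)}


def urllib_transport(req):
    """Real HTTP transport for a live server (not exercised offline)."""
    import urllib.error, urllib.request
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class FakeKeycloak:
    """Constructed stand-in for the token endpoint: grants only tickets in
    `approved`, records submitted requests and echoes the JSON bodies quoted
    in the thread (the 403 status is an assumption)."""

    def __init__(self):
        self.approved = set()
        self.submitted = []

    def __call__(self, req):
        form = parse_qs(req["body"])
        assert form["grant_type"] == [UMA_TICKET_GRANT]
        ticket = form["ticket"][0]
        if ticket in self.approved:
            return 200, json.dumps({"access_token": "rpt-for-" + ticket})
        if form.get("submit_request", ["true"])[0] == "true":
            self.submitted.append(ticket)   # now visible in the owner's list
            return 403, json.dumps({"error": "access_denied",
                                    "error_description": "request_submitted"})
        return 403, json.dumps({"error": "access_denied",
                                "error_description": "not_authorized"})


if __name__ == "__main__":
    kc = FakeKeycloak()
    ep = "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token"
    print(request_rpt(kc, ep, "user-a-token", "ticket-1"))  # ('pending', None)
    kc.approved.add("ticket-1")                              # owner grants it
    print(request_rpt(kc, ep, "user-a-token", "ticket-1"))  # ('granted', ...)
```

Against a real server, pass `urllib_transport` instead of `FakeKeycloak()`; the first call with a fresh ticket returns `pending` and, as the thread observes, only then does the request show up in the owner's permission list, unless `submit_request=False` is passed, in which case the denial is returned without anything being recorded.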