That's great, I was able to "share" a resource in my account console.
As a Keycloak admin, where to see all the sharings performed by users?
Also, how to take into account this sharing in permission evaluation?
Should I write specific policies to take resource sharing into account?
For instance, I have a JavaScript policy to authorize the resource owner to
access his resource.
Should I write a "is shared with you" policy?
On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Think we are missing this in docs :)
You need to enable "User-Managed Access" in Realm Settings (General tab).
On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
> OK, interesting: I didn't know about this console :)
> I can access it with my "test" user, but I don't see the "My Resources"
> menu entry (see screenshot).
> I created some resources owned by that user (using the API). But they
> don't show up.
> What did I miss?
>
> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Yeah, you can access those claims in a JS policy.
>>
>> Regarding the "account management console" take a look here:
>>
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
>>
>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
>> corentin.dupont(a)gmail.com> wrote:
>>
>>> Ok, I see the "claim_token" parameter in the request.
>>> I guess you can retrieve those claims in a javascript rule, from the
>>> evaluation context.
>>>
>>> By the way, I still cannot figure out where is the "account management
>>> console", where user can manage users access (as per the release notes)??
>>>
>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>>> The new form of obtaining entitlements relies solely on the token
>>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>>> grant types. With that in mind the new format of the request should be a
>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>
>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>> you want to push.
>>>>
>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>>
>>>>
>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>>>> corentin.dupont(a)gmail.com> wrote:
>>>>
>>>>> Thanks Pedro, I went through the pull request.
>>>>> I'm not sure how to modify my entitlement requests?
>>>>> For example I have:
>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>>   "permissions" : [
>>>>>     {
>>>>>       "resource_set_name" : "Sensors",
>>>>>       "scopes" : [
>>>>>         "sensors:update"
>>>>>       ]
>>>>>     }
>>>>>   ]
>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>
>>>>> This call has been moved to uma-2, right?
>>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>>
>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>>   "permissions" : [
>>>>>     {
>>>>>       "resource_set_name" : "Sensors",
>>>>>       "scopes" : [
>>>>>         "sensors:update"
>>>>>       ]
>>>>>     }
>>>>>   ],
>>>>>   claims: ["owner": "cdupont"]
>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>
>>>>> In this example, I would like to push the owner of the sensor
>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>
>>>>> Sorry about the questions, maybe I should just wait until the
>>>>> documentation is merged :)
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We have a few changes to docs that were not released because the PR
>>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>>> are using our adapters) here [2].
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>>
>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>>>>>> corentin.dupont(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>> I'm playing with the new version of Keycloak (
>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>
>>>>>>> I have some questions:
>>>>>>> - where is the "account management console"?
>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Corentin
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
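
The request format Pedro describes in the thread (token endpoint, HTTP POST parameters, claims passed as Base64-encoded JSON in `claim_token`), as an added example that is not part of the original messages or of Keycloak's own code. The realm, client, resource, scope and owner values are taken from Corentin's earlier request; the token URL path, the `claim_token_format` value and the array-of-strings claim shape are assumptions to check against the documentation for your Keycloak version.

```shell
#!/bin/sh
# Added example (not from the thread): UMA permission request with a pushed claim.
# Realm/client "waziup", resource "Sensors" and scope "sensors:update" come from
# the thread; the token URL path is an assumption for this Keycloak layout.
KC_TOKEN_URL="http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"

# Build the claim_token value: Base64 of a JSON object mapping a claim name to
# an array of strings (assumed claim shape). $1 = claim name, $2 = claim value.
make_claim_token() {
    # Refuse characters that would let a value break out of the JSON string
    # and smuggle in extra claims.
    case "$1$2" in
        *\"*|*\\*) echo "claim contains a quote or backslash" >&2; return 1 ;;
    esac
    printf '{"%s": ["%s"]}' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a claim_token to check what is actually being sent.
decode_claim_token() {
    printf '%s' "$1" | base64 -d
}

# Send the request to the token endpoint as form parameters.
# $1 = caller's access token, $2 = claim_token from make_claim_token.
request_permission() {
    curl -sS -X POST "$KC_TOKEN_URL" \
        -H "Authorization: Bearer $1" \
        --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
        --data-urlencode "audience=waziup" \
        --data-urlencode "permission=Sensors#sensors:update" \
        --data-urlencode "claim_token=$2" \
        --data-urlencode "claim_token_format=urn:ietf:params:oauth:token-type:jwt"
}

# Usage: request_permission "$TOKEN" "$(make_claim_token owner cdupont)"
```

Pushed claims are supplied by the caller, so a policy that reads `owner` from them trusts the client that built the request.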