9:52 a.m.
This is a scenario we don't support and we need to handle this properly
instead of throwing those errors.
Currently, user-managed access is based on users granting access to their
resources whe these users are set as the resource owner. Could you open a
RFE in JIRA with more details about your use case ?
Regards.
Pedro Igor
On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte <gary.schulte(a)opengov.com>
wrote:
Another interesting data point, if I create a uma permission ticket
for a
service-client-owned resource, it breaks not only the authorization
evaluation for that resource, but all authorization evaluations - until I
delete the permission ticket.
On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte <gary.schulte(a)opengov.com>
wrote:
> Hello all,
>
> I have some criteria for resource scope sharing that I am trying to
> reconcile. We are using keycloak to protect data resources. The data
> resources are created with a corresponding keycloak resource and scopes.
> These resources are logically owned by the resource creator, but we want
to
> have the resources technically owned by the service client for a couple
> reasons:
>
> * resources may be created by CS and "transitioned" to users
> * resources created by users who leave the organization should not be
> orphaned
>
> To accomplish this we have an owner scope which is a proxy for the actual
> resource ownership, and the service client actually owns all of the
> resources.
>
> However, we want to allow users to share scopes dynamically. We are
> looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this
> sharing, and intend to continue to use policies for our administrative
RBAC
> scenarios.
>
> In testing, I have been able to grant and revoke permissions using the
> permission ticketing for service-client-owned resources. However when I
> attempt to use the evaluation console to verify the behavior, I get a 500
> error (and no logging on the keycloak side):
>
>
{"error":"server_error","error_description":"Error
while evaluating
> permissions."}
>
> Are UMA 2.0 permissions for service client owned resources a supported
use
> case?
>
> TIA
>
> Gary Schulte
>
--
Gary Schulte I Software Engineer
OpenGov
505-750-4279
gary.schulte(a)opengov.com
www.opengov.com
Silicon Valley
<https://www.google.com/maps/place/OpenGov+Inc/@37.4859652,
-122.2121292,15z/data=!4m2!3m1!1s0x0:0xb84d4c3f06ecd893>
| Washington DC
<https://www.google.com/maps/place/1875+Connecticut+Ave+NW,
+Washington,+DC+20009/(a)38.915617,-77.0474907,17z/data=!3m1!4b1!4m2!3m1!
1s0x89b7b7cf85e25661:0x932fc62149d9247f>
<https://www.google.com/maps/place/1875+Connecticut+Ave+NW,
+Washington,+DC+20009/(a)38.915617,-77.0474907,17z/data=!3m1!4b1!4m2!3m1!
1s0x89b7b7cf85e25661:0x932fc62149d9247f>
<https://www.linkedin.com/company/opengov-inc>
<https://www.facebook.com/opengovinc>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user