Re: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Hi, On 11 May 2018 at 18:04, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > > > On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca < > federico.facca(a)martel-innovate.com&gt; wrote: > >> >> Now the first question was how to “share” directly a resource with a >> user. >> >> Currently using the API, supposing I am user A and I want to access a >> resource Z from user B, we proceed as follow (i hope is the correct way… >> any correction or guidance will be appreciated): >> >> 1. We create a permission request on the API (to get the ticket). E.g. >> read resource x >> >> 2. We use the ticket to ask for a rtp token using a user token. >> >> curl --request POST \ >> --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-con >> nect/token \ >> --header 'Authorization: Bearer xxx' \ >> --header 'Content-Type: application/x-www-form-urlencoded' \ >> --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-t >> icket&ticket=xxxx' >> >> If the user has already access, then he gets the rtp, if not he gets: >> >> { >> "error": "access_denied", >> "error_description": "request_submitted" >> } >> >> Only in this moment the permission ticket i created at step 1 appears in >> the list of permissions. (I am not sure this is the intended behaviour >> though). >> > > Yeah, that is the expected behavior. But you can also use a request > parameter to tell to the token endpoint that you don't want to submit an > authorization request. See https://www.keycloak.org/d > ocs/latest/authorization_services/index.html#_service_authorization_aat. > > >> >> Then is up to the owner to authorise access (via API we can do that by >> updating the permission and set granted to true) >> >> Now let’s suppose that I am the owner of the resource A, and I want to >> authorise directly (without the user asking access to the resource A) >> the user Z to access it. How can I do that? At the time being I could >> not figure it out. >> > > Similar to the update method, you can use the create method to create > permissions. Is that what you are looking for ? > See org.keycloak.testsuite.authz.PermissionManagementTest#te > stCreatePermissionTicketWithResourceName. > from what i see in the code, permission are persisted only when we invoking the token api with grant_type=urn:ietf: params:oauth:grant-type:uma-ticket so in my understanding there is now way (assuming I am the owner of the resource) to store directly the permission (with grant=true), which would what could be the way a user could share directly his resources as it is now possible in the interface. am I wrong? i am lost... i see that in the code you refer to i see that you invoke the token api with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket you are setting the claim using the accessToken, but i don't see what this has to do with the ability of a resource owner to grant directly the access to a resource (i.e. creating a permission with grant = true) -- *Dr. FEDERICO MICHELE FACCA* *Head of Martel Lab* 0041 78 807 58 38 *Martel Innovate* <https://www.martel-innovate.com/> - Professional support for innovation projects Click to download our innovators' insights! <https://www.martel-innovate.com/premium-content/> Follow Us on Twitter <https://twitter.com/Martel_Innovate>