Created
https://issues.jboss.org/browse/KEYCLOAK-7726
Thx
On Wed, Jun 27, 2018 at 6:52 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
This is a scenario we don't support and we need to handle this properly
instead of throwing those errors.
Currently, user-managed access is based on users granting access to their
resources when these users are set as the resource owner. Could you open an
RFE in JIRA with more details about your use case?
Regards.
Pedro Igor
On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte <gary.schulte(a)opengov.com>
wrote:
> Another interesting data point, if I create a uma permission ticket for a
> service-client-owned resource, it breaks not only the authorization
> evaluation for that resource, but all authorization evaluations - until I
> delete the permission ticket.
>
> On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte <gary.schulte(a)opengov.com>
> wrote:
>
> > Hello all,
> >
> > I have some criteria for resource scope sharing that I am trying to
> > reconcile. We are using Keycloak to protect data resources. The data
> > resources are created with a corresponding Keycloak resource and scopes.
> > These resources are logically owned by the resource creator, but we want to
> > have the resources technically owned by the service client for a couple of
> > reasons:
> >
> > * resources may be created by CS and "transitioned" to users
> > * resources created by users who leave the organization should not be
> > orphaned
> >
> > To accomplish this we have an owner scope which is a proxy for the actual
> > resource ownership, and the service client actually owns all of the
> > resources.
> >
> > However, we want to allow users to share scopes dynamically. We are
> > looking at upgrading to Keycloak 4.0 and UMA 2.0 to accomplish this
> > sharing, and intend to continue to use policies for our administrative RBAC
> > scenarios.
> >
> > In testing, I have been able to grant and revoke permissions using the
> > permission ticketing for service-client-owned resources. However, when I
> > attempt to use the evaluation console to verify the behavior, I get a 500
> > error (and no logging on the Keycloak side):
> >
> > {"error":"server_error","error_description":"Error while evaluating
> > permissions."}
> >
> > Are UMA 2.0 permissions for service client owned resources a supported use
> > case?
> >
> > TIA
> >
> > Gary Schulte
> >
>
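An added example (not code from the thread or from the Keycloak project) that models the two ownership designs discussed above: resources technically owned by the service client versus resources owned by the user, with UMA permission tickets on top. It gives an inventory check for tickets on client-owned resources, and a simplified fail-closed evaluation that returns a reason instead of the 500 reported above. The field names in the constructed samples follow Keycloak's resource and permission-ticket representations as assumed here, and `SERVICE_CLIENT` is a placeholder id.

```python
from typing import Dict, List, Set, Tuple

# Placeholder id for the confidential service client that technically owns
# every data resource in the design described in the thread.
SERVICE_CLIENT = "svc-client-uuid"
# Constructed samples in the shape of ResourceRepresentation (field names
# assumed from the Keycloak 4 authorization API; check against your export).
RESOURCES: List[Dict] = [
    {"_id": "res-1", "name": "report-42", "owner": {"id": SERVICE_CLIENT},
     "ownerManagedAccess": False, "scopes": [{"name": "owner"}, {"name": "view"}]},
    {"_id": "res-2", "name": "report-43", "owner": {"id": "alice"},
     "ownerManagedAccess": True, "scopes": [{"name": "view"}]},
]
# Constructed samples in the shape of PermissionTicketRepresentation.
TICKETS: List[Dict] = [
    {"id": "t-1", "resource": "res-1", "requester": "bob", "scopeName": "view", "granted": True},
    {"id": "t-2", "resource": "res-2", "requester": "bob", "scopeName": "view", "granted": True},
    {"id": "t-3", "resource": "res-2", "requester": "carol", "scopeName": "view", "granted": False},
]

def tickets_on_client_owned(resources: List[Dict], tickets: List[Dict],
                            client_ids: Set[str]) -> List[str]:
    """Ids of tickets whose resource is owned by a service client: the
    combination the thread reports as unsupported. Run over an export of
    resources and tickets before relying on UMA sharing."""
    owner_of = {r["_id"]: r["owner"]["id"] for r in resources}
    return [t["id"] for t in tickets if owner_of.get(t["resource"]) in client_ids]

def evaluate(requester: str, resource_id: str, scope: str, resources: List[Dict],
             tickets: List[Dict], client_ids: Set[str]) -> Tuple[str, str]:
    """Simplified model of a UMA-style decision, returning (outcome, reason).
    Not Keycloak's evaluator: it fails closed, with a reason, where the real
    server answered 500, and never consults tickets on client-owned resources."""
    res = next((r for r in resources if r["_id"] == resource_id), None)
    if res is None:
        return "DENY", "unknown resource"
    owner = res["owner"]["id"]
    if owner == requester:
        return "GRANT", "requester is the resource owner"
    if owner in client_ids:
        return "DENY", "resource is client-owned; user-managed sharing not applicable"
    if not res.get("ownerManagedAccess"):
        return "DENY", "resource not enabled for user-managed access"
    for t in tickets:
        if (t["resource"], t["requester"], t["scopeName"]) == (resource_id, requester, scope):
            if t["granted"]:
                return "GRANT", f"ticket {t['id']} granted by {owner}"
            return "DENY", f"ticket {t['id']} not yet granted"
    return "DENY", "no permission ticket for this requester and scope"
```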