Using a modern API client definitely improves things but I'm struggling to see how
this scales.
If there are 1000+ resources then the policy seems to have to load each in turn for the
policy to execute (at least according to the Java and JavaScript Policy Evaluation API).
Presumably running a Java policy will be faster than the JavaScript ones I've played
with but fundamentally there's a lot of database access.
Do other built in policies get to use SQL filters and indexes to operate at database
speed? - perhaps I need to restrict myself to those sorts of policies to handle large
numbers of resources??
Or for 1000+ resources am I better off having my resource server take control of
ownership and not using UMA for it at all?
Keycloak's UMA appears to offer great flexibility, and is great when you already know
the resources, but falls down for resource discovery. Or am I missing something?
I'm curious to know of other people's experience with Keycloak UMA + scale!
Thanks,
Rob
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of roxspring(a)imapmail.org
Sent: 07 March 2019 14:47
To: 'Pedro Igor Silva' <psilva(a)redhat.com>
Cc: 'keycloak-user' <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
Thanks Pedro – that gives me something to try out!
(Turns out I was using an old client and didn’t have that API available… time for
some upgrades!)
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: 07 March 2019 13:36
To: roxspring(a)imapmail.org
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user
Hi,
We have an API that allows you to list resources shared to a specific user if the
access was granted based on the standard UMA flow (using permission tickets).
The Keycloak AuthZ Java Client [1] provides access to this API.
[1] https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L197
On Thu, Mar 7, 2019 at 10:21 AM <roxspring(a)imapmail.org> wrote:
Hi folks,
UMA seems to be a great solution to model fine grained permissions and allow
scenarios such as "Alice shares Folder X with Bob".
Keycloak seems to implement this well with APIs for the resource server to ask
"Given [User] and [Folder X], can the user do [Scope]?" and provide answers for
both Alice and Bob based on some policy.
Where I'm struggling is that our application also needs to provide an answer to
"Given [User], which folders can they do [Scope] to?" and I'm not clear how best to
achieve this with Keycloak.
A. Track which folders a user owns or can access and answer the
question directly in the resource server, but that results in the resource server
having a rigid model of the authorization rules and loses the benefits of
Keycloak's flexible policies (or duplicates the policy which seems just as bad).
B. Have the resource server choose some subset of all folders and ask
Keycloak to validate each resource, but that becomes very chatty and slow
when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those
the user can access, but that's also potentially slow with 1000s of resources to
validate and 100s accessible.
a. As above but with additional filtering by resource type to trim the
options.
b. As above but with additional filtering by attributes (e.g. where
property:owner = "Alice")
c. As above but with a full-blown query language (e.g. "WHERE
type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)")
D. ...?
I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way to
model such a (presumably common) scenario?
Thanks,
Rob
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
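Added example (not code from the thread or from the Keycloak project): the call Pedro points at, exercised through the Keycloak AuthZ Java client. It lists the permission tickets that were granted to a given user through the UMA permission-ticket flow, which is the "which resources can this user reach?" query from Rob's option C, but only for grants created by UMA sharing, not for access that a role- or attribute-based policy would allow without a ticket. The `keycloak.json` on the classpath, the requester user id, and the page size are assumptions for the illustration; the `find(...)` parameter order is the one in the linked `PermissionResource`, and the page bounds are what keep this from loading 1000+ tickets in one response.

```java
import java.util.ArrayList;
import java.util.List;

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;

/**
 * Lists resources shared with a user via UMA permission tickets.
 * Assumption: a keycloak.json for the resource server (client id + secret,
 * authorization services enabled) is on the classpath; AuthzClient.create()
 * reads it and obtains a protection API token (PAT) for the resource server.
 */
public class SharedResources {

    // Assumed page size; Keycloak paginates with firstResult/maxResult.
    private static final int PAGE_SIZE = 100;

    /**
     * Returns every *granted* ticket whose requester is the given user id,
     * walking the pages so the caller never asks for all tickets at once.
     * Tickets that are pending (granted == false) are filtered server-side.
     */
    public static List<PermissionTicketRepresentation> grantedTo(AuthzClient authzClient,
                                                                 String requesterUserId) {
        PermissionResource permissions = authzClient.protection().permission();
        List<PermissionTicketRepresentation> all = new ArrayList<>();
        int first = 0;
        while (true) {
            // find(resourceId, scopeId, owner, requester, granted, returnNames, firstResult, maxResult)
            // nulls mean "any"; returnNames=true fills resourceName/scopeName/ownerName
            List<PermissionTicketRepresentation> page = permissions.find(
                    null, null, null, requesterUserId, Boolean.TRUE, Boolean.TRUE, first, PAGE_SIZE);
            all.addAll(page);
            if (page.size() < PAGE_SIZE) {
                break;
            }
            first += PAGE_SIZE;
        }
        return all;
    }

    public static void main(String[] args) {
        // args[0]: Keycloak user id (UUID) of the requester, e.g. Bob. Assumed input.
        String requesterUserId = args.length > 0 ? args[0] : "00000000-0000-0000-0000-000000000000";
        AuthzClient authzClient = AuthzClient.create();

        for (PermissionTicketRepresentation ticket : grantedTo(authzClient, requesterUserId)) {
            // A ticket is one (resource, scope) pair; a folder shared with two
            // scopes shows up twice, so group by resource id if you need folders.
            System.out.printf("resource=%s (%s) scope=%s owner=%s%n",
                    ticket.getResourceName(), ticket.getResource(),
                    ticket.getScopeName(), ticket.getOwnerName());
        }
    }
}
```

Two caveats for the scale question raised above: the query runs against Keycloak's permission-ticket table, so it is an indexed lookup rather than a per-resource policy evaluation, but it only sees grants that exist as tickets. Anything a user can reach because a role, group, or attribute policy says so (including a resource owner's own access, which needs no ticket) is not in this list, so the resource server still has to answer "what does Alice own?" from its own data or from the resource API's owner filter.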