hi corentin,
long time!
On 27 June 2018 at 17:21, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
That's great, I was able to "share" a resource in my
account console.
As a keycloak admin, where to see all the sharings performed by users?
Also, how to take into account this sharing in permission evaluation?
Should I write specific policies to take into resource sharing?
For instance, I have a javascript policy to authorize the resource owner to
access his resource.
Should I write a "is shared with you" policy?
no, you don't :) UMA policies (so resource sharing by user) have priority
on any other admin defined policy.
Pedro can correct me if I am wrong :)
Cheers,
Fede
On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Think we are missing this in docs :)
>
> You need to enable "User-Managed Access" in Realm Settings (General tab).
>
> On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> OK, interesting: I didn't know about this console :)
>> I can access it with my "test" user, but I don't see the "My Resources"
>> menu entry (see screenshot).
>> I created some resources owned by that user (using the API). But they
>> don't show up.
>> What did I miss?
>>
>> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Yeah, you can access those claims in a JS policy.
>>>
>>> Regarding the "account management console" take a look here:
>>>
>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
>>>
>>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Ok, I see the "claim_token" parameter in the request.
>>>> I guess you can retrieve those claims in a javascript rule, from the
>>>> evaluation context.
>>>>
>>>> By the way, I still cannot figure out where is the "account management
>>>> console", where user can manage users access (as per the release notes)??
>>>>
>>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>> wrote:
>>>>
>>>>> The new form of obtaining entitlements relies solely on the token
>>>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>>>> grant types. With that in mind the new format of the request should be a
>>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>>
>>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>>> you want to push.
>>>>>
>>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>>>
>>>>>
>>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>>>>> corentin.dupont(a)gmail.com> wrote:
>>>>>
>>>>>> Thanks Pedro, I went through the pull request.
>>>>>> I'm not sure how to modify my entitlement requests?
>>>>>> For example I have:
>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>>>   "permissions" : [
>>>>>>     {
>>>>>>       "resource_set_name" : "Sensors",
>>>>>>       "scopes" : [
>>>>>>         "sensors:update"
>>>>>>       ]
>>>>>>     }
>>>>>>   ]
>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>>
>>>>>> This call has been moved to uma-2, right?
>>>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>>>
>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>>>   "permissions" : [
>>>>>>     {
>>>>>>       "resource_set_name" : "Sensors",
>>>>>>       "scopes" : [
>>>>>>         "sensors:update"
>>>>>>       ]
>>>>>>     }
>>>>>>   ],
>>>>>>   claims: ["owner": "cdupont"]
>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>>
>>>>>> In this example, I would like to push the owner of the sensor
>>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>>
>>>>>> Sorry about the questions, maybe I should just wait until the
>>>>>> documentation is merged :)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> We have a few changes to docs that were not released because the PR
>>>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>>>> are using our adapters) here [2].
>>>>>>>
>>>>>>> Regards.
>>>>>>> Pedro Igor
>>>>>>>
>>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>>>
>>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>>>>>>> corentin.dupont(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>> I'm playing with the new version of Keycloak
>>>>>>>> (https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>>
>>>>>>>> I have some questions:
>>>>>>>> - where is the "account management console"?
>>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Corentin
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate*
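
Added example (not part of the original thread and not Keycloak's own code): Corentin's JSON entitlement call rewritten as the token-endpoint POST that Pedro describes, with the sensor owner pushed in `claim_token`. Host, realm, client, resource and scope come from the thread's curl call; the parameter names other than `claim_token` (`grant_type`, `audience`, `permission`, `claim_token_format`) and the array-valued claim JSON follow the Keycloak Authorization Services documentation and are assumptions as far as this thread goes.

```shell
#!/bin/sh
# Added example; sample values are taken from the thread's curl call.
KC_BASE="http://localhost:8080/auth"   # host used in the thread
REALM="waziup"                         # realm used in the thread
AUDIENCE="waziup"                      # resource server client id (thread)

# Base64-encode the JSON document of pushed claims on a single line.
# Assumption: each claim value is a JSON array of strings.
build_claim_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit the form parameters of the UMA grant, one name=value per line.
# $1 = resource name, $2 = scope, $3 = claims JSON
uma_form_params() {
    printf '%s\n' \
        "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
        "audience=$AUDIENCE" \
        "permission=$1#$2" \
        "claim_token=$(build_claim_token "$3")" \
        "claim_token_format=urn:ietf:params:oauth:token-type:jwt"
}

# Send the request. $TOKEN is the caller's access token, as in the thread.
# --data-urlencode keeps '#', '+' and '=' in the values intact on the wire.
request_rpt() {
    set --
    while IFS= read -r p; do
        set -- "$@" --data-urlencode "$p"
    done <<EOF
$(uma_form_params Sensors sensors:update '{"owner":["cdupont"]}')
EOF
    curl -sS -X POST \
        "$KC_BASE/realms/$REALM/protocol/openid-connect/token" \
        -H "Authorization: Bearer $TOKEN" "$@"
}

# Usage against a running server: TOKEN=<access token> request_rpt
```

The pushed `owner` value is asserted by whoever calls the endpoint, so a policy that grants access on it is only as trustworthy as the client allowed to push it.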