Hello all,
I have some criteria for resource scope sharing that I am trying to
reconcile. We are using keycloak to protect data resources. The data
resources are created with a corresponding keycloak resource and scopes.
These resources are logically owned by the resource creator, but we want to
have the resources technically owned by the service client for a couple
reasons:
* resources may be created by CS and "transitioned" to users
* resources created by users who leave the organization should not be
orphaned
To accomplish this we have an owner scope which is a proxy for the actual
resource ownership, and the service client actually owns all of the
resources.
However, we want to allow users to share scopes dynamically. We are
looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this
sharing, and intend to continue to use policies for our administrative RBAC
scenarios.
In testing, I have been able to grant and revoke permissions using the
permission ticketing for service-client-owned resources. However when I
attempt to use the evaluation console to verify the behavior, I get a 500
error (and no logging on the keycloak side):
{"error":"server_error","error_description":"Error
while evaluating
permissions."}
Are UMA 2.0 permissions for service client owned resources a supported use
case?
TIA
Gary Schulte