On Wed, Jun 27, 2018 at 12:21 PM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:

> That's great, I was able to "share" a resource in my account console.
> As a keycloak admin, where to see all the sharings performed by users?

We don't have this in admin console. The user-managed policies are hidden
in the admin console, the reason being to avoid admins changing them
without user consent. This was a tough decision and I'm open to discuss
different ideas if you think differently.

> Also, how to take into account this sharing in permission evaluation?
> Should I write specific policies to take into account resource sharing?
> For instance, I have a javascript policy to authorize the resource owner
> to access his resource.
> Should I write a "is shared with you" policy?

If you do that, you are just defining a regular policy and it will not be
enough to let the user manage permissions via My Resources. This is how you
could achieve the "sharing" functionality before the latest changes to UMA.
However, we have also introduced a Policy API to the Protection API. From
this API you are able to create additional "user-managed" permissions and
still have your users able to manage them via My Resources. Documentation
is also updated in upstream/master.
This API basically allows you to define additional permissions to a user's
resource such as using roles, groups, clients or even conditions using JS.

>
> On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> Think we are missing this in docs :)
>>
>> You need to enable "User-Managed Access" in Realm Settings (General tab).
>>
>> On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
>>
>>> OK, interesting: I didn't know about this console :)
>>> I can access it with my "test" user, but I don't see the "My Resources"
>>> menu entry (see screenshot).
>>> I created some resources owned by that user (using the API). But they
>>> don't show up.
>>> What did I miss?
>>>
>>> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>
>>>> Yeah, you can access those claims in a JS policy.
>>>>
>>>> Regarding the "account management console" take a look here:
>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
>>>>
>>>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
>>>>
>>>>> Ok, I see the "claim_token" parameter in the request.
>>>>> I guess you can retrieve those claims in a javascript rule, from the
>>>>> evaluation context.
>>>>>
>>>>> By the way, I still cannot figure out where is the "account management
>>>>> console", where a user can manage users' access (as per the release notes)?
>>>>>
>>>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>>>
>>>>>> The new form of obtaining entitlements relies solely on the token
>>>>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>>>>> grant types. With that in mind the new format of the request should be an
>>>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>>>
>>>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>>>> you want to push.
>>>>>>
>>>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>>>>
>>>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
>>>>>>
>>>>>>> Thanks Pedro, I went through the pull request.
>>>>>>> I'm not sure how to modify my entitlement requests?
>>>>>>> For example I have:
>>>>>>>
>>>>>>> curl -X POST -H "Content-Type: application/json" \
>>>>>>>   -H "Authorization: Bearer $TOKEN" -d '{
>>>>>>>   "permissions" : [
>>>>>>>     {
>>>>>>>       "resource_set_name" : "Sensors",
>>>>>>>       "scopes" : [
>>>>>>>         "sensors:update"
>>>>>>>       ]
>>>>>>>     }
>>>>>>>   ]
>>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>>>
>>>>>>> This call has been moved to uma-2, right?
>>>>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>>>>
>>>>>>> curl -X POST -H "Content-Type: application/json" \
>>>>>>>   -H "Authorization: Bearer $TOKEN" -d '{
>>>>>>>   "permissions" : [
>>>>>>>     {
>>>>>>>       "resource_set_name" : "Sensors",
>>>>>>>       "scopes" : [
>>>>>>>         "sensors:update"
>>>>>>>       ]
>>>>>>>     }
>>>>>>>   ],
>>>>>>>   "claims" : { "owner" : "cdupont" }
>>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>>>
>>>>>>> In this example, I would like to push the owner of the sensor
>>>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>>>
>>>>>>> Sorry about the questions, maybe I should just wait until the
>>>>>>> documentation is merged :)
>>>>>>>
>>>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> We have a few changes to docs that were not released because the PR
>>>>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>>>>> are using our adapters) here [2].
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>> Pedro Igor
>>>>>>>>
>>>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>>>>
>>>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi guys,
>>>>>>>>> I'm playing with the new version of Keycloak
>>>>>>>>> (https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>>>
>>>>>>>>> I have some questions:
>>>>>>>>> - where is the "account management console"?
>>>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> Corentin
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
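As an added example (not from the thread and not Keycloak's own code), this is how the entitlement request quoted above translates to the UMA 2 token endpoint Pedro describes, with the resource owner pushed as a Base64-encoded JSON claim_token instead of the imagined "claims" field. The realm and the "waziup" audience come from the thread's own URL; the token endpoint path and the grant_type, audience, permission, claim_token and claim_token_format form parameters are the standard Keycloak UMA ticket grant parameters, and the access token is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from Keycloak): the old
# /authz/entitlement/{client} request rewritten as a UMA 2 token-endpoint
# request, with the resource owner pushed as a claim.
# Values below are constructed placeholders; the realm and client "waziup"
# come from the thread's own URL.
KC_BASE="${KC_BASE:-http://localhost:8080/auth}"
REALM="${REALM:-waziup}"
TOKEN="${TOKEN:-<access-token-placeholder>}"

# Pushed claims are a JSON object mapping each claim to a list of values,
# sent Base64-encoded in the claim_token form parameter.
encode_claim_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Build the x-www-form-urlencoded body of the UMA ticket grant.
#   $1 audience   resource server client id (the path suffix of the old URL)
#   $2 permission "Resource#scope" (resource name or id, then scope)
#   $3 claims     JSON object with the claims to push
# Only '#' is percent-encoded; the other characters used here are sent raw.
uma_request_body() {
    permission=$(printf '%s' "$2" | sed 's/#/%23/g')
    claim_token=$(encode_claim_token "$3")
    printf 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket'
    printf '&audience=%s' "$1"
    printf '&permission=%s' "$permission"
    printf '&claim_token=%s' "$claim_token"
    printf '&claim_token_format=urn:ietf:params:oauth:token-type:jwt'
}

# POST the grant to the realm's token endpoint; the response carries the
# RPT, or an access_denied error when the policies reject the request.
request_rpt() {
    curl -sS -X POST "$KC_BASE/realms/$REALM/protocol/openid-connect/token" \
        -H "Authorization: Bearer $TOKEN" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        --data "$(uma_request_body "$@")"
}

# The thread's case: Sensors#sensors:update with the owner taken from the
# caller's own database. Prints the body only; uncomment the last line to
# actually send the request.
uma_request_body waziup 'Sensors#sensors:update' '{"owner":["cdupont"]}'
echo
# request_rpt waziup 'Sensors#sensors:update' '{"owner":["cdupont"]}'
```

A JS policy can then read the pushed value from the evaluation context as the "owner" claim, which is what the thread's owner check needs.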