Hi,
Glad you got it working. I should probably update the docs with that too, but
when doing UMA and requesting access to resources where the owner is not
the user, you need to pass the resource ID. The reason is that resources can
have the same name if they belong to different owners, so you need to
explicitly indicate which resource you want to access. If the owner is the
identity making the request, you can use names ...
On Fri, Jan 11, 2019 at 9:00 AM Christian Sandmeier <Christian.Sandmeier@vivai.de> wrote:
Hi all,
As soon as I add concrete resources to the AuthorizationRequest it works.
So in Step 3 I added
AuthorizationRequest request = new AuthorizationRequest();
request.addPermission("resource id x");
request.addPermission("resource id y");
Then the permissions for these resources are shown in the RPT.
Best regards,
Christian
On 08.01.2019 at 17:57 Christian Sandmeier <Christian.Sandmeier@vivai.de> wrote:
Hi All,
first of all, thanks for the great work. I have been using Keycloak in a
project for a couple of months now and really like it.
I started to try out the UMA 2.0 flow because it would be very nice to be
able to share a resource with other users.
Given the following 4 steps, I don't understand why the permissions are
not in the RPT token.
// Code for Steps 1 and 2 taken from here:
// https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar...
// Code for Steps 3 and 4 taken from here:
// https://www.keycloak.org/docs/latest/authorization_services/index.html#ob...
1) Creating a Resource "Resource A" with Owner "demo"
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("demo");
resource.addScope("Scope A");
resource = getAuthzClient().protection().resource().create(resource);
2) Creating the user-managed permission for user "test"
// UmaPermissionRepresentation and ProtectionResource come from the Keycloak authz client
UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
newPermission.setName("User-Managed Permission");
newPermission.setDescription("User is allowed to access");
newPermission.addScope("Scope A");
newPermission.addUser("test");
// authenticate as the resource owner "demo" so the policy is created on the owner's behalf
ProtectionResource protection = getAuthzClient().protection("demo", "demo");
UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission);
3) Get an RPT for the user "test" for all resources
AuthzClient authzClient = AuthzClient.create();
// no permission added to the request: ask for an RPT covering everything "test" may access
AuthorizationRequest request = new AuthorizationRequest();
AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request);
String rpt = response.getToken();
4) Listing the permissions
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");
for (Permission granted : requestingPartyToken.getPermissions()) {
System.out.println(granted);
}
The resource and permission are saved correctly, I can correctly read them
via the AuthZ client,
but now I would assume that the permission is in the RPT of the user
"test".
Is this assumption maybe already incorrect and I got a bit lost? Or is
there probably a problem in my code because the permission should be listed there?
Btw, if I skip step 2) and instead share the resource with the user on
the "Keycloak -> My Account -> My Resources" page, it works. But not
with the UmaPermissionRepresentation.
Thank you in advance
Best regards,
Christian Sandmeier
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
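The point made in the reply at the top of the thread (a user who is not the owner must reference a shared resource by its ID, because names are only unique per owner) is shown end to end below. This is an added example, not code from the thread or from the Keycloak project. It assumes a keycloak.json for the resource server on the classpath (what AuthzClient.create() reads), a realm with users "demo" and "test" whose passwords equal their user names as in the thread, and an authorization-enabled client that defines a scope named "Scope A". The class and method names are made up for this example.

```java
// Added example (not from the mailing-list thread or the Keycloak project).
// Assumptions: keycloak.json on the classpath, users "demo"/"demo" and
// "test"/"test" in the realm, and a scope "Scope A" on the resource server.
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;

public class UmaSharedResourceExample {

    static final String SCOPE = "Scope A";

    // Step 1: register a user-managed resource owned by `owner` (not by the resource server).
    static ResourceRepresentation createOwnedResource(AuthzClient authz, String name, String owner) {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(name);
        resource.setOwnerManagedAccess(true);
        resource.setOwner(owner);
        resource.addScope(SCOPE);
        return authz.protection().resource().create(resource);
    }

    // Step 2: the owner grants SCOPE on the resource to another user through a UMA policy.
    // The protection API is called with the owner's credentials so the policy belongs to them.
    static UmaPermissionRepresentation shareWithUser(AuthzClient authz, String owner, String ownerPassword,
                                                     String resourceId, String user) {
        UmaPermissionRepresentation perm = new UmaPermissionRepresentation();
        perm.setName("User-Managed Permission");
        perm.setDescription("Shared with " + user);
        perm.addScope(SCOPE);
        perm.addUser(user);
        ProtectionResource protection = authz.protection(owner, ownerPassword);
        return protection.policy(resourceId).create(perm);
    }

    // Step 3: obtain an RPT for one resource. `resourceRef` must be the resource ID when the
    // requester is not the owner; a resource name is only unambiguous for the owner's own
    // resources. authorize() throws AuthorizationDeniedException if nothing is granted.
    static String requestRpt(AuthzClient authz, String user, String password, String resourceRef) {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceRef, SCOPE);
        AuthorizationResponse response = authz.authorization(user, password).authorize(request);
        return response.getToken();
    }

    // Step 4: check that the RPT really carries a grant for this resource ID and scope, rather
    // than just printing whatever permissions come back.
    static boolean rptGrants(AuthzClient authz, String rpt, String resourceId, String scope) {
        TokenIntrospectionResponse intro = authz.protection().introspectRequestingPartyToken(rpt);
        if (!Boolean.TRUE.equals(intro.getActive()) || intro.getPermissions() == null) {
            return false;
        }
        for (Permission p : intro.getPermissions()) {
            if (resourceId.equals(p.getResourceId())
                    && p.getScopes() != null && p.getScopes().contains(scope)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        AuthzClient authz = AuthzClient.create();
        ResourceRepresentation resource = createOwnedResource(authz, "Resource A", "demo");
        shareWithUser(authz, "demo", "demo", resource.getId(), "test");

        // Owner: the name "Resource A" is unambiguous among demo's own resources.
        String ownerRpt = requestRpt(authz, "demo", "demo", "Resource A");
        System.out.println("owner grant by name: " + rptGrants(authz, ownerRpt, resource.getId(), SCOPE));

        // Shared user: reference the resource by ID, since another owner could also have
        // a resource named "Resource A" and a name alone would not identify this one.
        String sharedRpt = requestRpt(authz, "test", "test", resource.getId());
        System.out.println("shared grant by id: " + rptGrants(authz, sharedRpt, resource.getId(), SCOPE));
    }
}
```

Because rptGrants checks the resource ID rather than the resource name, it stays correct even when several owners register resources with the same name; matching on getResourceName() would be the same ambiguity the reply describes, just moved from the request to the check.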