On Tue, Nov 26, 2019 at 12:37 PM <sesnor.silva(a)sapo.pt> wrote:
Hi Pedro,
Thank you for your reply.
Sadly I'm still having trouble understanding how this "ticket" is
generated. Is this something that you have to generate on the
backend/resource server manually? I.e., do I generate this ticket every time
there's an HTTP 401 error? If so, what are the rules for generating it? How
will Keycloak know that this ticket is legitimate? How does it know which
resource it's pointing to?
Yes, the ticket is created based on an API call from your application
(resource server) to the Protection API (see
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...).
Every time a request is lacking permissions, your application makes this
call to generate a ticket referencing the resource/scopes being requested.
The ticket has a very short lifetime and an audience, and it is signed. That is
basically what we use when validating it.
Thank you and best regards,
Silva
Quoting Pedro Igor Silva <psilva(a)redhat.com>:
Hi,
From a frontend perspective, you get a PT after trying to access a UMA
protected resource for the first time (when lacking the required
permissions). You should be able to obtain it through the WWW-Authenticate
header as described here
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
.
But you should also be able to obtain permissions for a resource owner by
just invoking the token endpoint directly as described here
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...,
as long as the access token you pass (as a bearer, for instance) is
representing the owner as the subject.
On Fri, Nov 15, 2019 at 4:33 PM <sesnor.silva(a)sapo.pt> wrote:
> Hello,
>
> I'm trying to implement a frontend interface for requesting
> permissions to resource owners, however I'm having trouble
> understanding what a "permission_ticket" is.
>
> According to the documentation
> (https://www.keycloak.org/docs/latest/authorization_services/#_service_aut...),
> a permission request requires a "ticket=${permission_ticket}" parameter.
> How do I obtain this ticket? Can I build it
> myself?
>
> The previous section states: "The resource server sends a response
> back to the client with a permission ticket and a as_uri parameter
> with the location of a Keycloak server to where the ticket should be
> sent in order to obtain an RPT." But I'm not sure how I make my
> API/Resource Server do this.
>
> Can I request access to a resource owner through any other method?
>
> Thank you,
> Silva
>
>
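Added example, not part of the thread and not Keycloak's own code: the ticket round trip discussed above, from the resource server's Protection API call and 401 challenge to the client's token request for an RPT. The endpoint paths and parameter names follow the Keycloak authorization services documentation; the host, realm, resource id, token values and the check of `as_uri` against a pinned issuer are assumptions made for the example.

```javascript
// Added example, not Keycloak code. Host, realm, ids and tokens are constructed.
const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';

// Resource server: Protection API call (authenticated with its PAT) that
// creates a ticket for the resource and scopes the failed request needed.
function buildTicketRequest(realmUrl, pat, resourceId, scopes) {
  return {
    method: 'POST',
    url: `${realmUrl}/authz/protection/permission`,
    headers: { Authorization: `Bearer ${pat}`, 'Content-Type': 'application/json' },
    body: JSON.stringify([{ resource_id: resourceId, resource_scopes: scopes }]),
  };
}

// Resource server: WWW-Authenticate value sent with the 401 response.
function buildChallenge(realm, realmUrl, ticket) {
  return `UMA realm="${realm}", as_uri="${realmUrl}", ticket="${ticket}"`;
}

// Client: pull as_uri and ticket out of the challenge; null if it is not UMA.
function parseUmaChallenge(header) {
  const m = /^\s*UMA\s+(.*)$/i.exec(header || '');
  if (!m) return null;
  const params = {};
  for (const [, k, v] of m[1].matchAll(/([a-z_]+)="([^"]*)"/gi)) params[k.toLowerCase()] = v;
  return params.ticket && params.as_uri ? params : null;
}

// Client: token request that trades the ticket for an RPT. The as_uri comes
// from the resource server's response, so it is compared with the issuer the
// client already trusts before the access token is sent (assumed policy).
function buildRptRequest(challenge, accessToken, trustedIssuer) {
  if (challenge.as_uri !== trustedIssuer) throw new Error('as_uri is not the trusted issuer');
  return {
    method: 'POST',
    url: `${trustedIssuer}/protocol/openid-connect/token`,
    headers: { Authorization: `Bearer ${accessToken}`,
               'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: UMA_GRANT, ticket: challenge.ticket }).toString(),
  };
}

// Constructed walk-through of the round trip.
const realmUrl = 'https://sso.example.test/auth/realms/demo';
const header = buildChallenge('demo', realmUrl, 'constructed-ticket');
console.log(buildRptRequest(parseUmaChallenge(header), 'constructed-access-token', realmUrl));
```

The ticket itself is opaque to both the resource server and the client: it is only relayed, and the server that issued it is the one that validates it.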