This is a scenario we don't support and we need to handle this properly
instead of throwing those errors.
Currently, user-managed access is based on users granting access to their
resources when these users are set as the resource owner. Could you open an
RFE in JIRA with more details about your use case?
On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte <gary.schulte(a)opengov.com>
Another interesting data point: if I create a UMA permission ticket for a
service-client-owned resource, it breaks not only the authorization
evaluation for that resource, but all authorization evaluations, until I
delete the permission ticket.
On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte <gary.schulte(a)opengov.com>
> Hello all,
> I have some criteria for resource scope sharing that I am trying to
> reconcile. We are using Keycloak to protect data resources. The data
> resources are created with a corresponding Keycloak resource and scopes.
> These resources are logically owned by the resource creator, but we want
> to have the resources technically owned by the service client for a couple
> * resources may be created by CS and "transitioned" to users
> * resources created by users who leave the organization should not be
> To accomplish this we have an owner scope which is a proxy for the actual
> resource ownership, and the service client actually owns all of the
> However, we want to allow users to share scopes dynamically. We are
> looking at upgrading to Keycloak 4.0 and UMA 2.0 to accomplish this
> sharing, and intend to continue to use policies for our administrative
> In testing, I have been able to grant and revoke permissions using the
> permission ticketing for service-client-owned resources. However when I
> attempt to use the evaluation console to verify the behavior, I get a 500
> error (and no logging on the Keycloak side):
> Are UMA 2.0 permissions for service client owned resources a supported
> Gary Schulte
Gary Schulte | Software Engineer | Washington DC
keycloak-user mailing list