7:07 a.m.
Hi All,
We are about to finish the initial round of changes to make Keycloak
Authorization Services compliant with UMA 2.0.
One of the main changes is related with a new OAuth2 Grant Type introduced
by UMA 2.0 [1] and how it will be used as a replacement for both
Entitlement and Authorization API. In UMA 2.0, there is no Authorization
API anymore, thus it will be removed on future versions of Keycloak.
Regarding Entitlement API, it will also be removed in favor of the new
grant type, but in this case we are using some extensions to UMA grant type
to provide the same functionality. One of the objectives of this change in
particular is to have a single endpoint from where permissions can be
obtained.
Another important change is also related with UMA where end-users should be
able now to manage their own resource and permissions via Account
Management Console. Users would be able to access a "Resource" page from
where they can:
* See the resources they own
* Check for pending permission requests (waiting for the owners approval).
As well options to grant/deny the request.
* Check for all "shared resources" / granted permissions. As well options
to revoke permissions
* Select an user they want to grant access to a resource and/or scope
Other changes are related with the Policy Enforcer, Authorization Client
Java API and configuration. For these areas in particular changes are
minimal, specially regarding policy enforcer configuration.
These changes are targeted to Keycloak v4 and we'll be updating docs
accordingly, specially on how to migrate to the new version.
Regards.
Pedro Igor
[1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
8:09 a.m.
That sounds great, thanks a lot!
On Mon, Jan 22, 2018 at 2:07 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi All,
We are about to finish the initial round of changes to make Keycloak
Authorization Services compliant with UMA 2.0.
One of the main changes is related with a new OAuth2 Grant Type introduced
by UMA 2.0 [1] and how it will be used as a replacement for both
Entitlement and Authorization API. In UMA 2.0, there is no Authorization
API anymore, thus it will be removed on future versions of Keycloak.
Regarding Entitlement API, it will also be removed in favor of the new
grant type, but in this case we are using some extensions to UMA grant type
to provide the same functionality. One of the objectives of this change in
particular is to have a single endpoint from where permissions can be
obtained.
Another important change is also related with UMA where end-users should be
able now to manage their own resource and permissions via Account
Management Console. Users would be able to access a "Resource" page from
where they can:
* See the resources they own
* Check for pending permission requests (waiting for the owners approval).
As well options to grant/deny the request.
* Check for all "shared resources" / granted permissions. As well options
to revoke permissions
* Select an user they want to grant access to a resource and/or scope
Other changes are related with the Policy Enforcer, Authorization Client
Java API and configuration. For these areas in particular changes are
minimal, specially regarding policy enforcer configuration.
These changes are targeted to Keycloak v4 and we'll be updating docs
accordingly, specially on how to migrate to the new version.
Regards.
Pedro Igor
[1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:14 p.m.
Hi Pedro and all,
how is it going with those changes? Any landing date in view?
It looks very promising.
On Mon, Jan 29, 2018 at 3:09 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
That sounds great, thanks a lot!
On Mon, Jan 22, 2018 at 2:07 PM, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Hi All,
>
> We are about to finish the initial round of changes to make Keycloak
> Authorization Services compliant with UMA 2.0.
>
> One of the main changes is related with a new OAuth2 Grant Type introduced
> by UMA 2.0 [1] and how it will be used as a replacement for both
> Entitlement and Authorization API. In UMA 2.0, there is no Authorization
> API anymore, thus it will be removed on future versions of Keycloak.
> Regarding Entitlement API, it will also be removed in favor of the new
> grant type, but in this case we are using some extensions to UMA grant
> type
> to provide the same functionality. One of the objectives of this change in
> particular is to have a single endpoint from where permissions can be
> obtained.
>
> Another important change is also related with UMA where end-users should
> be
> able now to manage their own resource and permissions via Account
> Management Console. Users would be able to access a "Resource" page from
> where they can:
>
> * See the resources they own
> * Check for pending permission requests (waiting for the owners approval).
> As well options to grant/deny the request.
> * Check for all "shared resources" / granted permissions. As well options
> to revoke permissions
> * Select an user they want to grant access to a resource and/or scope
>
> Other changes are related with the Policy Enforcer, Authorization Client
> Java API and configuration. For these areas in particular changes are
> minimal, specially regarding policy enforcer configuration.
>
> These changes are targeted to Keycloak v4 and we'll be updating docs
> accordingly, specially on how to migrate to the new version.
>
> Regards.
> Pedro Igor
>
> [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
4:45 p.m.
PR is being reviewed. It should be merged very soon.
On Thu, Feb 22, 2018 at 5:14 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
Hi Pedro and all,
how is it going with those changes? Any landing date in view?
It looks very promising.
On Mon, Jan 29, 2018 at 3:09 PM, Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
> That sounds great, thanks a lot!
>
> On Mon, Jan 22, 2018 at 2:07 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi All,
>>
>> We are about to finish the initial round of changes to make Keycloak
>> Authorization Services compliant with UMA 2.0.
>>
>> One of the main changes is related with a new OAuth2 Grant Type
>> introduced
>> by UMA 2.0 [1] and how it will be used as a replacement for both
>> Entitlement and Authorization API. In UMA 2.0, there is no Authorization
>> API anymore, thus it will be removed on future versions of Keycloak.
>> Regarding Entitlement API, it will also be removed in favor of the new
>> grant type, but in this case we are using some extensions to UMA grant
>> type
>> to provide the same functionality. One of the objectives of this change
>> in
>> particular is to have a single endpoint from where permissions can be
>> obtained.
>>
>> Another important change is also related with UMA where end-users should
>> be
>> able now to manage their own resource and permissions via Account
>> Management Console. Users would be able to access a "Resource" page
from
>> where they can:
>>
>> * See the resources they own
>> * Check for pending permission requests (waiting for the owners
>> approval).
>> As well options to grant/deny the request.
>> * Check for all "shared resources" / granted permissions. As well
options
>> to revoke permissions
>> * Select an user they want to grant access to a resource and/or scope
>>
>> Other changes are related with the Policy Enforcer, Authorization Client
>> Java API and configuration. For these areas in particular changes are
>> minimal, specially regarding policy enforcer configuration.
>>
>> These changes are targeted to Keycloak v4 and we'll be updating docs
>> accordingly, specially on how to migrate to the new version.
>>
>> Regards.
>> Pedro Igor
>>
>> [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.
>> 0-09.html
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
2499
days inactive
2530
days old
3 comments
2 participants
participants (2)
-
Corentin Dupont -
Pedro Igor Silva