[keycloak-dev] Authorization Services and UMA 2.0 changes

Pedro Igor Silva psilva at redhat.com
Mon Jan 22 08:07:02 EST 2018

Hi All,

We are about to finish the initial round of changes to make Keycloak
Authorization Services compliant with UMA 2.0.

One of the main changes is related to a new OAuth2 Grant Type introduced
by UMA 2.0 [1] and how it will be used as a replacement for both the
Entitlement and Authorization APIs. In UMA 2.0, there is no Authorization
API anymore, thus it will be removed in future versions of Keycloak.
Regarding Entitlement API, it will also be removed in favor of the new
grant type, but in this case we are using some extensions to UMA grant type
to provide the same functionality. One of the objectives of this change in
particular is to have a single endpoint from where permissions can be

Another important change is also related to UMA, where end-users should now
be able to manage their own resources and permissions via the Account
Management Console. Users would be able to access a "Resource" page from
where they can:

* See the resources they own
* Check for pending permission requests (waiting for the owner's approval),
as well as options to grant/deny the request.
* Check for all "shared resources" / granted permissions, as well as options
to revoke permissions
* Select a user they want to grant access to a resource and/or scope

Other changes are related to the Policy Enforcer, Authorization Client
Java API and configuration. For these areas in particular, changes are
minimal, especially regarding policy enforcer configuration.

These changes are targeted to Keycloak v4 and we'll be updating docs
accordingly, especially on how to migrate to the new version.

Pedro Igor

[1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
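
Added example (not part of the message above and not Keycloak code): a client-side sketch of the UMA 2.0 grant flow from [1], covering the resource server's challenge, the token request, and the pending-approval answer. The host name, ticket values and the pinned authorization-server set are constructed assumptions; Keycloak's own extensions to the grant are not shown.

```python
import re
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Assumption: the client pins the authorization servers it will talk to.
TRUSTED_AS = {"https://as.example.test"}

def parse_uma_challenge(header, trusted_as=TRUSTED_AS):
    """Parse the value of a 'WWW-Authenticate: UMA ...' header from a resource server."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "uma":
        raise ValueError("not a UMA challenge")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    if not fields.get("as_uri") or not fields.get("ticket"):
        raise ValueError("challenge lacks as_uri or ticket")
    # Do not send tickets or client credentials to an AS the RS merely names.
    if fields["as_uri"] not in trusted_as:
        raise ValueError("untrusted authorization server: " + fields["as_uri"])
    return fields

def build_rpt_request(ticket, rpt=None):
    """Form-encoded token request body; rpt asks to upgrade an existing RPT."""
    body = {"grant_type": UMA_GRANT, "ticket": ticket}
    if rpt:
        body["rpt"] = rpt
    return urlencode(body)

def next_step(status, payload):
    """Map the token endpoint's answer to what the client does next."""
    if status == 200 and "access_token" in payload:
        return ("use_rpt", payload["access_token"])
    error = payload.get("error")
    if error == "request_submitted":   # owner approval pending; poll with the new ticket
        return ("poll", payload.get("ticket"))
    if error == "need_info":           # AS wants claims; continue with the new ticket
        return ("gather_claims", payload.get("ticket"))
    return ("stop", error)             # request_denied, invalid_grant, ...

# Constructed sample challenge (not captured from a real server).
SAMPLE = 'UMA realm="demo", as_uri="https://as.example.test", ticket="t-123"'

if __name__ == "__main__":
    challenge = parse_uma_challenge(SAMPLE)
    print(build_rpt_request(challenge["ticket"]))
    print(next_step(403, {"error": "request_submitted", "ticket": "t-456"}))
```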
