[keycloak-dev] How to share a resource with a user via UMA 2.0 API

Pedro Igor Silva psilva at redhat.com
Fri May 11 07:52:51 EDT 2018


On Fri, May 11, 2018 at 8:30 AM, Federico Michele Facca <
federico.facca at martel-innovate.com> wrote:

> Hi,
> We are looking into integrating keycloak UMA 2.0 APIs in our platform to
> allow users to share resources, ask access to resources, approve sharing,
> exactly how it is possible via the Keycloak Account UI.
> It looks like the Account UI is currently using directly keycloak java APIs
> to do so.
>
> Looking at the current REST API implementation it seems not possible that:
> 1. An owner shares directly a resource (without the user requesting that).
> 2. Lists the permissions related to resources of an owner, including also
> the information on who requested that.
>

We don't have the API documented, something we should improve in the future.

We have a quickstart that can help you to achieve what you want. See
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz

If you look at this method:


https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L100

You will see that we are using the Permission Endpoint (the endpoint
responsible for managing permission tickets) to obtain all resources
*shared* with a specific user. In our AuthZ Java Client we have this method:


https://github.com/keycloak/keycloak/blob/master/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L162

Which allows you to query for permission tickets using different filters.

The type PermissionResource also provides methods for CRUD permission
tickets.

Note that this API is targeted for resource servers and part of the
Protection API.


>
> In our understanding, to obtain 2. we should somehow retrieve the
> Requester from the TicketStore and attach the information to the response
> (but this would "break" the UMA standard, as anyhow parameters as
> "returnNames=true" do, so maybe when the request is using
> "returnNames=true"
> we could attach as well the requester name and it).
>
> For 1, we have no clear ideas, if not adding "requester" as well in the
> ticket creation.
>
> Any hint would be highly appreciated, so that we can work up some
> implementation to provide both features.
>
> Thanks,
> Federico
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* <https://www.martel-innovate.com/>  -  Professional
> support for innovation projects
> Click to download our innovators' insights!
> <https://www.martel-innovate.com/premium-content/>
> Follow Us on Twitter <https://twitter.com/Martel_Innovate>
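An added example, not code from the email, the photoz quickstart, or Keycloak itself, showing how a resource server would do the two things asked about through the Permission endpoint of the Protection API: (1) share a resource with a user directly by creating a permission ticket that is already granted, and (2) list the tickets on an owner's resources, each of which carries the requester (and, with returnNames, the requester's name). It assumes the Keycloak Java AuthzClient (org.keycloak:keycloak-authz-client) with AuthzClient.create() reading keycloak.json from the classpath, protection().permission() returning a PermissionResource whose find(resourceId, scopeId, owner, requester, granted, returnNames, firstResult, maxResult) and create(PermissionTicketRepresentation) match the linked file at the time of the thread, and protection().resource().findById(...) for the ownership check; verify these against your Keycloak version. The ownership check is the security-relevant part: the Protection API trusts the resource server's PAT, not the end user, so the resource server itself must confirm that the calling user owns the resource before granting access on their behalf.

```java
// Added example: a resource server sharing resources and listing shares
// through the Keycloak Protection API (permission tickets). Not code from
// the quickstart or from Keycloak; method signatures are assumed as in the
// lead-in and should be checked against the Keycloak version in use.
import java.util.List;

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;

public class SharingService {

    // Reads keycloak.json (resource server client id + secret) from the classpath.
    private final AuthzClient authzClient = AuthzClient.create();

    /**
     * Share resourceId with targetUserId without an access request from that
     * user: the resource server creates a ticket that is already granted.
     * callerUserId is the authenticated user making the share request; the
     * resource server must verify ownership itself, because the Protection API
     * only checks the resource server's PAT.
     */
    public PermissionTicketRepresentation share(String callerUserId, String resourceId, String targetUserId) {
        if (!isOwner(callerUserId, resourceId)) {
            throw new SecurityException("only the resource owner may share it");
        }
        PermissionTicketRepresentation ticket = new PermissionTicketRepresentation();
        ticket.setResource(resourceId);
        ticket.setRequester(targetUserId); // the user being granted access
        ticket.setGranted(true);           // skip the owner-approval step
        return permissions().create(ticket);
    }

    /**
     * Tickets on the owner's resources. Each ticket's getRequester() tells
     * who was granted (or asked for) access; with returnNames=true the
     * representation also carries requesterName and resourceName.
     * Pass granted=null instead of true to include pending requests.
     */
    public List<PermissionTicketRepresentation> listSharedByOwner(String ownerUserId) {
        // find(resourceId, scopeId, owner, requester, granted, returnNames, firstResult, maxResult)
        return permissions().find(null, null, ownerUserId, null, Boolean.TRUE, Boolean.TRUE, null, null);
    }

    /** Resources shared with userId, the query the quickstart's AlbumService makes. */
    public List<PermissionTicketRepresentation> listSharedWith(String userId) {
        return permissions().find(null, null, null, userId, Boolean.TRUE, Boolean.TRUE, null, null);
    }

    /** Revoke a share by deleting its ticket; again only the owner may do this. */
    public void unshare(String callerUserId, PermissionTicketRepresentation ticket) {
        if (!isOwner(callerUserId, ticket.getResource())) {
            throw new SecurityException("only the resource owner may revoke a share");
        }
        permissions().delete(ticket.getId());
    }

    private PermissionResource permissions() {
        return authzClient.protection().permission();
    }

    // Ownership check against the resource registered in Keycloak (assumed
    // API: ResourceRepresentation.getOwner().getId()). A resource server that
    // keeps its own owner column can check that instead.
    private boolean isOwner(String userId, String resourceId) {
        ResourceRepresentation resource = authzClient.protection().resource().findById(resourceId);
        return resource != null
                && resource.getOwner() != null
                && userId.equals(resource.getOwner().getId());
    }
}
```

Both list methods filter on granted=true so that pending access requests (tickets created by the UMA flow but not yet approved) are left out; the same find call with granted=null returns them too, which is what an "approve sharing" screen would need.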
