[keycloak-user] RPT can not be issued to resource owner
stefan.wachter
stefan.wachter at bosch-si.com
Wed Jul 18 12:14:06 EDT 2018
https://issues.jboss.org/browse/KEYCLOAK-7886
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK
Am 18.07.2018 um 16:10 schrieb Pedro Igor Silva:
> Could you file a JIRA for this, please? Let's see what others think
> about it ...
>
> Thanks.
>
> On Wed, Jul 18, 2018 at 9:53 AM, stefan.wachter
> <stefan.wachter at bosch-si.com <mailto:stefan.wachter at bosch-si.com>> wrote:
>
> Agree. However, if a resource owner does not have enough grants by
> default then the approval mechanism should kick in. This is at
> least what the response error "request_submitted" indicates.
>
> Best regards,
>
> Stefan Wachter
> INST-ICM/BSV-BS
>
> Tel. +49(711)811-58477
>
> BeQIK
>
> Am 18.07.2018 um 14:11 schrieb Pedro Igor Silva:
>> The owner of a resource does not necessarily get granted access to the
>> resource. So, yeah, you need some policy to actually define who
>> (the owner) can access the resource. I'm not sure if it makes sense
>> for owners to approve requests to access their resources, though.
>>
>> On Wed, Jul 18, 2018 at 6:30 AM, stefan.wachter
>> <stefan.wachter at bosch-si.com
>> <mailto:stefan.wachter at bosch-si.com>> wrote:
>>
>> As a work-around I added a policy that authorizes resource
>> owners:
>>
>> // grant when the identity requesting the permission is the resource owner
>> if ($evaluation.getContext().getIdentity().getId() ==
>>         $evaluation.getPermission().getResource().getOwner()) {
>>     $evaluation.grant();
>> }
>>
>> and a permission that uses that policy.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
>>
>
>
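The owner-check policy quoted in the thread is Nashorn script that Keycloak runs with a single `$evaluation` binding, so it cannot be exercised outside the server as posted. The block below is an added example, not code from the thread or from Keycloak: it wraps that policy body in a function, supplies a hand-written stand-in for the `Evaluation`, `Permission` and `Resource` objects (only the four methods the policy calls are modelled, which is an assumption about the API surface), and runs it over constructed identities. The third sample is the caveat a practitioner should know about before relying on this work-around: a resource created by the resource server itself carries the client's id as its owner, so the owner check never grants a user access to such resources, even if the user is the one the resource is "about".

```javascript
// Added example (not Keycloak code): offline harness for the owner-check
// JavaScript policy from the thread. The Evaluation stand-in below is
// hand-written and mimics only the calls the policy makes.

// The policy body, in the shape Keycloak's JS policy expects: it reads the
// requesting identity and the resource owner, and calls grant() when they match.
function ownerPolicy($evaluation) {
  var requester = $evaluation.getContext().getIdentity().getId();
  var owner = $evaluation.getPermission().getResource().getOwner();
  if (requester === owner) {
    $evaluation.grant();
  }
}

// Stand-in for Keycloak's Evaluation API (assumption: only getContext(),
// getPermission(), grant() and deny() are modelled, plus isGranted() to read
// the decision back out; a policy that never calls grant() is a deny).
function makeEvaluation(identityId, resourceOwnerId) {
  var granted = false;
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return identityId; } };
        },
      };
    },
    getPermission: function () {
      return {
        getResource: function () {
          return { getOwner: function () { return resourceOwnerId; } };
        },
      };
    },
    grant: function () { granted = true; },
    deny: function () { granted = false; },
    isGranted: function () { return granted; },
  };
}

// Runs the policy for one requester against one resource and returns the
// decision as Keycloak would report it in the policy evaluation tool.
function evaluateOwnerPolicy(identityId, resourceOwnerId) {
  var ev = makeEvaluation(identityId, resourceOwnerId);
  ownerPolicy(ev);
  return ev.isGranted() ? "GRANT" : "DENY";
}

// Constructed sample ids (not taken from the thread). In Keycloak a resource
// created through the resource server's own credentials is owned by that
// client, so its owner id is a client id rather than a user id.
var ALICE = "5e1b8c2f-user-alice";
var BOB = "9a47d0e3-user-bob";
var RESOURCE_SERVER = "3c2a11f9-client-photoz";

var SAMPLES = [
  { who: ALICE, owner: ALICE },            // owner asks for her own resource
  { who: BOB, owner: ALICE },              // another user asks for Alice's resource
  { who: ALICE, owner: RESOURCE_SERVER },  // resource the server created itself
];

// Evaluates every sample and returns the list of decisions in order.
function runSamples() {
  return SAMPLES.map(function (s) { return evaluateOwnerPolicy(s.who, s.owner); });
}

// runSamples() -> ["GRANT", "DENY", "DENY"]
```

The second result is the behaviour the policy is meant to add (non-owners still need some other policy to grant them access); the third is the case the work-around silently does not cover, so server-owned resources still need a separate policy, for example a role or user policy, if users are supposed to reach them.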
More information about the keycloak-user mailing list