[keycloak-user] UMA 2.0 permissions for service client owned resources

Gary Schulte gary.schulte at opengov.com
Tue Jun 26 20:20:49 EDT 2018


Another interesting data point: if I create a UMA permission ticket for a
service-client-owned resource, it breaks not only the authorization
evaluation for that resource, but all authorization evaluations, until I
delete the permission ticket.

On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte <gary.schulte at opengov.com>
wrote:

> Hello all,
>
> I have some criteria for resource scope sharing that I am trying to
> reconcile.  We are using keycloak to protect data resources.  The data
> resources are created with a corresponding keycloak resource and scopes.
> These resources are logically owned by the resource creator, but we want to
> have the resources technically owned by the service client for a couple
> reasons:
>
>  * resources may be created by CS and "transitioned" to users
>  * resources created by users who leave the organization should not be
> orphaned
>
> To accomplish this we have an owner scope which is a proxy for the actual
> resource ownership, and the service client actually owns all of the
> resources.
>
> However, we want to allow users to share scopes dynamically.  We are
> looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this
> sharing, and intend to continue to use policies for our administrative RBAC
> scenarios.
>
> In testing, I have been able to grant and revoke permissions using the
> permission ticketing for service-client-owned resources.  However when I
> attempt to use the evaluation console to verify the behavior, I get a 500
> error (and no logging on the keycloak side):
>
>   {"error":"server_error","error_description":"Error while evaluating
> permissions."}
>
> Are UMA 2.0 permissions for service client owned resources a supported use
> case?
>
> TIA
>
> Gary Schulte
>



-- 

Gary Schulte | Software Engineer

OpenGov

505-750-4279

gary.schulte at opengov.com

www.opengov.com

Silicon Valley | Washington DC
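The round trip the thread is about, as an added example that is not part of Gary's post or of Keycloak's own code: a script that gets a Protection API token (PAT) for the service client, registers a resource that client owns, grants a scope on it to a user through the permission ticket management API, and then asks the token endpoint for a decision as that user. Endpoint paths are assumed to match the Keycloak 4.0 Authorization Services documentation; KC, REALM, CLIENT_ID, CLIENT_SECRET, USER_ID and USER_TOKEN are placeholders, and jq must be installed.

```shell
#!/bin/sh
# UMA 2.0 flow for a service-client-owned resource (assumed Keycloak 4.0 endpoints).
set -eu
KC="${KC:-http://localhost:8080/auth}"; REALM="${REALM:-demo}"
CLIENT_ID="${CLIENT_ID:-service-client}"; CLIENT_SECRET="${CLIENT_SECRET:-changeme}"

token_endpoint()      { printf '%s/realms/%s/protocol/openid-connect/token\n' "$1" "$2"; }
protection_endpoint() { printf '%s/realms/%s/authz/protection/%s\n' "$1" "$2" "$3"; }
uma_grant_type()      { printf 'urn:ietf:params:oauth:grant-type:uma-ticket\n'; }

# 1. PAT for the service client: every Protection API call below is made as this client,
#    so every resource it registers is technically owned by it (the scenario in the post).
get_pat() {
  curl -sf -X POST "$(token_endpoint "$KC" "$REALM")" \
    -d grant_type=client_credentials -d client_id="$CLIENT_ID" -d client_secret="$CLIENT_SECRET" \
    | jq -r .access_token
}

# 2. Register a resource with an "owner" proxy scope plus a shareable "view" scope.
register_resource() {  # $1 = PAT, $2 = resource name; prints the resource id
  curl -sf -X POST "$(protection_endpoint "$KC" "$REALM" resource_set)" \
    -H "Authorization: Bearer $1" -H 'Content-Type: application/json' \
    -d "{\"name\":\"$2\",\"scopes\":[\"owner\",\"view\"]}" | jq -r ._id
}

# 3. Share one scope with a user by creating an already-granted permission ticket.
grant_scope() {  # $1 = PAT, $2 = resource id, $3 = user id, $4 = scope name
  curl -sf -X POST "$(protection_endpoint "$KC" "$REALM" permission/ticket)" \
    -H "Authorization: Bearer $1" -H 'Content-Type: application/json' \
    -d "{\"resource\":\"$2\",\"requester\":\"$3\",\"granted\":true,\"scopeName\":\"$4\"}"
}

# 4. As the user, ask only for a decision (response_mode=decision) instead of a full RPT;
#    a server_error here is the same failure the evaluation console reports.
check_permission() {  # $1 = user access token, $2 = resource id, $3 = scope; prints true/false
  curl -sf -X POST "$(token_endpoint "$KC" "$REALM")" \
    -H "Authorization: Bearer $1" \
    -d grant_type="$(uma_grant_type)" -d audience="$CLIENT_ID" \
    -d permission="$2#$3" -d response_mode=decision | jq -r .result
}

# Run the whole flow only when invoked as "sh uma_share.sh run" against a live server.
if [ "${1:-}" = run ]; then
  PAT=$(get_pat); RID=$(register_resource "$PAT" "report-42")
  grant_scope "$PAT" "$RID" "${USER_ID:?set USER_ID}" view
  check_permission "${USER_TOKEN:?set USER_TOKEN}" "$RID" view
fi
```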
