[keycloak-user] UMA 2.0 permissions for service client owned resources

Pedro Igor Silva psilva at redhat.com
Wed Jun 27 09:52:02 EDT 2018


This is a scenario we don't support and we need to handle this properly
instead of throwing those errors.

Currently, user-managed access is based on users granting access to their
resources when these users are set as the resource owner. Could you open an
RFE in JIRA with more details about your use case?

Regards.
Pedro Igor


On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte <gary.schulte at opengov.com>
wrote:

> Another interesting data point, if I create a uma permission ticket for a
> service-client-owned resource, it breaks not only the authorization
> evaluation for that resource, but all authorization evaluations - until I
> delete the permission ticket.
>
> On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte <gary.schulte at opengov.com>
> wrote:
>
> > Hello all,
> >
> > I have some criteria for resource scope sharing that I am trying to
> > reconcile.  We are using keycloak to protect data resources.  The data
> > resources are created with a corresponding keycloak resource and scopes.
> > These resources are logically owned by the resource creator, but we want
> > to have the resources technically owned by the service client for a couple
> > reasons:
> >
> >  * resources may be created by CS and "transitioned" to users
> >  * resources created by users who leave the organization should not be
> > orphaned
> >
> > To accomplish this we have an owner scope which is a proxy for the actual
> > resource ownership, and the service client actually owns all of the
> > resources.
> >
> > However, we want to allow users to share scopes dynamically.  We are
> > looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this
> > sharing, and intend to continue to use policies for our administrative
> > RBAC scenarios.
> >
> > In testing, I have been able to grant and revoke permissions using the
> > permission ticketing for service-client-owned resources.  However when I
> > attempt to use the evaluation console to verify the behavior, I get a 500
> > error (and no logging on the keycloak side):
> >
> >   {"error":"server_error","error_description":"Error while evaluating
> > permissions."}
> >
> > Are UMA 2.0 permissions for service client owned resources a supported
> > use case?
> >
> > TIA
> >
> > Gary Schulte
> >
>
>
>
> --
>
> Gary Schulte  I Software Engineer
>
> OpenGov
>
> 505-750-4279
>
> gary.schulte at opengov.com
>
> www.opengov.com
>
> Silicon Valley
> <https://www.google.com/maps/place/OpenGov+Inc/@37.4859652,
> -122.2121292,15z/data=!4m2!3m1!1s0x0:0xb84d4c3f06ecd893>
> | Washington DC
> <https://www.google.com/maps/place/1875+Connecticut+Ave+NW,
> +Washington,+DC+20009/@38.915617,-77.0474907,17z/data=!3m1!4b1!4m2!3m1!
> 1s0x89b7b7cf85e25661:0x932fc62149d9247f>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
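The thread's practical takeaway is that a UMA 2.0 permission ticket only makes sense for a resource whose owner is the user doing the sharing; a ticket pointing at a resource owned by the service client is the unsupported case that broke evaluation. The script below is an added example (not Keycloak's code and not from the original poster) of a defensive pre-flight audit: given the resource and permission-ticket representations a deployment would fetch from Keycloak's Protection API, it flags every ticket whose target resource is owned by the service client, has owner-managed access disabled, or does not exist. The JSON field names (`_id`, `owner`, `ownerManagedAccess`, `resource`, `requester`) are assumed to match the Keycloak 4.0 resource and ticket representations, and all ids below are constructed sample values.

```python
"""Audit UMA 2.0 permission tickets against resource ownership.

Added example, not Keycloak code. Assumes the JSON shapes returned by
Keycloak 4.0's Protection API: a resource has "_id", "owner" {"id", "name"}
and an "ownerManagedAccess" boolean; a permission ticket has "id",
"resource" (the resource id), "owner" (the resource owner's id) and
"requester". Every id used here is a constructed placeholder.
"""
from typing import Dict, List

# Constructed id of the service client that technically owns resources.
SERVICE_CLIENT_ID = "client-uuid-0000"


def is_user_owned(resource: Dict, service_client_id: str) -> bool:
    """True when the resource is owned by a user, not by the service client."""
    owner = resource.get("owner") or {}
    return owner.get("id") not in (None, service_client_id)


def audit_tickets(resources: List[Dict], tickets: List[Dict],
                  service_client_id: str = SERVICE_CLIENT_ID) -> List[Dict]:
    """Return one finding per ticket that user-managed access cannot honour.

    Findings carry the ticket id and a reason so an operator can delete or
    re-home the offending ticket before it affects policy evaluation.
    """
    by_id = {r["_id"]: r for r in resources}
    findings = []
    for ticket in tickets:
        rid = ticket.get("resource")
        res = by_id.get(rid)
        if res is None:
            findings.append({"ticket": ticket["id"], "resource": rid,
                             "reason": "resource not found"})
        elif not is_user_owned(res, service_client_id):
            findings.append({"ticket": ticket["id"], "resource": rid,
                             "reason": "resource owned by service client"})
        elif not res.get("ownerManagedAccess", False):
            findings.append({"ticket": ticket["id"], "resource": rid,
                             "reason": "ownerManagedAccess disabled"})
    return findings


# Constructed sample data standing in for Protection API responses.
SAMPLE_RESOURCES = [
    {"_id": "res-1", "name": "budget-2018",
     "owner": {"id": "user-uuid-1111", "name": "alice"},
     "ownerManagedAccess": True, "scopes": [{"name": "view"}]},
    {"_id": "res-2", "name": "budget-2017",
     "owner": {"id": SERVICE_CLIENT_ID, "name": "data-service"},
     "ownerManagedAccess": False, "scopes": [{"name": "view"}]},
    {"_id": "res-3", "name": "forecast",
     "owner": {"id": "user-uuid-2222", "name": "bob"},
     "ownerManagedAccess": False, "scopes": [{"name": "edit"}]},
]
SAMPLE_TICKETS = [
    {"id": "t-1", "resource": "res-1", "owner": "user-uuid-1111",
     "requester": "user-uuid-3333", "scope": "view", "granted": True},
    {"id": "t-2", "resource": "res-2", "owner": SERVICE_CLIENT_ID,
     "requester": "user-uuid-3333", "scope": "view", "granted": True},
    {"id": "t-3", "resource": "res-3", "owner": "user-uuid-2222",
     "requester": "user-uuid-3333", "scope": "edit", "granted": False},
    {"id": "t-4", "resource": "res-missing", "owner": "user-uuid-2222",
     "requester": "user-uuid-3333", "scope": "edit", "granted": False},
]


if __name__ == "__main__":
    for f in audit_tickets(SAMPLE_RESOURCES, SAMPLE_TICKETS):
        print(f"ticket {f['ticket']} -> {f['resource']}: {f['reason']}")
```

Run against real data, the two lists would be the decoded bodies of the Protection API resource and ticket listings; the audit deliberately reports missing resources too, since a dangling ticket is as likely to confuse evaluation as a mis-owned one.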
