[keycloak-user] Keycloak 4
Corentin Dupont
corentin.dupont at gmail.com
Wed Jun 27 11:21:28 EDT 2018
That's great, I was able to "share" a resource in my account console.
As a keycloak admin, where to see all the sharings performed by users?
Also, how to take into account this sharing in permission evaluation?
Should I write specific policies to take into resource sharing?
For instance, I have a javascript policy to authorize the resource owner to
access his resource.
Should I write a "is shared with you" policy?
On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> Think we are missing this in docs :)
>
> You need to enable "User-Managed Access" in Realm Settings (General tab).
>
> On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> OK, interesting: I didn't know about this console :)
>> I can access it with my "test" user, but I don't see the "My Resources"
>> menu entry (see screenshot).
>> I created some resources owned by that user (using the API). But they
>> don't show up.
>> What did I missed?
>>
>> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Yeah, you can access those claims in a JS policy.
>>>
>>> Regarding the "account management console" take a look here:
>>> https://www.keycloak.org/docs/latest/authorization_ser
>>> vices/index.html#_service_authorization_api_aapi.
>>>
>>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Ok, I see the "claim_token" parameter in the request.
>>>> I guess you can retrieve those claims in a javascript rule, from the
>>>> evaluation context.
>>>>
>>>> By the way, I still cannot figure out where is the "account management
>>>> console", where user can manager users access (as per the release notes)??
>>>>
>>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> The new form of obtaining entitlements relies solely on the token
>>>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>>>> grant types. With that in mind the new format of the request should be a
>>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>>
>>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>>> you want to push.
>>>>>
>>>>> [1] https://www.keycloak.org/docs/latest/authorization_servi
>>>>> ces/index.html#_service_obtaining_permissions
>>>>>
>>>>>
>>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Thanks Pedro, I went through the pull request.
>>>>>> I'm not sure how to modify my entitlement requests?
>>>>>> For example I have:
>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>>>>>> Bearer $TOKEN" -d '{
>>>>>> "permissions" : [
>>>>>> {
>>>>>> "resource_set_name" : "Sensors",
>>>>>> "scopes" : [
>>>>>> "sensors:update"
>>>>>> ]
>>>>>> }
>>>>>> ]
>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/
>>>>>> waziup"
>>>>>>
>>>>>> This call has been moved to uma-2, right?
>>>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>>>
>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>>>>>> Bearer $TOKEN" -d '{
>>>>>> "permissions" : [
>>>>>> {
>>>>>> "resource_set_name" : "Sensors",
>>>>>> "scopes" : [
>>>>>> "sensors:update"
>>>>>> ]
>>>>>> }
>>>>>> ],
>>>>>> claims: ["owner": "cdupont"]
>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/
>>>>>> waziup"
>>>>>>
>>>>>> In this example, I would like to push the owner of the sensor
>>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>>
>>>>>> Sorry about the questions, maybe I should just wait that the
>>>>>> documentation is merged :)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> We have a few changes to docs that were not released because the PR
>>>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>>>> are using our adapters) here [2].
>>>>>>>
>>>>>>> Regards.
>>>>>>> Pedro igor
>>>>>>>
>>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi
>>>>>>> ces/index.html#_enforcer_claim_information_point
>>>>>>>
>>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>> I'm playing with the new version of Keycloak (
>>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>>
>>>>>>>> I have some questions:
>>>>>>>> - where is the "account management console"?
>>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Corentin
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
More information about the keycloak-user
mailing list