[keycloak-user] Keycloak 4

Federico Michele Facca federico.facca at martel-innovate.com
Wed Jun 27 11:54:21 EDT 2018


hi corentin,

long time!

On 27 June 2018 at 17:21, Corentin Dupont <corentin.dupont at gmail.com> wrote:

> That's great, I was able to "share" a resource in my account console.
> As a keycloak admin, where to see all the sharings performed by users?
>

that's not possible in the UI, you can anyhow run a query to the API.


>
> Also, how to take into account this sharing in permission evaluation?
> Should I write specific policies to take resource sharing into account?
> For instance, I have a javascript policy to authorize the resource owner to
> access his resource.
> Should I write an "is shared with you" policy?
>
>
>
no, you don't :) UMA policies (so resource sharing by user) take priority
over any other admin-defined policy.

Pedro can correct me if I am wrong :)

Cheers,
Fede


>
>
>
> On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
> > Think we are missing this in docs :)
> >
> > You need to enable "User-Managed Access" in Realm Settings (General tab).
> >
> > On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <
> > corentin.dupont at gmail.com> wrote:
> >
> >> OK, interesting: I didn't know about this console :)
> >> I can access it with my "test" user, but I don't see the "My Resources"
> >> menu entry (see screenshot).
> >> I created some resources owned by that user (using the API). But they
> >> don't show up.
> >> What did I miss?
> >>
> >> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva at redhat.com>
> >> wrote:
> >>
> >>> Yeah, you can access those claims in a JS policy.
> >>>
> >>> Regarding the "account management console" take a look here:
> >>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
> >>>
> >>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
> >>> corentin.dupont at gmail.com> wrote:
> >>>
> >>>> Ok, I see the "claim_token" parameter in the request.
> >>>> I guess you can retrieve those claims in a javascript rule, from the
> >>>> evaluation context.
> >>>>
> >>>> By the way, I still cannot figure out where the "account management
> >>>> console" is, where a user can manage user access (as per the release
> >>>> notes)?
> >>>>
> >>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva at redhat.com>
> >>>> wrote:
> >>>>
> >>>>> The new form of obtaining entitlements relies solely on the token
> >>>>> endpoint just like when you are obtaining access tokens using other
> >>>>> OAuth2 grant types. With that in mind the new format of the request
> >>>>> should be an HTTP POST + parameters. Check this documentation [1] for
> >>>>> more details.
> >>>>>
> >>>>> Regarding pushing claims to your policies, there is a specific HTTP
> >>>>> parameter that you can use to pass a Base64 encoded JSON with the
> >>>>> claims you want to push.
> >>>>>
> >>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> >>>>>
> >>>>>
> >>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
> >>>>> corentin.dupont at gmail.com> wrote:
> >>>>>
> >>>>>> Thanks Pedro, I went through the pull request.
> >>>>>> I'm not sure how to modify my entitlement requests?
> >>>>>> For example I have:
> >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
> >>>>>> Bearer $TOKEN" -d '{
> >>>>>>     "permissions" : [
> >>>>>>         {
> >>>>>>             "resource_set_name" : "Sensors",
> >>>>>>             "scopes" : [
> >>>>>>                 "sensors:update"
> >>>>>>             ]
> >>>>>>         }
> >>>>>>     ]
> >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
> >>>>>>
> >>>>>> This call has been moved to uma-2, right?
> >>>>>> Can I add pushed claims to this call? What I'm imagining is:
> >>>>>>
> >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
> >>>>>> Bearer $TOKEN" -d '{
> >>>>>>     "permissions" : [
> >>>>>>         {
> >>>>>>             "resource_set_name" : "Sensors",
> >>>>>>             "scopes" : [
> >>>>>>                 "sensors:update"
> >>>>>>             ]
> >>>>>>         }
> >>>>>>     ],
> >>>>>>     "claims": { "owner": "cdupont" }
> >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
> >>>>>>
> >>>>>> In this example, I would like to push the owner of the sensor
> >>>>>> ("cdupont"), which I take from our own database before calling the
> >>>>>> API.
> >>>>>>
> >>>>>> Sorry about the questions, maybe I should just wait until the
> >>>>>> documentation is merged :)
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <
> >>>>>> psilva at redhat.com> wrote:
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> We have a few changes to docs that were not released because the PR
> >>>>>>> [1] was not merged on time. But you can check about pushed claims
> >>>>>>> (if you are using our adapters) here [2].
> >>>>>>>
> >>>>>>> Regards.
> >>>>>>> Pedro Igor
> >>>>>>>
> >>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
> >>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
> >>>>>>>
> >>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
> >>>>>>> corentin.dupont at gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Hi guys,
> >>>>>>>> I'm playing with the new version of Keycloak (
> >>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
> >>>>>>>>
> >>>>>>>> I have some questions:
> >>>>>>>> - where is the "account management console"?
> >>>>>>>> - How to use pushed claims? Which APIs are affected?
> >>>>>>>>
> >>>>>>>> Thanks!
> >>>>>>>> Corentin
> >>>>>>>> _______________________________________________
> >>>>>>>> keycloak-user mailing list
> >>>>>>>> keycloak-user at lists.jboss.org
> >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/>  -  Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
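The token-endpoint request Pedro describes in the quoted thread (an HTTP POST with parameters, pushed claims passed as Base64-encoded JSON in the claim_token parameter) as an added example; this is not code from the thread or from the Keycloak project. It reuses the waziup realm and client from Corentin's curl call, the grant_type, audience and permission parameter names as documented for Keycloak's UMA 2.0 token endpoint, and a constructed claims document {"owner":["cdupont"]} (Keycloak expects claim values as arrays of strings). The base URL, client id and bearer token are assumptions supplied through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): build and send a UMA 2.0 permission
# request to Keycloak's token endpoint, pushing claims via claim_token.
# Realm and client id reuse Corentin's values; override them via the environment.
KEYCLOAK_BASE="${KEYCLOAK_BASE:-http://localhost:8080/auth}"
REALM="${REALM:-waziup}"
CLIENT_ID="${CLIENT_ID:-waziup}"   # resource server the permission is requested for

# claim_token is plain Base64 of a JSON object such as {"owner":["cdupont"]}.
encode_claim_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

decode_claim_token() {
  printf '%s' "$1" | base64 -d
}

# Base64 may contain '+', '/' and '='; in a form-encoded body '+' would be read
# as a space, so escape these before putting the token into the request.
form_escape() {
  printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Form body for the UMA ticket grant. Arguments: audience, "resource#scope",
# optional claims JSON (pushed claims are only added when given).
build_permission_body() {
  audience=$1; permission=$2; claims=$3
  body="grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
  body="$body&audience=$audience"
  body="$body&permission=$permission"
  if [ -n "$claims" ]; then
    body="$body&claim_token=$(form_escape "$(encode_claim_token "$claims")")"
  fi
  printf '%s' "$body"
}

# Sends the request with the user's access token and prints the response,
# which on success carries the RPT (access_token with the granted permissions).
# Arguments: bearer token, "resource#scope", optional claims JSON.
request_permissions() {
  curl -s -X POST \
    -H "Authorization: Bearer $1" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data "$(build_permission_body "$CLIENT_ID" "$2" "$3")" \
    "$KEYCLOAK_BASE/realms/$REALM/protocol/openid-connect/token"
}

# Usage: TOKEN=<user access token> sh uma_request.sh 'Sensors#sensors:update' '{"owner":["cdupont"]}'
if [ -n "${TOKEN:-}" ] && [ $# -ge 1 ]; then
  request_permissions "$TOKEN" "$1" "${2:-}"
fi
```

The claims pushed this way are supplied by the caller, so a JavaScript policy that trusts a pushed owner claim is only as strong as the client that is allowed to push it; keep the client credentials that can reach this endpoint confined to the backend that looks the owner up, as Corentin describes.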

