[keycloak-user] Keycloak 4
Pedro Igor Silva
psilva at redhat.com
Wed Jun 27 12:02:55 EDT 2018
+1
On Wed, Jun 27, 2018 at 12:54 PM, Federico Michele Facca <
federico.facca at martel-innovate.com> wrote:
> hi corentin,
>
> long time!
>
> On 27 June 2018 at 17:21, Corentin Dupont <corentin.dupont at gmail.com>
> wrote:
>
>> That's great, I was able to "share" a resource in my account console.
>> As a keycloak admin, where to see all the sharings performed by users?
>>
>
> that's not possible in ui, you can anyhow run a query to the api.
>
>
>>
>> Also, how to take into account this sharing in permission evaluation?
>> Should I write specific policies to take into resource sharing?
>> For instance, I have a javascript policy to authorize the resource owner
>> to
>> access his resource.
>> Should I write a "is shared with you" policy?
>>
>>
>>
> no, you don't :) UMA policies (so resource sharing by user) have priority
> on any other admin defined policy.
>
> Pedro can correct me if I am wrong :)
>
> Cheers,
> Fede
>
>
>>
>>
>>
>> On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>> > Think we are missing this in docs :)
>> >
>> > You need to enable "User-Managed Access" in Realm Settings (General
>> > tab).
>> >
>> > On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <
>> > corentin.dupont at gmail.com> wrote:
>> >
>> >> OK, interesting: I didn't know about this console :)
>> >> I can access it with my "test" user, but I don't see the "My Resources"
>> >> menu entry (see screenshot).
>> >> I created some resources owned by that user (using the API). But they
>> >> don't show up.
>> >> What did I miss?
>> >>
>> >> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva at redhat.com>
>> >> wrote:
>> >>
>> >>> Yeah, you can access those claims in a JS policy.
>> >>>
>> >>> Regarding the "account management console" take a look here:
>> >>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi
>> >>>
>> >>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
>> >>> corentin.dupont at gmail.com> wrote:
>> >>>
>> >>>> Ok, I see the "claim_token" parameter in the request.
>> >>>> I guess you can retrieve those claims in a javascript rule, from the
>> >>>> evaluation context.
>> >>>>
>> >>>> By the way, I still cannot figure out where the "account management
>> >>>> console" is, where a user can manage other users' access (as per the
>> >>>> release notes)??
>> >>>>
>> >>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva at redhat.com>
>> >>>> wrote:
>> >>>>
>> >>>>> The new form of obtaining entitlements relies solely on the token
>> >>>>> endpoint just like when you are obtaining access tokens using other
>> >>>>> OAuth2 grant types. With that in mind the new format of the request
>> >>>>> should be a HTTP POST + parameters. Check this documentation [1] for
>> >>>>> more details.
>> >>>>>
>> >>>>> Regarding pushing claims to your policies, there is a specific HTTP
>> >>>>> parameter that you can use to pass a Base64 encoded JSON with the
>> >>>>> claims you want to push.
>> >>>>>
>> >>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>> >>>>>
>> >>>>>
>> >>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>> >>>>> corentin.dupont at gmail.com> wrote:
>> >>>>>
>> >>>>>> Thanks Pedro, I went through the pull request.
>> >>>>>> I'm not sure how to modify my entitlement requests?
>> >>>>>> For example I have:
>> >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>> >>>>>> Bearer $TOKEN" -d '{
>> >>>>>> "permissions" : [
>> >>>>>> {
>> >>>>>> "resource_set_name" : "Sensors",
>> >>>>>> "scopes" : [
>> >>>>>> "sensors:update"
>> >>>>>> ]
>> >>>>>> }
>> >>>>>> ]
>> >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/
>> >>>>>> waziup"
>> >>>>>>
>> >>>>>> This call has been moved to uma-2, right?
>> >>>>>> Can I add pushed claims to this call? What I'm imagining is:
>> >>>>>>
>> >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>> >>>>>> Bearer $TOKEN" -d '{
>> >>>>>> "permissions" : [
>> >>>>>> {
>> >>>>>> "resource_set_name" : "Sensors",
>> >>>>>> "scopes" : [
>> >>>>>> "sensors:update"
>> >>>>>> ]
>> >>>>>> }
>> >>>>>> ],
>> >>>>>> claims: ["owner": "cdupont"]
>> >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/
>> >>>>>> waziup"
>> >>>>>>
>> >>>>>> In this example, I would like to push the owner of the sensor
>> >>>>>> ("cdupont"), which I take from our own database before calling the
>> >>>>>> API.
>> >>>>>>
>> >>>>>> Sorry about the questions, maybe I should just wait until the
>> >>>>>> documentation is merged :)
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva at redhat.com>
>> >>>>>> wrote:
>> >>>>>>
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>> We have a few changes to docs that were not released because the
>> >>>>>>> PR [1] was not merged on time. But you can check about pushed
>> >>>>>>> claims (if you are using our adapters) here [2].
>> >>>>>>>
>> >>>>>>> Regards.
>> >>>>>>> Pedro igor
>> >>>>>>>
>> >>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>> >>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>> >>>>>>>
>> >>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>> >>>>>>> corentin.dupont at gmail.com> wrote:
>> >>>>>>>
>> >>>>>>>> Hi guys,
>> >>>>>>>> I'm playing with the new version of Keycloak (
>> >>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>> >>>>>>>>
>> >>>>>>>> I have some questions:
>> >>>>>>>> - where is the "account management console"?
>> >>>>>>>> - How to use pushed claims? Which APIs are affected?
>> >>>>>>>>
>> >>>>>>>> Thanks!
>> >>>>>>>> Corentin
>> >>>>>>>> _______________________________________________
>> >>>>>>>> keycloak-user mailing list
>> >>>>>>>> keycloak-user at lists.jboss.org
>> >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>
>
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* <https://www.martel-innovate.com/> - Professional
> support for innovation projects
>
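An added example, not from this thread or the Keycloak project, of the UMA 2 token-endpoint request Pedro describes: an HTTP POST with form parameters, with the pushed claim carried as Base64-encoded JSON in the claim_token parameter. The base URL, realm, client id, resource name and the "owner" claim are assumptions based on Corentin's setup.

```shell
#!/bin/sh
# Constructed example: ask the Keycloak UMA 2 token endpoint for permissions
# on a resource while pushing an "owner" claim to the authorization policies.
# Assumed values: KC_BASE, REALM, CLIENT_ID, the "Sensors" resource and scope.
KC_BASE="${KC_BASE:-http://localhost:8080/auth}"
REALM="${REALM:-waziup}"
CLIENT_ID="${CLIENT_ID:-waziup}"
GRANT_UMA='urn:ietf:params:oauth:grant-type:uma-ticket'
CLAIM_FMT='urn:ietf:params:oauth:token-type:jwt'

# Base64url-encode a JSON document for claim_token (no padding, no newlines,
# so the value is safe inside a form-encoded body).
encode_claim_token() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Reverse of encode_claim_token: shows what the server will decode.
decode_claim_token() {
  _b=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_b} % 4 )) in 2) _b="${_b}==";; 3) _b="${_b}=";; esac
  printf '%s' "$_b" | base64 -d
}

# Form body for the token endpoint. $1 = "resource#scope", $2 = claims JSON
# (values are arrays, e.g. {"owner":["cdupont"]}).
uma_request_body() {
  printf 'grant_type=%s&audience=%s&permission=%s&claim_token=%s&claim_token_format=%s' \
    "$GRANT_UMA" "$CLIENT_ID" "$1" "$(encode_claim_token "$2")" "$CLAIM_FMT"
}

# Send the request with the user's access token in $TOKEN (not run offline).
# The response, if any permission is granted, carries the RPT in access_token.
request_rpt() {
  curl -s -X POST "$KC_BASE/realms/$REALM/protocol/openid-connect/token" \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "$(uma_request_body "$1" "$2")"
}

# Usage: request_rpt 'Sensors#sensors:update' '{"owner":["cdupont"]}'
```

A JS policy can then read the pushed value from the evaluation context's identity attributes; the server only sees what was Base64-decoded, so the claim must be set by a trusted caller, not by the end user.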