[keycloak-user] UMA 2.0 permissions for service client owned resources

Gary Schulte gary.schulte at opengov.com
Wed Jun 27 17:07:43 EDT 2018


Created https://issues.jboss.org/browse/KEYCLOAK-7726

Thx

On Wed, Jun 27, 2018 at 6:52 AM, Pedro Igor Silva <psilva at redhat.com> wrote:

> This is a scenario we don't support and we need to handle this properly
> instead of throwing those errors.
>
> Currently, user-managed access is based on users granting access to their
> resources when these users are set as the resource owner. Could you open a
> RFE in JIRA with more details about your use case?
>
> Regards.
> Pedro Igor
>
>
> On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte <gary.schulte at opengov.com>
> wrote:
>
>> Another interesting data point, if I create a uma permission ticket for a
>> service-client-owned resource, it breaks not only the authorization
>> evaluation for that resource, but all authorization evaluations - until I
>> delete the permission ticket.
>>
>> On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte <gary.schulte at opengov.com>
>> wrote:
>>
>> > Hello all,
>> >
>> > I have some criteria for resource scope sharing that I am trying to
>> > reconcile.  We are using keycloak to protect data resources.  The data
>> > resources are created with a corresponding keycloak resource and scopes.
>> > These resources are logically owned by the resource creator, but we
>> > want to have the resources technically owned by the service client for
>> > a couple reasons:
>> >
>> >  * resources may be created by CS and "transitioned" to users
>> >  * resources created by users who leave the organization should not be
>> > orphaned
>> >
>> > To accomplish this we have an owner scope which is a proxy for the
>> > actual resource ownership, and the service client actually owns all of
>> > the resources.
>> >
>> > However, we want to allow users to share scopes dynamically.  We are
>> > looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this
>> > sharing, and intend to continue to use policies for our administrative
>> > RBAC scenarios.
>> >
>> > In testing, I have been able to grant and revoke permissions using the
>> > permission ticketing for service-client-owned resources.  However when I
>> > attempt to use the evaluation console to verify the behavior, I get a
>> > 500 error (and no logging on the keycloak side):
>> >
>> >   {"error":"server_error","error_description":"Error while evaluating
>> > permissions."}
>> >
>> > Are UMA 2.0 permissions for service client owned resources a supported
>> > use case?
>> >
>> > TIA
>> >
>> > Gary Schulte
>> >
>>
>

