[keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Federico Michele Facca federico.facca at martel-innovate.com
Sat May 12 08:23:06 EDT 2018


hi,

I did some tests using your example, and I don't think it is working as
expected.

On 11 May 2018 at 18:04, Pedro Igor Silva <psilva at redhat.com> wrote:

>
>
>>
>> Also, out of curiosity is there are a way i can list all resources i can
>> access thanks either to UMA permission or policies?
>> That would be very handful.
>>
>
> You can do that by asking all permissions. See
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions.
>
> There is a cURL example there similar to this:
>
> curl -X POST \
>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
>   -H "Authorization: Bearer ${access_token}" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
>
>
> In the example above you are basically saying that you want an RPT for any
> resource/scope granted to the user as a result of evaluating permissions
> associated with resources of which either the user or the resource server is
> the owner. But yeah, depending on how many resources, you will get a huge
> RPT which can take some time to be issued.
>


My set-up is as follows:
1. I have a policy that says that the owner of a resource is authorised
with the scopes read, write and delete. This policy is attached to a resource
with a * path (e.g. /resource/*).
2. User A creates a resource /resource/A
3. User A asks for all permissions. He is told he can do anything on
/resource/A

So far so good. Now comes the part that I believe is not working as I would
expect.

4. User B creates a resource /resource/B
5. User B shares resource B with User A
6. User A asks for all permissions. He is told he can do anything on /resource/A,
but no information is returned about resource B, despite there being a
permission granted.

It looks like User A can check if he can access resource B only if I create
a permission ticket and I specifically check that, but as a requester,
I don't know in advance if I am authorised to access a resource via UMA
ticket or via another policy.

In fact, if I ask whether I have read permission using the permission parameter, I
get not authorised:

curl --request POST \
  --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
  --header 'Authorization: Bearer xxx' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&permission=da2fdbf6-076e-4716-8b91-2c7feeda8bee%23read&audience=test'

while if I create a ticket for that resource with permission read, I get
authorised.

It looks like when asking for permissions, UMA permissions and policy-based
permissions are kept totally separate, which I don't think should be
the case.
If not, knowing which resources you can access becomes super complex.

Federico

-- 
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
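As an added illustration (not code from this thread or from Keycloak), a small Python helper that builds the uma-ticket request body used above, with or without the permission parameter, and reads the RPT's authorization.permissions claim to list which resources and scopes were actually granted, so the caller can see which expected grants (such as the shared resource B) are absent from the "all permissions" RPT. The claim layout (rsid/rsname/scopes), the resource ids and the sample RPT are constructed assumptions; the sample token is unsigned so the script runs offline.

```python
import base64
import json
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def build_rpt_request(audience, permissions=()):
    """Form body for the token endpoint. permissions: (resource_id, scope) pairs,
    scope may be None; empty asks for everything, as in the quoted cURL example."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    for rsid, scope in permissions:
        fields.append(("permission", rsid if scope is None else f"{rsid}#{scope}"))
    return urlencode(fields)  # ':' -> %3A and '#' -> %23, like the request above

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(text):
    return base64.urlsafe_b64encode(text.encode()).rstrip(b"=").decode()

def granted_permissions(rpt):
    """Map resource id -> set of scopes from the RPT payload.
    The 'authorization.permissions' entries with 'rsid'/'scopes' keys are an
    assumption about Keycloak's RPT layout. Only the payload is decoded: the
    JWS signature is not checked here, so verify the token before trusting it."""
    payload = json.loads(_b64url_decode(rpt.split(".")[1]))
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        granted.setdefault(perm["rsid"], set()).update(perm.get("scopes", []))
    return granted

def missing_grants(rpt, expected):
    """(resource_id, scope) pairs in expected that the RPT does not carry."""
    granted = granted_permissions(rpt)
    return [(r, s) for r, s in expected if s not in granted.get(r, set())]

def _constructed_rpt(permissions):
    # Constructed, unsigned (alg=none) token so the example runs offline.
    header = _b64url_encode(json.dumps({"alg": "none"}))
    payload = _b64url_encode(json.dumps({"authorization": {"permissions": permissions}}))
    return f"{header}.{payload}."

# Constructed sample RPT (ids made up): only A's own /resource/A is listed, shared B is absent.
SAMPLE_RPT = _constructed_rpt(
    [{"rsid": "res-a-id", "rsname": "/resource/A", "scopes": ["read", "write", "delete"]}])
EXPECTED = [("res-a-id", "read"), ("res-b-id", "read")]
if __name__ == "__main__":
    print(build_rpt_request("test", [("res-b-id", "read")]))
    print(missing_grants(SAMPLE_RPT, EXPECTED))  # [('res-b-id', 'read')]
```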

