[keycloak-user] UMA fine grained management in the client itself

Pedro Igor Silva psilva at redhat.com
Wed Nov 14 10:21:12 EST 2018


Hi, answers inline. In general, I need to document this endpoint:
https://github.com/keycloak/keycloak/blob/5a9bfea419f37267afb656ea4bfce1ff1489384f/services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java#L57

On Tue, Nov 13, 2018 at 6:56 PM Pierre Nowak <pnowak.pierre at gmail.com>
wrote:

> Hello,
>
> I have difficulties finding the best way of protecting resources using
> Authorization Services or UMA.
>
> Here is the following problem:
>
> user1 creates resource/item/id1
> user2 creates resource/item/id2
>
> I want to be able in my nodejs confidential client to:
>
>    1. list users that have access to a specific item  (eg: item/id1)
>

Being the resource owner, user1 will always have access to item/id1, I
guess. To fetch other users with access to this resource after the resource
owner's approval, you can use this example [1].

[1]
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L101


>    2. list all resources a user has access to (not only the ones he has,
>    but also the ones other users shared with him)
>

The same as above.


>    3. permit a user to access a resource
>

The same endpoint also allows you to create permission tickets and grant
access to the resource. Best is to follow the UMA flow, though, for privacy
reasons.


>    4. remove the access of a user to a resource
>

Same endpoint as above.


>
> I saw in the photoz UMA example a nice UI directly in Keycloak. I would like
> to reproduce this tab directly in my client, calling APIs to Keycloak. The
> reason is the tab in the account page doesn't give enough functionality, for
> example if I want to join some detail about the resources that would only
> be available in my resource server.
>
> I saw the resource set API and a node package (
> https://github.com/proficonf/keycloak-authz) that tries to manage the
> resources only, but I can't find APIs that directly handle the 4 steps I
> just mentioned.
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
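Worked example for the four steps above, added to this archived thread; it is not from either message and not Keycloak's own code. It shows how a Node.js confidential client acting as the UMA resource server drives the permission-ticket endpoint of the Protection API (the PermissionTicketService linked at the top of the reply): list who has access to an item, list what was shared with a user, grant, and revoke. Endpoint path, query parameters (resourceId, owner, requester, granted, returnNames) and ticket fields follow the Keycloak Authorization Services guide; the server URL, realm, client credentials and every id are placeholders, and the sample ticket list is constructed, not captured. Requests are built as plain objects and sent separately so the logic can be checked offline.

```javascript
// Added example, not Keycloak code. Node.js helper for a confidential client
// acting as UMA resource server against the Protection API ticket endpoint.
// Paths/params follow the Keycloak Authorization Services guide; serverUrl,
// realm, client credentials and all ids below are placeholders.

const cfg = {
  serverUrl: 'https://keycloak.example.com/auth', // placeholder ("/auth" prefix is gone on newer Keycloak)
  realm: 'demo',                                   // placeholder
  clientId: 'item-service',                        // placeholder: the client that registered the items
  clientSecret: 'change-me',                       // placeholder
};

const TICKET_PATH = '/authz/protection/permission/ticket';

// A PAT (protection API token) is a client_credentials token for the
// resource-server client; no end user is involved in obtaining it.
function tokenRequest(c) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials', client_id: c.clientId, client_secret: c.clientSecret,
  });
  return {
    url: `${c.serverUrl}/realms/${c.realm}/protocol/openid-connect/token`,
    init: { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: body.toString() },
  };
}

// Generic request against the ticket endpoint, authorised with the PAT.
function ticketRequest(c, pat, { method = 'GET', id = '', query = {}, json } = {}) {
  const params = new URLSearchParams();
  for (const [k, v] of Object.entries(query)) if (v !== undefined) params.set(k, String(v));
  const qs = params.toString();
  const init = { method, headers: { Authorization: `Bearer ${pat}` } };
  if (json !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(json);
  }
  return { url: `${c.serverUrl}/realms/${c.realm}${TICKET_PATH}${id ? '/' + id : ''}${qs ? '?' + qs : ''}`, init };
}

// 1. Users with access to one item: granted tickets on that resource. Passing
//    the calling user's id as `owner` makes Keycloak return nothing when the
//    caller does not own the resource, so one user cannot read another user's
//    sharing list through your API (the privacy point in the reply).
function usersWithAccessRequest(c, pat, resourceId, callerUserId) {
  return ticketRequest(c, pat, { query: { resourceId, owner: callerUserId, granted: true, returnNames: true } });
}

// 2. Resources shared with a user: granted tickets where the user is the
//    requester. Items the user owns are not tickets; list those from the
//    resource registration endpoint (/authz/protection/resource_set?owner=...).
function sharedWithUserRequest(c, pat, userId) {
  return ticketRequest(c, pat, { query: { requester: userId, granted: true, returnNames: true } });
}

// 3. Grant access: create an already-granted ticket for a requester and scope.
//    Call this only after your resource server has verified that the caller
//    owns the resource; otherwise use the UMA flow the reply recommends
//    (requester asks, owner approves in the account console).
function grantRequest(c, pat, resourceId, requesterUserId, scopeName) {
  return ticketRequest(c, pat, {
    method: 'POST', json: { resource: resourceId, requester: requesterUserId, granted: true, scopeName },
  });
}

// 4. Revoke access: delete the ticket by id (find it via usersWithAccessRequest).
function revokeRequest(c, pat, ticketId) {
  return ticketRequest(c, pat, { method: 'DELETE', id: ticketId });
}

// Reduce ticket representations (returnNames=true adds the *Name fields) to
// what a "shared with" tab in the client would display.
function summarize(tickets) {
  return tickets.map((t) => ({
    ticketId: t.id, userId: t.requester, user: t.requesterName, resource: t.resourceName, scope: t.scopeName,
  }));
}

// Execute a built request with fetch (built into Node 18+) and parse JSON.
async function send(req, fetchFn = globalThis.fetch) {
  const res = await fetchFn(req.url, req.init);
  if (!res.ok) throw new Error(`${req.init.method} ${req.url} -> HTTP ${res.status}`);
  return res.status === 204 ? null : res.json();
}

// Constructed sample response: two granted tickets on user1's item as the
// endpoint would return them with returnNames=true. Not captured from a server.
const SAMPLE_TICKETS = [
  { id: 't-1', owner: 'u-1', ownerName: 'user1', resource: 'r-1', resourceName: 'item/id1',
    requester: 'u-2', requesterName: 'user2', scope: 's-1', scopeName: 'view', granted: true },
  { id: 't-2', owner: 'u-1', ownerName: 'user1', resource: 'r-1', resourceName: 'item/id1',
    requester: 'u-3', requesterName: 'user3', scope: 's-2', scopeName: 'edit', granted: true },
];
```

Typical sequence: `const pat = (await send(tokenRequest(cfg))).access_token;` then `summarize(await send(usersWithAccessRequest(cfg, pat, resourceId, callerSub)))`, where `callerSub` is the `sub` of the access token your Node client has already verified; revocation chains `usersWithAccessRequest` and `revokeRequest` on the returned `ticketId`. The only thing the resource server adds over the account-console tab is this ownership check; the data itself is the ticket list, so you can join it with your own item details as the question asks. Check the parameter names against the documentation of the Keycloak version you run, since the reply notes this endpoint was not yet documented.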

