[keycloak-user] UMA and large resource sets

Pedro Igor Silva psilva at redhat.com
Wed Aug 21 14:50:02 EDT 2019


Hi,

You may be interested in the discussions [1] we had in the past with the
community about data filtering/security. It should give you an idea about
what we are missing and how to extend some of our capabilities to filter
data on your application based on the permissions granted by Keycloak.

It seems you can benefit from "pushed claims" in order to communicate a
filter from your policies to your application so that you filter
(dynamically) resources based on the user making a request. For the second
part where you want to obtain shared resources, you could take a look at
this quickstart [2]. Unfortunately, we don't have the API that allows you
to manage shared resources documented.

[1]
https://lists.jboss.org/pipermail/keycloak-user/2018-November/016083.html
[2]
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L101

Regards.
Pedro Igor

On Wed, Aug 21, 2019 at 8:14 AM Asbjørn Dyhrberg Thegler <asbjoern at gmail.com>
wrote:

> Hello there,
>
> I am implementing a Node.js resource server and I currently struggle with
> figuring out how to let a user list all their resources from a specific
> resource set.
>
> For example, a user can GET /activities and get all their own activities,
> but not other users'. I am not certain of how to create a UMA permission
> ticket for that request, since I don't already know the IDs of the user's
> activities. Further, the user could have access to other users' activities
> through resource sharing. This list is potentially very large (as in
> thousands of IDs), and I don't imagine putting that large a JWT in a header
> is a good idea either.
>
> What is the recommended way to handle this?
>
> I am wondering if I should let the resource server itself query Keycloak
> for a list of IDs for all its own activities and activities shared with the
> user - but I can't seem to figure out which API endpoint lets me do
> this in Keycloak 6.0.1, since the Entitlement API has been deprecated.
>
> Thanks for your help, I really enjoy working with Keycloak so far. :)
>
> Regards, Asbjørn
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
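Pedro's "pushed claims" suggestion above, worked through as an added example (this is not code from the thread or from the Keycloak project): the policy attached to the `activities` resource pushes a small claim set into the granted permission, and the Node.js resource server turns those claims into a filter over its own activity store, so the RPT never has to carry thousands of activity IDs. The claim names (`owner`, `include_shared`), the resource name `activities` and the sample token are this example's assumptions; the only Keycloak specifics relied on are `$evaluation.getPermission().addClaim()` on the policy side and the `authorization.permissions[].claims` map in the RPT.

```javascript
// Added example, not code from this thread or from the Keycloak project.
// A Node.js resource server turns the "pushed claims" in an RPT into a data
// filter for GET /activities, so the token stays small and the server
// queries its own store for what the user owns or has been shared.
//
// Assumed set-up (claim names are this example's, not Keycloak's): a policy
// on the "activities" resource adds claims to the granted permission, roughly
//   var identity = $evaluation.getContext().getIdentity();
//   $evaluation.getPermission().addClaim('owner', identity.getId());
//   $evaluation.getPermission().addClaim('include_shared', 'true');
// and Keycloak serialises them into the RPT under
// authorization.permissions[].claims as arrays of strings.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decodes the payload only. Signature verification is assumed to have been
// done already by the adapter (keycloak-connect) or a JOSE library; claims
// from a token whose signature was not checked must not be used as a filter.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Collects the filter pushed by the policy for the "activities" resource.
// No matching permission means no access: the caller gets an ungranted filter.
function extractActivityFilter(rptPayload) {
  const permissions = (rptPayload.authorization && rptPayload.authorization.permissions) || [];
  const filter = { granted: false, owners: new Set(), includeShared: false };
  for (const p of permissions) {
    if (p.rsname !== 'activities') continue;
    filter.granted = true;
    const claims = p.claims || {};
    for (const owner of claims.owner || []) filter.owners.add(owner);
    if ((claims.include_shared || []).includes('true')) filter.includeShared = true;
  }
  return filter;
}

// Applies the filter to the server's own activity records; the list of
// shared activity IDs lives in the server's store, never in the token.
function filterActivities(activities, filter, subject) {
  if (!filter.granted) return [];
  return activities.filter(a =>
    filter.owners.has(a.owner) ||
    (filter.includeShared && a.sharedWith.includes(subject)));
}

// What a GET /activities handler would call after the adapter verified the RPT.
function listActivitiesForToken(rpt, activities) {
  const payload = decodeJwtPayload(rpt);
  const filter = extractActivityFilter(payload);
  return filterActivities(activities, filter, payload.sub);
}

// ---- constructed sample data (not real Keycloak output) ----
function buildConstructedRpt(payload) {
  const header = { alg: 'none-constructed', typ: 'JWT' };
  return [base64UrlEncode(JSON.stringify(header)),
          base64UrlEncode(JSON.stringify(payload)),
          'constructed-signature'].join('.');
}

const SUBJECT = 'user-alice';
const SAMPLE_RPT = buildConstructedRpt({
  sub: SUBJECT,
  authorization: { permissions: [
    { rsid: 'res-activities', rsname: 'activities', scopes: ['view'],
      claims: { owner: [SUBJECT], include_shared: ['true'] } } ] }
});
const SAMPLE_RPT_NO_GRANT = buildConstructedRpt({ sub: SUBJECT, authorization: { permissions: [] } });

const SAMPLE_ACTIVITIES = [
  { id: 'a1', owner: 'user-alice', sharedWith: [] },
  { id: 'a2', owner: 'user-bob',   sharedWith: ['user-alice'] },
  { id: 'a3', owner: 'user-bob',   sharedWith: [] },
  { id: 'a4', owner: 'user-alice', sharedWith: ['user-bob'] },
];

console.log(listActivitiesForToken(SAMPLE_RPT, SAMPLE_ACTIVITIES).map(a => a.id));
```

The design choice is that the token only states who the caller is and whether sharing applies; which activities are shared with that user is resolved by the resource server against its own records (or, as in the photoz quickstart, against Keycloak's resource API), which keeps the RPT header-sized regardless of how many activities exist. A request whose RPT carries no permission for the resource gets an empty list rather than a partial one.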
