[keycloak-user] UMA and large resource sets

Pedro Igor Silva psilva at redhat.com
Wed Aug 21 14:51:45 EDT 2019


Sorry, regarding the API documentation, we have this section in the docs:
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_permission_api_papi

On Wed, Aug 21, 2019 at 3:50 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> You may be interested in the discussions [1] we had in the past with the
> community about data filtering/security. It should give you an idea about
> what we are missing and how to extend some of our capabilities to filter
> data on your application based on the permissions granted by Keycloak.
>
> It seems you can benefit from "pushed claims" in order to communicate a
> filter from your policies to your application so that you filter
> (dynamically) resources based on the user making a request. For the second
> part where you want to obtain shared resources, you could take a look at
> this quickstart [2]. Unfortunately, we don't have the API that allows you
> to manage shared resources documented.
>
> [1]
> https://lists.jboss.org/pipermail/keycloak-user/2018-November/016083.html
> [2]
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L101
>
> Regards.
> Pedro Igor
>
> On Wed, Aug 21, 2019 at 8:14 AM Asbjørn Dyhrberg Thegler <
> asbjoern at gmail.com> wrote:
>
>> Hello there,
>>
>> I am implementing a Node.js resource server and I currently struggle with
>> figuring out how to let a user list all their resources from a specific
>> resource set.
>>
>> For example, a user can GET /activities and get all their own activities,
>> but not other users'. I am not certain of how to create a UMA permission
>> ticket for that request, since I don't already know the IDs of the user's
>> activities. Further, the user could have access to other users' activities
>> through resource sharing. This list is potentially very large (as in
>> thousands of IDs), and I don't imagine putting that large a JWT in a header
>> is a good idea either.
>>
>> What is the recommended way to handle this?
>>
>> I am wondering if I should let the resource server itself query KeyCloak
>> for a list of IDs for all its own activities and activities shared with the
>> user - but I can't seem to figure out which API endpoint lets me do
>> this in KeyCloak 6.0.1, since the Entitlement API has been deprecated.
>>
>> Thanks for your help, I really enjoy working with KeyCloak so far. :)
>>
>> Regards, Asbjørn

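As an added example (not code from this thread, from Keycloak, or from the quickstart), the following sketches the two halves of Pedro's suggestion for a Node.js resource server: requesting an RPT from the UMA token endpoint with pushed claims, and turning the per-permission claims a policy places in the RPT into a data filter for GET /activities. The token URL, the client name "activities-api", the resource name "Activities", the claim name "allowedOwners" and the sample RPT payload are assumptions made for the example.

```javascript
// Added example; names and sample data below are assumed, not taken from the thread.
const KC_TOKEN_URL =
  'https://keycloak.example/auth/realms/demo/protocol/openid-connect/token'; // placeholder

// Form body for the UMA grant. Keycloak accepts pushed claims as a base64-encoded
// JSON document in claim_token with claim_token_format set to the JWT token type.
function buildUmaTokenRequest({ audience, permissions = [], pushedClaims = {} }) {
  const params = new URLSearchParams();
  params.set('grant_type', 'urn:ietf:params:oauth:grant-type:uma-ticket');
  params.set('audience', audience);
  for (const p of permissions) params.append('permission', p); // e.g. "Activities#view"
  if (Object.keys(pushedClaims).length > 0) {
    params.set('claim_token', Buffer.from(JSON.stringify(pushedClaims)).toString('base64'));
    params.set('claim_token_format', 'urn:ietf:params:oauth:token-type:jwt');
  }
  return params.toString();
}

// Exchange the caller's access token for an RPT (network call, not run offline).
async function requestRpt(accessToken, body) {
  const res = await fetch(KC_TOKEN_URL, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body,
  });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return (await res.json()).access_token; // the RPT; verify its signature before use
}

// Collect the owner ids a policy pushed into the RPT for one resource. Takes the
// already verified RPT payload. No matching permission yields an empty filter,
// so a missing or foreign RPT never widens to "all rows".
function allowedOwners(rptPayload, resourceName) {
  const perms = (rptPayload.authorization && rptPayload.authorization.permissions) || [];
  const owners = new Set();
  for (const p of perms) {
    if (p.rsname !== resourceName) continue;
    for (const id of (p.claims && p.claims.allowedOwners) || []) owners.add(id);
  }
  return owners;
}

// GET /activities: return only rows whose owner is in the pushed filter, so the
// list of ids never has to travel in the token itself.
function filterActivities(activities, rptPayload) {
  const owners = allowedOwners(rptPayload, 'Activities');
  return activities.filter((a) => owners.has(a.ownerId));
}
```

The pushed claim has to be produced on the Keycloak side by a policy attached to the "Activities" resource; the resource server only consumes it.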
