[keycloak-user] Manage Access to Resources via own App

Pedro Igor Silva psilva at redhat.com
Tue Dec 10 05:34:51 EST 2019


On Tue, Dec 10, 2019 at 6:40 AM David Sautter <
David.Sautter at rohde-schwarz.com> wrote:

> Hi Pedro,
>
> I took a look at the endpoints and now wonder what the correct URL of each
> of those is:
>
> 1.     show Resources shared with me:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java#L87
>
+1


> 2.     show Resources shared with others (and show with whom it is
> shared):
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java#L106
>

+1


> 3.     Query Resource with specific attribute set to a specific value
> (not found)
>
Not supported. The Account REST API provides some basic filter parameters
(e.g. name), and we have this:
https://www.keycloak.org/docs/latest/authorization_services/index.html#getting-permission-tickets.
None of them provides support for querying based on attributes.


> 4.     Show waiting permission requests:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java#L169
>
+1

> 5.     Grant a new scope-based permission to another user on a specific
> Resource:
>
Both should work, but it depends on what you want to do ...

>
> is it this?
> https://www.keycloak.org/docs/latest/authorization_services/index.html#associating-a-permission-with-a-resource
>
This endpoint allows you to create permissions for user-owned resources
without having to go through the whole UMA flow (using a permission
ticket). It provides a "share" behavior but uses different policies, such
as roles, groups, etc., so that you can share, for instance, the user's
resource with a group of users, a single user, etc.

Permissions created here are automatically granted (no approval) and can be
revoked by the resource owner.

>
> or rather this?
> https://www.keycloak.org/docs/latest/authorization_services/index.html#creating-permission-ticket-2
>
This one allows you to create UMA permissions just as you would when
doing the UMA flow. It is user-to-user sharing (unlike the other one,
which allows you to define different policies).

>
> which one is associated to the waiting permission requests from 4.?
>
The second one. But like I said, permissions created through #1 can be
*revoked* anytime by the user too.

> 6.     Revoke a granted permission:
> correct?
> https://www.keycloak.org/docs/latest/authorization_services/index.html#deleting-permission-ticket
>
+1

>
>
> It would be very nice, if you could clarify those points. Thank you very
> much!
>
>
> Best Regards,
> *David Sautter*
>
> Rohde & Schwarz GmbH & Co. KG
> Postbox 80 14 69, D-81614 Muenchen
> Dept. 1DS5
>
> Fon: +49 89 4129 15256
> Email: David.Sautter at rohde-schwarz.com
>
> The content of this e-mail is intended exclusively for the intended
> addressee(s). It may contain information that is confidential and/or
> legally protected. Any viewing, forwarding, distribution or use by persons
> or entities other than the intended addressee is prohibited.
> If you have received this e-mail in error, please inform the sender and
> delete the material from your computer.
>
> If you are not the intended recipient of this message, you are hereby
> notified that any dissemination, use or distribution of this message is
> unauthorized and prohibited. Please immediately notify the sender that you
> have received this message and destroy the original.
> Although this message has been checked for viruses, it is not guaranteed
> to be virus-free. You are strongly advised to perform another virus check
> of any attachment before opening it.
>
> Geschäftsführung / Executive Board: Christian Leicher (Vorsitzender /
> Chairman), Peter Riedel, Sitz der Gesellschaft / Company's Place of
> Business: München, Registereintrag / Commercial Register No.: HRA 16 270,
> Persönlich haftender Gesellschafter / Personally Liable Partner: RUSEG
> Verwaltungs-GmbH, Sitz der Gesellschaft / Company's Place of Business:
> München, Registereintrag / Commercial Register No.: HRB 7 534,
> Umsatzsteuer-Identifikationsnummer (USt-IdNr.) / VAT Identification No.: DE
> 130 256 683, Elektro-Altgeräte Register (EAR) / WEEE Register No.: DE 240
> 437 86
>
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Thursday, December 5, 2019 7:11 PM
> *To:* Sautter David 1DS5 <David.Sautter at rohde-schwarz.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* *EXT* Re: [keycloak-user] Manage Access to Resources via own
> App
>
>
>
> Hi David,
>
>
>
> You can take a look at the work that has been done so far to the new
> account console, which now relies on an API [1] (documentation is a WIP) to
> manage resources.
>
>
>
> From our doc side, I would suggest you to look here:
>
>
>
> *
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_api
>
> *
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz
>
>
>
> [1]
> https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/services/resources/account/resources
>
>
>
> Regards.
>
> Pedro Igor
>
>
>
> On Thu, Dec 5, 2019 at 4:33 AM David Sautter <
> David.Sautter at rohde-schwarz.com> wrote:
>
> Hello,
> I want to build an application that looks like the "My-Resources" site
> which Keycloak provides.
> It should be possible to share access to different Resources defined on
> different clients and also to list those shares, etc.
> I'm trying to find the relevant endpoints I would need to call from my
> application. Is there a place where I can see the exact requests that the
> "My-Resources" site is doing (it's server rendered...)?
>
> Best Regards,
> David Sautter
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
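Pulling the endpoints discussed in the thread together, here is an added example (not code from the thread, from Keycloak, or from either poster) of a small client for the Protection API calls behind points 5, 4 and 6: creating an already-granted permission ticket (the user-to-user share), listing tickets still waiting for the owner's approval, deleting a ticket (revoke), and creating a UMA policy on a resource (the policy-based share with groups, roles, users or clients). Paths and JSON fields follow the Keycloak authorization-services documentation linked above. The host, realm, resource and user ids, tokens, the group path, and the `transport` seam with its `RecordingTransport` are assumptions made for this example so that the exact requests can be inspected without a running server; the account-console endpoints (points 1 and 2) are not wrapped because the thread only links their source, not their request shapes. Which bearer token each endpoint accepts (the resource server's PAT or a token obtained for the resource owner) is left to the caller.

```python
"""Client for the Keycloak Protection API endpoints named in the thread
(permission tickets and the UMA policy API). Added example, not Keycloak code.
Paths and JSON fields follow the Keycloak authorization-services docs; host,
realm, ids, tokens and the group path are placeholders, and `transport` is a
hypothetical seam so requests can be inspected without a server."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]):
    """Default transport: perform the HTTP call, return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class ProtectionApi:
    """Thin wrapper over /realms/{realm}/authz/protection/... .
    Which bearer token a call needs (resource server PAT or a token for the
    resource owner) depends on the endpoint and is supplied by the caller."""

    def __init__(self, base_url: str, realm: str, transport: Callable = urllib_transport):
        self.base = f"{base_url.rstrip('/')}/realms/{realm}/authz/protection"
        self.transport = transport

    def _call(self, method, path, token, payload=None, query=None):
        url = self.base + path
        if query:
            # drop unset filters so e.g. granted=None does not become "granted=None"
            params = {k: v for k, v in query.items() if v is not None}
            url += "?" + urllib.parse.urlencode(params)
        headers = {"Authorization": f"Bearer {token}"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        return self.transport(method, url, headers, body)

    # Points 5 (ticket variant), 4 and 6 of the thread: the permission ticket API
    def grant_to_user(self, token, resource_id, user_id, scope_name):
        """Create an already-granted ticket: user-to-user share, no approval step."""
        ticket = {"resource": resource_id, "requester": user_id,
                  "granted": True, "scopeName": scope_name}
        return self._call("POST", "/permission/ticket", token, payload=ticket)

    def pending_requests(self, token, resource_id):
        """Tickets on a resource still waiting for the owner's decision (granted=false)."""
        query = {"resourceId": resource_id, "granted": "false", "returnNames": "true"}
        return self._call("GET", "/permission/ticket", token, query=query)

    def revoke(self, token, ticket_id):
        """Delete a ticket; the grant it represented stops applying."""
        return self._call("DELETE", f"/permission/ticket/{ticket_id}", token)

    # Point 5 (policy variant): UMA policy API, share via groups/roles/users/clients
    def share_with_groups(self, owner_token, resource_id, name, scopes, groups):
        policy = {"name": name, "scopes": list(scopes), "groups": list(groups)}
        return self._call("POST", f"/uma-policy/{resource_id}", owner_token, payload=policy)


class RecordingTransport:
    """Constructed stand-in for the network: records each request and returns a
    canned body, so the request shapes can be checked offline."""

    def __init__(self, canned=None):
        self.calls = []
        self.canned = canned if canned is not None else {}

    def __call__(self, method, url, headers, body):
        self.calls.append({"method": method, "url": url, "headers": headers,
                           "json": json.loads(body) if body else None})
        return 200, self.canned


def demo():
    """Issue the four calls from the thread against the recorder; return what was sent."""
    rec = RecordingTransport(canned=[{"id": "t-1", "granted": False}])
    api = ProtectionApi("https://sso.example.test", "demo", transport=rec)  # placeholders
    api.grant_to_user("PAT", "res-1", "user-2", "view")
    api.pending_requests("PAT", "res-1")
    api.revoke("PAT", "t-1")
    api.share_with_groups("OWNER_TOKEN", "res-1", "share with dept", ["view"], ["/dept-1ds5"])
    return rec.calls


if __name__ == "__main__":
    for call in demo():
        print(call["method"], call["url"], call["json"])
```

Run it directly to print the four requests. The PAT is the resource server's own credential, and a ticket created with it is granted with no approval step, so an application replacing the "My Resources" page should call these endpoints from its own backend rather than ship the PAT to the browser; the UMA policy endpoint is meant to be called on the owner's behalf, so pass a token obtained for the owner there, which also keeps the owner in a position to revoke the share later.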