[keycloak-user] Manage Access to Resources via own App

David Sautter David.Sautter at rohde-schwarz.com
Tue Dec 10 06:19:53 EST 2019


Hello Pedro,

thank you very much, that is indeed helpful.

One thing is still missing in my picture: What is the whole URL path to the Resources Service?

Thanks!


Best Regards,
David Sautter

Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter at rohde-schwarz.com

The content of this e-mail is intended exclusively for the addressee(s). It may contain information that is confidential and/or legally protected. Any viewing, forwarding, distribution or use by persons or entities other than the intended addressee is prohibited.
If you have received this e-mail in error, please inform the sender and delete the material from your computer.

If you are not the intended recipient of this message, you are hereby notified that any dissemination, use or distribution of this message is unauthorized and prohibited. Please immediately notify the sender that you have received this message and destroy the original.
Although this message has been checked for viruses, it is not guaranteed to be virus-free. You are strongly advised to perform another virus check of any attachment before opening it.

Geschäftsführung / Executive Board: Christian Leicher (Vorsitzender / Chairman), Peter Riedel, Sitz der Gesellschaft / Company's Place of Business: München, Registereintrag / Commercial Register No.: HRA 16 270, Persönlich haftender Gesellschafter / Personally Liable Partner: RUSEG Verwaltungs-GmbH, Sitz der Gesellschaft / Company's Place of Business: München, Registereintrag / Commercial Register No.: HRB 7 534, Umsatzsteuer-Identifikationsnummer (USt-IdNr.) / VAT Identification No.: DE 130 256 683, Elektro-Altgeräte Register (EAR) / WEEE Register No.: DE 240 437 86


From: Pedro Igor Silva <psilva at redhat.com>
Sent: Tuesday, December 10, 2019 11:35 AM
To: Sautter David 1DS5 <David.Sautter at rohde-schwarz.com>
Cc: keycloak-user at lists.jboss.org
Subject: *EXT* Re: Re: [keycloak-user] Manage Access to Resources via own App




On Tue, Dec 10, 2019 at 6:40 AM David Sautter <David.Sautter at rohde-schwarz.com> wrote:
Hi Pedro,

thank you very much for your reply.

I took a look at the endpoints and now wonder what the correct URL of each of those is:

1. Show Resources shared with me:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java#L87
+1


2. Show Resources shared with others (and show with whom they are shared):
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java#L106

+1


3. Query Resource with a specific attribute set to a specific value (not found)
Not supported. The Account REST API provides some basic filter parameters (e.g.: name) and we have this https://www.keycloak.org/docs/latest/authorization_services/index.html#getting-permission-tickets. None of them provide support for querying based on attributes.


4. Show waiting permission requests:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java#L169
+1

5. Grant a new scope-based permission to another user on a specific Resource:
Both should work, but depend on what you want to do ...

is it this? https://www.keycloak.org/docs/latest/authorization_services/index.html#associating-a-permission-with-a-resource
This endpoint allows you to create permissions for user-owned resources without having to go through the whole UMA flow (using a permission ticket). It provides a "share" behavior but using different policies such as roles, group, etc. So that you can share, for instance, the user resource with a group of users, a single user, etc.

Permissions created here are automatically granted (no approval) and can be revoked by the resource owner.

or rather this? https://www.keycloak.org/docs/latest/authorization_services/index.html#creating-permission-ticket-2
This one allows you to create the UMA permissions just as you would when doing the UMA flow. It is user-to-user sharing (different from the other one, which allows you to define different policies).

Which one is associated with the waiting permission requests from 4.?
The second one. But like I said, permissions created through #1 can be *revoked* anytime by the user too.

6. Revoke a granted permission:
correct? https://www.keycloak.org/docs/latest/authorization_services/index.html#deleting-permission-ticket
+1

It would be very nice if you could clarify those points. Thank you very much!


Best Regards,
David Sautter






From: Pedro Igor Silva <psilva at redhat.com>
Sent: Thursday, December 5, 2019 7:11 PM
To: Sautter David 1DS5 <David.Sautter at rohde-schwarz.com>
Cc: keycloak-user at lists.jboss.org
Subject: *EXT* Re: [keycloak-user] Manage Access to Resources via own App

Hi David,

You can take a look at the work that has been done so far on the new account console, which now relies on an API [1] (documentation is a WIP) to manage resources.

From our doc side, I would suggest you look here:

* https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_api
* https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz

[1] https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/services/resources/account/resources

Regards.
Pedro Igor

On Thu, Dec 5, 2019 at 4:33 AM David Sautter <David.Sautter at rohde-schwarz.com> wrote:
Hello,
I want to build an application that looks like the “My-Resources” site which Keycloak provides.
It should be possible to share access to different Resources defined on different clients and also list those shares, etc.
I’m trying to find the relevant endpoints I would need to call from my application. Is there a place where I can see the exact requests that the “My-Resources” site is doing (it’s server rendered…)?

Best Regards,
David Sautter



_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
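As an added example (not code from this thread, the Keycloak project, or the quickstarts), the small Python client below encodes the distinction Pedro draws in item 5 between the two sharing mechanisms, plus the pending-request listing from item 4 and the revocation from item 6. The base URL, realm, tokens and ids are constructed; the Protection API paths and the owner-token requirement for the uma-policy endpoint are assumptions taken from the Keycloak documentation linked above, and the transport is an offline recorder so the script runs without a server.

```python
from typing import Any, Callable, Dict, Optional, Tuple

# Constructed base URL for this example (host and realm are made up).
BASE = "https://keycloak.example.com/realms/photoz"
# Transport signature: (method, url, headers, json_body) -> (status, json_reply).
Http = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Tuple[int, Any]]


def _auth(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def share_by_policy(http: Http, owner_token: str, resource_id: str, scopes: list,
                    users=(), groups=(), roles=()) -> Tuple[int, Any]:
    """Item 5, first option: the owner attaches a UMA policy to the resource.
    The grant is immediate (no approval step). Assumption from the docs: the bearer
    is the resource owner's own access token, not the resource server's PAT, and the
    policy may target users, groups or roles, which a permission ticket cannot."""
    body = {"name": f"share:{resource_id}", "scopes": list(scopes),
            "users": list(users), "groups": list(groups), "roles": list(roles)}
    return http("POST", f"{BASE}/authz/protection/uma-policy/{resource_id}", _auth(owner_token), body)


def share_by_ticket(http: Http, pat: str, resource_id: str, requester_id: str,
                    scope: str, granted: bool = True) -> Tuple[int, Any]:
    """Item 5, second option: user-to-user share as a permission ticket, sent with the
    resource server's PAT. granted=False instead records a request the owner must approve."""
    body = {"resource": resource_id, "requester": requester_id, "granted": granted, "scopeName": scope}
    return http("POST", f"{BASE}/authz/protection/permission/ticket", _auth(pat), body)


def pending_requests(http: Http, pat: str, owner_id: str) -> Tuple[int, Any]:
    """Item 4: the tickets still waiting for the owner's decision are those with granted=false."""
    url = f"{BASE}/authz/protection/permission/ticket?owner={owner_id}&granted=false&returnNames=true"
    return http("GET", url, _auth(pat), None)


def revoke_ticket(http: Http, pat: str, ticket_id: str) -> Tuple[int, Any]:
    """Item 6: revoking a ticket-based share is a DELETE of that ticket."""
    return http("DELETE", f"{BASE}/authz/protection/permission/ticket/{ticket_id}", _auth(pat), None)


class RecordingHttp:
    """Offline stand-in for a real HTTP client: records each request, returns a canned reply."""
    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers["Authorization"], body))
        return 200, {"id": "ticket-1"}  # constructed reply, not a real Keycloak response


if __name__ == "__main__":
    http = RecordingHttp()
    share_by_policy(http, "owner-token", "album-42", ["view"], groups=["/family"])
    share_by_ticket(http, "pat-token", "album-42", "user-bob", "view", granted=False)
    for method, url, _, _ in http.calls:
        print(method, url)
```

Swap `RecordingHttp` for a function that performs the request with your HTTP library of choice to run it against a live realm.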

