[keycloak-user] Manage Access to Resources via own App

Pedro Igor Silva psilva at redhat.com
Tue Dec 10 14:27:44 EST 2019


It should be `/{realm}/account/resources`. The API is under development
though and I'm not sure if we have documented how to enable it.

AFAIK, you need to start your server with the
`keycloak.profile.feature.account_api` feature.

But as we discussed, all the functionality you are looking for can also be
achieved through the other option.

On Tue, Dec 10, 2019 at 8:20 AM David Sautter <
David.Sautter at rohde-schwarz.com> wrote:

> Hello Pedro,
>
> thank you very much, that is indeed helpful.
>
> One thing is still missing in my picture: What is the whole URL path to
> the Resources Service?
>
> Thanks!
>
> Kind regards / Best Regards,
> *David Sautter*
>
> Rohde & Schwarz GmbH & Co. KG
> Postbox 80 14 69, D-81614 Muenchen
> Dept. 1DS5
>
> Phone: +49 89 4129 15256
> Email: David.Sautter at rohde-schwarz.com
>
> The content of this e-mail is intended exclusively for the intended
> recipient(s). It may contain information that is confidential and/or
> legally protected. Any viewing, forwarding, distribution or use by persons
> or entities other than the intended recipient is prohibited.
> If you have received this e-mail in error, please inform the sender and
> delete the material from your computer.
>
> If you are not the intended recipient of this message, you are hereby
> notified that any dissemination, use or distribution of this message is
> unauthorized and prohibited. Please immediately notify the sender that you
> have received this message and destroy the original.
> Although this message has been checked for viruses, it is not guaranteed
> to be virus-free. You are strongly advised to perform another virus check
> of any attachment before opening it.
>
> Executive Board: Christian Leicher (Chairman), Peter Riedel, Company's
> Place of Business: München, Commercial Register No.: HRA 16 270,
> Personally Liable Partner: RUSEG Verwaltungs-GmbH, Company's Place of
> Business: München, Commercial Register No.: HRB 7 534, VAT Identification
> No.: DE 130 256 683, WEEE Register No.: DE 240 437 86
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Tuesday, December 10, 2019 11:35 AM
> *To:* Sautter David 1DS5 <David.Sautter at rohde-schwarz.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* *EXT* Re: Re: [keycloak-user] Manage Access to Resources via
> own App
>
> On Tue, Dec 10, 2019 at 6:40 AM David Sautter <
> David.Sautter at rohde-schwarz.com> wrote:
>
> Hi Pedro,
>
> thank you very much for your reply.
>
> I took a look at the endpoints and now wonder what the correct URL of each
> of those is:
>
> 1. show Resources shared with me:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java#L87
>
> +1
>
> 2. show Resources shared with others (and show with whom it is
> shared):
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java#L106
>
> +1
>
> 3. Query Resource with specific attribute set to a specific value
> (not found)
>
> Not supported. The Account REST API provides some basic filter parameters
> (e.g.: name) and we have this
> https://www.keycloak.org/docs/latest/authorization_services/index.html#getting-permission-tickets.
> None of them provide support for querying based on attributes.
>
> 4. Show waiting permission requests:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java#L169
>
> +1
>
> 5. Grant a new scope-based permission to another user on a specific
> Resource:
>
> Both should work, but depend on what you want to do ...
>
> is it this?
> https://www.keycloak.org/docs/latest/authorization_services/index.html#associating-a-permission-with-a-resource
>
> This endpoint allows you to create permissions for user-owned resources
> without having to go through the whole UMA flow (using a permission
> ticket). It provides a "share" behavior but using different policies such
> as roles, group, etc. So that you can share, for instance, the user
> resource with a group of users, a single user, etc.
>
> Permissions created here are automatically granted (no approval) and can
> be revoked by the resource owner.
>
> or rather this?
> https://www.keycloak.org/docs/latest/authorization_services/index.html#creating-permission-ticket-2
>
> This one allows you to create the UMA permissions just like you were when
> doing the UMA flow. It is a user-2-user sharing (differently than the other
> one that allows you to define different policies).
>
> which one is associated to the waiting permission requests from 4.?
>
> The second one. But like I said, permissions created through #1 can be
> *revoked* anytime by the user too.
>
> 6. Revoke a granted permission:
> correct?
> https://www.keycloak.org/docs/latest/authorization_services/index.html#deleting-permission-ticket
>
> +1
>
> It would be very nice if you could clarify those points. Thank you very
> much!
>
> Kind regards / Best Regards,
> *David Sautter*
>
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Thursday, December 5, 2019 7:11 PM
> *To:* Sautter David 1DS5 <David.Sautter at rohde-schwarz.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* *EXT* Re: [keycloak-user] Manage Access to Resources via own
> App
>
> Hi David,
>
> You can take a look at the work that has been done so far to the new
> account console, which now relies on an API [1] (documentation is a WIP) to
> manage resources.
>
> From our doc side, I would suggest you look here:
>
> * https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_api
> * https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz
>
> [1]
> https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/services/resources/account/resources
>
> Regards.
>
> Pedro Igor
>
> On Thu, Dec 5, 2019 at 4:33 AM David Sautter <
> David.Sautter at rohde-schwarz.com> wrote:
>
> Hello,
> I want to build an application that looks like the “My-Resources” site
> which Keycloak provides.
> It should be possible to share access to different Resources defined on
> different clients and also list those sharings etc.
> I’m trying to find the relevant endpoints I would need to call from my
> application. Is there a place where I can see the exact requests that the
> “My-Resources” site is doing (it’s server rendered…)?
>
> Kind regards / Best Regards,
> David Sautter
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
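The endpoints discussed in this thread, as an added example that is not part of the original e-mails and not Keycloak's own code: a small Python helper that builds the UMA permission-ticket URL (with the filter parameters the linked "getting permission tickets" docs describe) and the `/{realm}/account/resources` URL from Pedro's answer, prepares the "share without approval" body for point 5, does the attribute filtering of point 3 client-side since the server does not offer it, separates pending requests (point 4) from granted shares, and checks ownership before a revoke (point 6). The realm base URL, the `shared-with-me` / `shared-with-others` sub-paths and all sample JSON are assumptions constructed for this example; the sub-paths are not stated on the page.

```python
"""Helpers for the Keycloak endpoints discussed above (example code, not Keycloak's).

The account API itself must be enabled on the server, per the thread, by starting
it with the keycloak.profile.feature.account_api feature.
"""
import json
import urllib.parse
import urllib.request

# Assumption: realm base URL of a Keycloak WildFly distribution of that era.
REALM_BASE = "https://keycloak.example.test/auth/realms/demo"


def protection_ticket_url(realm_base=REALM_BASE, **query):
    """UMA permission-ticket endpoint (POST to create, GET to list, DELETE .../{id}).
    Query parameters listed in the linked docs: scopeId, resourceId, owner,
    requester, granted, returnNames, first, max. Booleans are sent lower-case."""
    url = f"{realm_base}/authz/protection/permission/ticket"
    if query:
        params = {k: (str(v).lower() if isinstance(v, bool) else v) for k, v in query.items()}
        url += "?" + urllib.parse.urlencode(params)
    return url


def account_resources_url(realm_base=REALM_BASE, view=None):
    """Account REST API path from the thread: /{realm}/account/resources.
    The two view sub-paths are an assumption (not stated on the page)."""
    url = f"{realm_base}/account/resources"
    if view is not None:
        if view not in ("shared-with-me", "shared-with-others"):
            raise ValueError(f"unknown view: {view}")
        url += "/" + view
    return url


def share_body(resource_id, requester_id, scope_name):
    """Point 5 via the permission-ticket endpoint: granted=True creates a
    user-to-user share immediately, so no approval step is pending afterwards."""
    return {"resource": resource_id, "requester": requester_id,
            "granted": True, "scopeName": scope_name}


def filter_by_attribute(resources, key, value):
    """Point 3: no server-side attribute query exists, so filter the listing locally.
    Resource attributes are a map of attribute name -> list of string values."""
    return [r for r in resources if value in r.get("attributes", {}).get(key, [])]


def pending_requests(tickets):
    """Point 4: tickets a requester created through the UMA flow stay granted=false
    until the owner approves them; these are the 'waiting permission requests'."""
    return [t for t in tickets if not t.get("granted", False)]


def revocation_allowed(ticket, caller_user_id):
    """Point 6: only the resource owner may revoke. Checking locally lets the client
    log a refused attempt instead of blindly issuing a DELETE that will be rejected."""
    return ticket.get("owner") == caller_user_id


def call(url, bearer_token, method="GET", body=None):
    """Send one request with the user's access token; only touches the network when invoked."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


# Constructed sample data shaped like protection-API responses (not captured from a real server).
SAMPLE_RESOURCES = [
    {"_id": "res-1", "name": "Album A", "owner": {"id": "alice"}, "attributes": {"classification": ["internal"]}},
    {"_id": "res-2", "name": "Album B", "owner": {"id": "alice"}, "attributes": {"classification": ["public"]}},
    {"_id": "res-3", "name": "Album C", "owner": {"id": "bob"}, "attributes": {}},
]
SAMPLE_TICKETS = [
    {"id": "t-1", "owner": "alice", "requester": "bob", "resource": "res-1", "scope": "view", "granted": True},
    {"id": "t-2", "owner": "alice", "requester": "carol", "resource": "res-1", "scope": "view", "granted": False},
]

if __name__ == "__main__":
    print(protection_ticket_url(owner="alice", granted=False, returnNames=True))
    print(account_resources_url(view="shared-with-others"))
    print([r["name"] for r in filter_by_attribute(SAMPLE_RESOURCES, "classification", "internal")])
    print([t["id"] for t in pending_requests(SAMPLE_TICKETS)])
```

To list what is still waiting for approval, call `call(protection_ticket_url(owner=<user id>, granted=False, returnNames=True), token)` with the owner's own token; the `returnNames` flag makes the response carry requester and resource names instead of only ids.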