[keycloak-user] UMA Share Resource with a User via AuthZ Client

Christian Sandmeier Christian.Sandmeier at vivai.de
Tue Jan 8 11:57:20 EST 2019


Hi All,

First of all, thanks for the great work. I have been using Keycloak in a
project for a couple of months now and really like it.

I started to try out the UMA 2.0 flow because it would be very nice to be able to share a resource with other users.

Given the following 4 steps, I don't understand why the permissions are not in the RPT token.

// Code for Steps 1 and 2 taken from here
// https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
// Code for Steps 3 and 4 taken from here
// https://www.keycloak.org/docs/latest/authorization_services/index.html#obtaining-user-entitlements


1) Creating a resource "Resource A" with owner "demo"

// getAuthzClient() is the helper from the Keycloak test suite linked above; it builds an
// AuthzClient from the resource server's keycloak.json.
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);   // UMA: the owner may share this resource with other users
resource.setOwner("demo");              // the user "demo" owns the resource
resource.addScope("Scope A");

// register the resource with the authorization server via the protection API
resource = getAuthzClient().protection().resource().create(resource);


2) Creating the user permission for user "test"

UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();

newPermission.setName("User-Managed Permission");
newPermission.setDescription("User is allowed to access");
newPermission.addScope("Scope A");
newPermission.addUser("test");          // grant "Scope A" to the user "test"

// the UMA policy API is called with the owner's credentials, so the share is created on behalf of "demo"
ProtectionResource protection = getAuthzClient().protection("demo", "demo");
UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission);


3) Get an RPT for the user "test" for all resources

AuthzClient authzClient = AuthzClient.create();   // reads keycloak.json from the classpath
// an empty request asks the server for every permission the user is entitled to
AuthorizationRequest request = new AuthorizationRequest();
AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request);
String rpt = response.getToken();


4) Listing the permissions

// introspect the RPT with the resource server's client credentials and print what it grants
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");

for (Permission granted : requestingPartyToken.getPermissions()) {
   System.out.println(granted);
}


The resource and permission are saved correctly; I can read them correctly via the AuthZ client,
but now I would assume that the permission is in the RPT of the user "test".

Is this assumption maybe already incorrect and I got a bit lost? Or is there probably a
problem in my code, because the permission should be listed there?
Btw. if I skip step 2) and instead share the resource with the user in the "Keycloak -> My Account -> My Resources" page, it works. But not
with the UmaPermissionRepresentation.

Thank you in advance

Best regards,

Christian Sandmeier
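As an added, end-to-end version of the four steps above (my own code, not from the post or from Keycloak), this class registers the resource, shares it with "test", and then checks whether the RPT that "test" obtains actually carries "Scope A" on "Resource A", once for the unscoped request from step 3 and once for a request that names the resource explicitly. It assumes a keycloak.json with the resource server's client credentials on the classpath and the users "demo"/"demo" and "test"/"test" in the realm; the helper grants() is mine.

```java
import java.util.List;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;

public class UmaShareCheck {

    // Does the introspected RPT grant `scope` on the resource named `resourceName`?
    static boolean grants(AuthzClient client, String rpt, String resourceName, String scope) {
        List<Permission> granted = client.protection().introspectRequestingPartyToken(rpt).getPermissions();
        if (granted == null) return false;
        return granted.stream().anyMatch(p -> resourceName.equals(p.getResourceName())
                && p.getScopes() != null && p.getScopes().contains(scope));
    }

    // Ask for an RPT as "test" and report whether it grants Scope A on Resource A.
    // A denied request throws instead of returning a token, so that case is reported as false.
    static boolean rptGrants(AuthzClient client, AuthorizationRequest request) {
        try {
            String rpt = client.authorization("test", "test").authorize(request).getToken();
            return grants(client, rpt, "Resource A", "Scope A");
        } catch (AuthorizationDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumption: keycloak.json (resource server client credentials) is on the classpath.
        AuthzClient client = AuthzClient.create();

        ResourceRepresentation resource = new ResourceRepresentation();   // step 1
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("demo");
        resource.addScope("Scope A");
        resource = client.protection().resource().create(resource);

        UmaPermissionRepresentation share = new UmaPermissionRepresentation();  // step 2, as owner "demo"
        share.setName("User-Managed Permission");
        share.addScope("Scope A");
        share.addUser("test");
        client.protection("demo", "demo").policy(resource.getId()).create(share);

        // step 3/4 as in the post: unscoped request, then a request naming the resource (a diagnostic, not a fix)
        System.out.println("all-resources RPT grants Scope A: " + rptGrants(client, new AuthorizationRequest()));
        AuthorizationRequest scoped = new AuthorizationRequest();
        scoped.addPermission(resource.getId(), "Scope A");
        System.out.println("resource-scoped RPT grants Scope A: " + rptGrants(client, scoped));
    }
}
```

Comparing the two results tells you whether the share is missing from the RPT altogether or only absent from the "all resources" response.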

