Authorization REST API Documentation


David Buhler

Apr 29, 2021, 5:21:07 PM
to Keycloak User

I do not see any documentation around the authorization services for resource servers in the REST API docs:


I've been trying to capture network requests and comb through the code interfaces but this is quite cumbersome.

Kind regards,
David

Garth

Apr 30, 2021, 2:59:17 AM
to keyclo...@googlegroups.com
https://www.keycloak.org/docs/latest/authorization_services/#_service_overview

David Buhler

Apr 30, 2021, 6:19:37 PM
to Keycloak User
Thank you for the link, but I believe that document is incomplete. It provides a basic description of how the API may be used, but an API should be well defined through interface contracts. Many of these are backed by the UMA standard, but as far as I can tell there are sort of Keycloak-specific APIs for assigning policies and permissions.

Garth

May 1, 2021, 11:20:33 AM
to keyclo...@googlegroups.com
As far as I've found, that is the only documentation available. I have asked this mailing list and the Keycloak discourse for resources, documentation and examples of Authorization Services use cases, and have generally come up nil. While powerful (at least from what I have figured out), it appears to be a somewhat neglected corner of Keycloak from a documentation and example perspective.

Pedro Igor Craveiro e Silva

May 4, 2021, 6:34:15 PM
to Garth, keyclo...@googlegroups.com
You are right, it is an area we need to improve. Probably through OpenAPI.



Garth

May 5, 2021, 3:24:07 AM
to keyclo...@googlegroups.com
Thanks Pedro!

I’d love to see a comprehensive example if one is available to share. For my part, I learn best from examples.

Pedro Igor Craveiro e Silva

May 5, 2021, 10:44:58 AM
to Garth, keyclo...@googlegroups.com
Could you tell me what examples and use cases you want there? So I can prepare something.

David Buhler

May 5, 2021, 10:58:55 AM
to Keycloak User
For my part, I'd like to see examples for how resources, policies (user, group and role) and permissions (scope and resource) are created.

Using OpenAPI spec for the API definitions would be a very positive improvement. There are a lot of tools around this spec that make consuming the API easier without having to use official SDKs.

Thanks.

Pedro Igor Craveiro e Silva

May 5, 2021, 1:56:54 PM
to David Buhler, Keycloak User
On Wed, May 5, 2021 at 11:58 AM David Buhler <buh...@blackduckcloud.com> wrote:
> For my part, I'd like to see examples for how resources, policies (user, group and role) and permissions (scope and resource) are created.

In regards to resource management, we have some examples using the Protection API. See https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_api.

But if you are more interested in the Admin API instead, then we have nothing.

The same goes for policies, to which we have some examples. See https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_uma_policy_api. But we don't have anything related to the Admin API.

So, I guess the examples and doc you are looking for are related to the Admin API?
 

David Buhler

May 11, 2021, 6:54:04 PM
to Keycloak User
Yes, I am interested in the Admin API. Perhaps even a definition of the Protection API as well -- examples are good but it'd be nice to have a formal definition of the API to understand things like:
* Field information (name, type, requirements)
* Response codes
* Error conditions

The UMA protocol standard doesn't seem to be opinionated on the permission or policy APIs. Having implementation details from Keycloak would be great.

Thanks,
David

Pedro Igor Craveiro e Silva

May 12, 2021, 8:39:59 AM
to David Buhler, Keycloak User

Are you using Java? Perhaps you can look at the Java Admin Client API? See https://www.keycloak.org/docs/latest/server_development/#example-using-java.

Not yet the solution (it also lacks doc), but it should help a lot when managing authorization settings for a client. You should expect all endpoints there.
