We currently use Keycloak to protect data resources created and managed by various microservices. Keycloak resources are owned by the service client, with scopes granted to users via user policies. We are looking to allow users to share scopes directly with other users, and we are evaluating Keycloak 4 with UMA 2.0 permissions to accomplish this.
It appears we cannot use UMA 2.0 to dynamically grant scopes to resources owned by a service client, however. The permission ticketing succeeds when granting a service-client-owned resource scope to a user. However, when evaluating permissions, Keycloak's PolicyEvaluationService breaks when trying to get the identity of the service client. Specifically, PolicyEvaluationResponseBuilder.toRepresentation(...) returns a null owner @197:
Eventually, getting the owner name/email throws an NPE, and is caught and translated to an evaluation error:
And any subsequent permission evaluations for that resource will similarly fail, regardless of the user the permissions are evaluated for. The remedy for the moment is to simply delete the offending permission ticket.
UMA perms for service-client-owned resources seem mostly functional, presuming this is a use case Keycloak wants to support.
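The flow the report describes, as an added reproduction and diagnosis helper that is not part of the original report or of Keycloak itself: the service client obtains a PAT, creates a permission ticket granting one scope on its resource to a user, then asks the token endpoint for an RPT, which is where the evaluation error appears. It classifies the RPT response so an operator can tell an ordinary denial from a broken evaluation, and applies the remedy the report gives (deleting the offending ticket). Assumed and labelled in the code: the Keycloak 4 `/auth` URL prefix, the Protection API `permission/ticket` endpoint and its JSON fields, the `uma-ticket` grant type, and the shape of the denial response. Network calls happen only in `main()` when the environment variables named there are set.

```python
"""Added example: UMA 2.0 ticket grant + RPT evaluation check against Keycloak 4.
Endpoint paths and JSON field names are assumptions documented in comments."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRANT_UMA_TICKET = "urn:ietf:params:oauth:grant-type:uma-ticket"  # RFC-style grant used by UMA 2.0


def token_url(base, realm):
    # Keycloak 4 serves realms under /auth (assumption; later versions drop the prefix)
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"


def ticket_url(base, realm, ticket_id=None):
    # Protection API permission-ticket endpoint (assumption based on Keycloak docs)
    url = f"{base}/auth/realms/{realm}/authz/protection/permission/ticket"
    return f"{url}/{ticket_id}" if ticket_id else url


def pat_request(client_id, client_secret):
    # Protection API token (PAT): client credentials of the resource-server client
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def grant_ticket_body(resource_id, requester_user_id, scope_name):
    # Ticket granting one scope on one service-client-owned resource to one user
    # (field names are an assumption)
    return {"resource": resource_id, "requester": requester_user_id,
            "scopeName": scope_name, "granted": True}


def rpt_request(audience, resource_id, scope_name):
    # Ask the token endpoint to evaluate permissions and issue an RPT
    return {"grant_type": GRANT_UMA_TICKET, "audience": audience,
            "permission": f"{resource_id}#{scope_name}"}


def classify_rpt_response(status, body):
    """Return 'granted', 'denied' or 'evaluation_error'.
    A normal denial is HTTP 403 / error=access_denied (assumed shape); anything
    else that is not a token is treated as the evaluation failure the report describes."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if status == 200 and "access_token" in data:
        return "granted"
    if status == 403 or data.get("error") == "access_denied":
        return "denied"
    return "evaluation_error"


def _send(url, method, payload=None, bearer=None, form=False):
    # Minimal HTTP helper returning (status, body); never raises on HTTP errors
    headers = {}
    data = None
    if payload is not None:
        if form:
            data = urllib.parse.urlencode(payload).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        else:
            data = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def main():
    # Only runs against a live server when configuration is supplied via the environment
    base, realm = os.environ.get("KEYCLOAK_URL"), os.environ.get("KEYCLOAK_REALM")
    if not base or not realm:
        print("set KEYCLOAK_URL and KEYCLOAK_REALM (plus client/resource/user vars) to run live")
        return
    cid, secret = os.environ["SERVICE_CLIENT_ID"], os.environ["SERVICE_CLIENT_SECRET"]
    resource, user, scope = os.environ["RESOURCE_ID"], os.environ["USER_ID"], os.environ["SCOPE"]
    _, body = _send(token_url(base, realm), "POST", pat_request(cid, secret), form=True)
    pat = json.loads(body)["access_token"]
    _, body = _send(ticket_url(base, realm), "POST", grant_ticket_body(resource, user, scope), bearer=pat)
    ticket_id = json.loads(body).get("id")
    # The RPT request should carry the requesting user's access token (assumption: USER_TOKEN)
    status, body = _send(token_url(base, realm), "POST", rpt_request(cid, resource, scope),
                         bearer=os.environ.get("USER_TOKEN"), form=True)
    verdict = classify_rpt_response(status, body)
    print("RPT evaluation:", verdict)
    if verdict == "evaluation_error" and ticket_id:
        # Remedy from the report: remove the ticket so later evaluations stop failing
        print("deleting ticket", ticket_id, _send(ticket_url(base, realm, ticket_id), "DELETE", bearer=pat))


if __name__ == "__main__":
    main()
```

Run it with the environment variables set to point at a test realm; with none set it only prints a hint, so the builder and classifier functions can be exercised offline.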