support parameters like "uri" and "matchingUri" in the UMA grant token endpoint #15947

Closed
y-tabata opened this issue Dec 12, 2022 · 2 comments · Fixed by #20237
Labels
kind/enhancement Categorizes a PR related to an enhancement

Comments

@y-tabata
Contributor

Description

Currently, the Authorization service not only returns an RPT (including the whole list of permissions) but can also return only a decision like {'result': true} if response_mode = decision is specified in the UMA grant token request. To do so, clients need to send the token request with "rsid" in its permission parameter. The "rsid" is a unique ID decided by Keycloak, so clients need to get the "rsid" by calling the resource_set API with something like a PAT.
We'd like to avoid this extra communication. So we propose to support parameters like "uri" and "matchingUri" in the UMA grant token endpoint.
WDYT?

Discussion

No response

Motivation

No response

Details

No response

@y-tabata added the kind/enhancement and status/triage labels Dec 12, 2022
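
The two-call flow described in the issue above, as an added example that is not part of the thread or of Keycloak's code base: a PAT-authenticated `resource_set` lookup to turn a URI into an "rsid", then the UMA grant request with `response_mode=decision`. The endpoint paths follow Keycloak's documented layout; the host, realm, client, tokens, resource ID and the `fake_keycloak` stand-in are constructed so the block runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def lookup_request(base, realm, pat, uri):
    """Call 1: resolve a URI to Keycloak's internal resource ID ("rsid") using a PAT."""
    query = urlencode({"uri": uri, "matchingUri": "true"})
    return {"method": "GET",
            "url": f"{base}/realms/{realm}/authz/protection/resource_set?{query}",
            "headers": {"Authorization": f"Bearer {pat}"},
            "body": None}

def decision_request(base, realm, access_token, audience, rsid, scope):
    """Call 2: UMA grant asking for a yes/no decision instead of a full RPT."""
    form = {"grant_type": UMA_GRANT, "audience": audience,
            "permission": f"{rsid}#{scope}", "response_mode": "decision"}
    return {"method": "POST",
            "url": f"{base}/realms/{realm}/protocol/openid-connect/token",
            "headers": {"Authorization": f"Bearer {access_token}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}

def is_allowed(send, base, realm, pat, access_token, audience, uri, scope):
    """Run both calls through `send`; anything but an explicit true is a deny."""
    ids = send(lookup_request(base, realm, pat, uri))
    if not isinstance(ids, list) or len(ids) != 1:
        return False  # unknown or ambiguous URI: fail closed
    answer = send(decision_request(base, realm, access_token, audience, ids[0], scope))
    return isinstance(answer, dict) and answer.get("result") is True

def fake_keycloak(req):
    """Constructed stand-in for the server (hypothetical data, no network)."""
    if req["method"] == "GET":
        uri = parse_qs(urlsplit(req["url"]).query)["uri"][0]
        return ["rs-0001"] if uri == "/api/orders/1" else []
    perm = parse_qs(req["body"])["permission"][0]
    # Denial is modelled as an error body rather than {"result": false}.
    return {"result": True} if perm == "rs-0001#view" else {"error": "access_denied"}

if __name__ == "__main__":
    args = ("https://kc.example", "demo", "PAT", "USER_TOKEN", "orders-api")
    for uri, scope in [("/api/orders/1", "view"), ("/api/orders/1", "delete"),
                       ("/api/unknown", "view")]:
        print(uri, scope, is_allowed(fake_keycloak, *args, uri, scope))
```

The resource server has to hold a PAT and make the first call on every uncached URI, which is the extra round trip the issue proposes to remove.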
@coreyperkins

@y-tabata I have a use case for this as well.

I am updating a dotnet API to use Keycloak for authorization. My current implementation is based off of one of the popular dotnet SDKs for Keycloak. I store Resource & Scope on a custom attribute on each endpoint. Then, at run-time, Resource & Scope are snagged off of the custom attribute and used in the UMA request to get a decision like so: {Resource}#{Scope}. This works and it's a simple solution, but I would love to be able to do away with as much code as possible.

My thinking is that when making the UMA request, if I could pass URI instead of Resource Name, I could avoid having to decorate my endpoints with Resource & Scope. On the Keycloak side this would require a lookup to match the URI to a Resource on the UMA request. Also, in this scenario I believe I could base my scopes on URI + HttpMethod as well.

Overall, this would make integration with dotnet apps very, very lean. As it could with apps built in golang or nodejs.

Looking forward to feedback.

Thanks!

Corey

y-tabata added a commit to Hitachi/keycloak that referenced this issue May 9, 2023
y-tabata added a commit to Hitachi/keycloak that referenced this issue May 10, 2023
y-tabata added a commit to Hitachi/keycloak that referenced this issue May 12, 2023
y-tabata added a commit to Hitachi/keycloak that referenced this issue May 15, 2023
y-tabata added a commit to Hitachi/keycloak that referenced this issue May 16, 2023
y-tabata added a commit to Hitachi/keycloak that referenced this issue May 23, 2023
y-tabata added a commit to Hitachi/keycloak that referenced this issue May 27, 2023
@ghost ghost removed the status/triage label May 29, 2023
@renanalvesdasilvadevkabum

Hello!

I'm interested in this feature, when will it be released?

@stianst stianst added this to the 22.0.0 milestone Jul 11, 2023