Everything above the ###### I can do/did and did find documentation for it. Below the ##### is where it is murky for me.
1. Given:
User alice
and: Resource a1 (with resource scopes a1_s1, a1_s2), owned by alice
and: User bob
and: Resource server rsvr1
and: Keycloak instance as1
2. When:
bob tries to access a1_s1 from rsvr1
Then:
bob gets a 403 with a uri to as1 + permission ticket pt1 in the headers, as per UMA2
3. When:
bob tries to get an RPT from as1 for a1_s1 with pt1
Then:
bob gets a 403 - error description request_submitted
#####################################################
4. When:
alice lists resources owned by her
Then:
She gets the list
5. When:
alice lists resource / scope requests
Then:
She gets the list
and: One item includes bob’s request for a1_s1
6. When:
alice accepts / denies a request
Then:
The request gets accepted / denied
7. When:
alice accepted the request to a1_s1
and: bob lists resources/scopes shared with him
Then:
Bob gets the list
and: One of the items in the list is a1_s1
8. When:
alice revokes her earlier acceptance to a1_s1
and: bob lists resources/scopes shared with him
Then:
Bob gets the list
and: a1_s1 is no longer in the list
Discussion:
For 4 - 8, inspecting the API calls made on the KC web application I see those are full HTTP page returns, not REST/JSON calls.
4 I can sort of do in the resource server by getting a PAT and then returning the list.
5 to 8 is really lost on me. I can’t find anything in the documentation.
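
The exchange in steps 2 and 3 as seen from bob's client, as an added example that is not part of the original post and not Keycloak's own code. It assumes the challenge arrives in the UMA 2.0 `WWW-Authenticate: UMA ...` form; the function names, the `expected_as` pinning check and the sample values are hypothetical and constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"  # grant type defined by UMA 2.0

def parse_uma_challenge(www_authenticate, expected_as):
    """Parse a 'WWW-Authenticate: UMA ...' value and return (as_uri, ticket)."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    if scheme.lower() != "uma":
        raise ValueError("not a UMA challenge")
    params = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', rest))
    as_uri, ticket = params.get("as_uri"), params.get("ticket")
    if not as_uri or not ticket:
        raise ValueError("challenge lacks as_uri or ticket")
    # Added check (assumption): only use the authorization server the client is configured for,
    # so a header from an unexpected resource server cannot redirect the ticket elsewhere.
    if as_uri.rstrip("/") != expected_as.rstrip("/"):
        raise ValueError("as_uri does not match the configured authorization server")
    return as_uri, ticket

def rpt_request_body(ticket):
    """Form body for the RPT request sent to the authorization server's token endpoint."""
    return urlencode({"grant_type": UMA_GRANT, "ticket": ticket})

def classify_rpt_response(status, body):
    """Map the token endpoint reply to 'granted', 'pending_owner_approval' or 'denied'."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    if status == 200 and "access_token" in doc:
        return "granted"
    # Step 3 of the post: request_submitted means the owner (alice) still has to decide.
    if "request_submitted" in (doc.get("error"), doc.get("error_description")):
        return "pending_owner_approval"
    return "denied"

# Constructed sample values matching the names used in the post (as1, pt1).
SAMPLE_CHALLENGE = 'UMA realm="demo", as_uri="https://as1.example/realms/demo", ticket="pt1"'
SAMPLE_STEP3_BODY = '{"error": "access_denied", "error_description": "request_submitted"}'

if __name__ == "__main__":
    as_uri, ticket = parse_uma_challenge(SAMPLE_CHALLENGE, "https://as1.example/realms/demo")
    print(as_uri, rpt_request_body(ticket))
    print(classify_rpt_response(403, SAMPLE_STEP3_BODY))
```
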