
[KEYCLOAK-7021] - keycloak-authz.js and keycloak-authz.d.ts

4/20/2018 8:05:14 PM


diff --git a/adapters/oidc/js/src/main/resources/keycloak-authz.d.ts b/adapters/oidc/js/src/main/resources/keycloak-authz.d.ts
index c7e0b2f..0cabfc4 100644
--- a/adapters/oidc/js/src/main/resources/keycloak-authz.d.ts
+++ b/adapters/oidc/js/src/main/resources/keycloak-authz.d.ts
@@ -18,7 +18,7 @@
  * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
-import * as Keycloak from 'keycloak';
+import * as Keycloak from './keycloak';
 
 export as namespace KeycloakAuthorization;
 
@@ -35,6 +35,64 @@ declare namespace KeycloakAuthorization {
 		then(onGrant: (rpt: string) => void, onDeny: () => void, onError: () => void): void;
 	}
 
+    interface AuthorizationRequest {
+        /**
+         * An array of objects representing the resource and scopes.
+         */
+        permissions?:ResourcePermission[],
+
+        /**
+         * A permission ticket obtained from a resource server when using UMA authorization protocol.
+         */
+        ticket?:string,
+
+        /**
+         * A boolean value indicating whether the server should create permission requests to the resources
+         * and scopes referenced by a permission ticket. This parameter will only take effect when used together
+         * with the ticket parameter as part of a UMA authorization process.
+         */
+        submitRequest?:boolean,
+
+        /**
+         * Defines additional information about this authorization request in order to specify how it should be processed
+         * by the server.
+         */
+        metadata?:AuthorizationRequestMetadata,
+
+        /**
+         * Defines whether or not this authorization request should include the current RPT. If set to true, the RPT will
+         * be sent and permissions in the current RPT will be included in the new RPT. Otherwise, only the permissions referenced in this
+         * authorization request will be granted in the new RPT.
+         */
+        incrementalAuthorization?:boolean
+    }
+
+    interface AuthorizationRequestMetadata {
+        /**
+         * A boolean value indicating to the server if resource names should be included in the RPT’s permissions.
+         * If false, only the resource identifier is included.
+         */
+        responseIncludeResourceName?:any,
+
+        /**
+         * An integer N that defines a limit for the amount of permissions an RPT can have. When used together with
+         * rpt parameter, only the last N requested permissions will be kept in the RPT.
+         */
+        response_permissions_limit?:number
+    }
+
+    interface ResourcePermission {
+        /**
+         * The id or name of a resource.
+         */
+        id:string,
+
+        /**
+         * An array of strings where each value is the name of a scope associated with the resource.
+         */
+        scopes?:string[]
+    }
+
 	interface KeycloakAuthorizationInstance {
 		rpt: any;
 		config: { rpt_endpoint: string };
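Review bot: `responseIncludeResourceName?:any` in the new `AuthorizationRequestMetadata` interface is documented as a boolean flag but typed `any`, so the checker accepts any value where the doc promises true/false; `responseIncludeResourceName?: boolean` would make the type match its own comment. The same interface mixes naming styles (`responseIncludeResourceName` next to `response_permissions_limit`) — if the snake_case name mirrors the wire parameter, a short comment saying so would explain the inconsistency, otherwise one convention should win. The new interfaces also separate members with commas while the surrounding declarations in this file use semicolons.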
@@ -42,18 +100,23 @@ declare namespace KeycloakAuthorization {
 		init(): void;
 
 		/**
-		 * This method enables client applications to better integrate with resource servers protected by a Keycloak
-		 * policy enforcer.
-		 *
-		 * In this case, the resource server will respond with a 401 status code and a WWW-Authenticate header holding the
-		 * necessary information to ask a Keycloak server for authorization data using both UMA and Entitlement protocol,
-		 * depending on how the policy enforcer at the resource server was configured.
-		 */
-		authorize(wwwAuthenticateHeader: string): KeycloakAuthorizationPromise;
+         * This method enables client applications to better integrate with resource servers protected by a Keycloak
+         * policy enforcer using UMA protocol.
+         *
+         * The authorization request must be provided with a ticket.
+         *
+         * @param authorizationRequest An AuthorizationRequest instance with a valid permission ticket set.
+         * @returns A promise to set functions to be invoked on grant, deny or error.
+         */
+		authorize(authorizationRequest: AuthorizationRequest): KeycloakAuthorizationPromise;
 
 		/**
 		 * Obtains all entitlements from a Keycloak server based on a given resourceServerId.
+         *
+         * @param resourceServerId The id (client id) of the resource server to obtain permissions from.
+         * @param authorizationRequest An AuthorizationRequest instance.
+         * @returns A promise to set functions to be invoked on grant, deny or error.
 		 */
-		entitlement(resourceServerId: string, entitlementRequest: {}): KeycloakAuthorizationPromise;
+		entitlement(resourceServerId: string, authorizationRequest?: AuthorizationRequest): KeycloakAuthorizationPromise;
 	}
 }
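Review bot: The new doc on `authorize` states that the request must carry a ticket, but `AuthorizationRequest.ticket` is declared optional, so the type does not enforce what the comment requires. Either say in the `@param` line what happens when `ticket` is absent, or narrow the parameter so the compiler checks it: `authorize(authorizationRequest: AuthorizationRequest & { ticket: string }): KeycloakAuthorizationPromise;`. The added doc block is indented with spaces while the signature line and the rest of this declaration use tabs.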
diff --git a/adapters/oidc/js/src/main/resources/keycloak-authz.js b/adapters/oidc/js/src/main/resources/keycloak-authz.js
index 5237273..aa71872 100644
--- a/adapters/oidc/js/src/main/resources/keycloak-authz.js
+++ b/adapters/oidc/js/src/main/resources/keycloak-authz.js
@@ -41,11 +41,9 @@
 
         /**
          * This method enables client applications to better integrate with resource servers protected by a Keycloak
-         * policy enforcer.
+         * policy enforcer using UMA protocol.
          *
-         * In this case, the resource server will respond with a 401 status code and a WWW-Authenticate header holding the
-         * necessary information to ask a Keycloak server for authorization data using both UMA and Entitlement protocol,
-         * depending on how the policy enforcer at the resource server was configured.
+         * The authorization request must be provided with a ticket.
          */
         this.authorize = function (authorizationRequest) {
             this.then = function (onGrant, onDeny, onError) {
@@ -205,6 +203,8 @@
         };
 
         this.init(this);
+
+        return this;
     };
 
     if ( typeof module === "object" && module && typeof module.exports === "object" ) {
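Review bot: The added `return this;` has no effect when the enclosing constructor function is invoked with `new`, since `new` already yields the constructed object; if it was added so the function can also be called without `new`, `this` in that call would be whatever the caller bound (the global object, or `undefined` in strict mode) rather than a fresh instance, which is presumably not the intent. A one-line comment stating which call pattern the explicit return is meant to support would make the purpose clear to the next reader. The enclosing function starts before this hunk, so its header and any `new`-guard it may contain are not visible here.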