[keycloak-user] Authorization transfer
Corentin Dupont
corentin.dupont at gmail.com
Mon Nov 20 06:10:19 EST 2017
Thanks for the answer.
My plan is to make authorizations based on groups of resources, that we
call "domains".
Basically, when a user creates a resource, he can decide to put it in an
existing domain.
The URL reflects that domain:
http://www.example.com/api/v1/domains/mydomain/houses/myhouse
The user can also create domains with the domains endpoint:
POST http://www.example.com/api/v1/domains/
What is not clear for me is how users can get access to domains.
Probably users can have an attribute "domains", with the list of domains
they have access to?
Or should a domain be represented in Keycloak as a resource?
In this case, should we create roles to access that domain?
For example, the role "admin-mydomain" ?
Or should it be implemented with user groups in Keycloak? Or with User
policies?
On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> Right now you can't do it. This is all about the work we are doing to
> better support UMA protocol. Soon you'll be able to let your users to
> manage their resources (and their policies) from Keycloak Account Service,
> grant and revoke access to other users, authorization flows. We are really
> missing this.
>
> However, I think you can try to use the Policy Management API. It provides
> a RESTful API that you can use to manage permissions and policies. As an
> example https://github.com/pedroigor/keycloak/blob/
> cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/
> integration-arquillian/tests/base/src/test/java/org/
> keycloak/testsuite/admin/client/authorization/
> UserPolicyManagementTest.java. There are other tests in the same package
> for other permission and policy types.
>
> Please, let me know about your achievements if you start doing something
> with the Policy Management API. Any feedback is welcome and will probably
> help with the work I mentioned before around UMA.
>
> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Hi guys,
>> is it possible for an application user to grant some authorizations to
>> another user?
>> For example in the photoz example, how can I give access to my albums to
>> another user?
>> What would be the mechanism?
>>
>> Thanks a lot
>> Corentin
>>
>
>
More information about the keycloak-user
mailing list