[keycloak-user] Authorization transfer

Pedro Igor Silva psilva at redhat.com
Tue Nov 21 07:51:29 EST 2017

Resources have a *type* field that can be used to group resources.
Permissions granted to a "typed resource" (which is created with the
resource server itself as the owner) applies to any other resource with the
same type and owned by an user. Think about a "typed resource" as a
general/parent resource.

If you have a "mydomain" typed resource and a "myhouse" resource, sharing
the same type, any permission you apply to "mydomain" is going to be
applied to "myhouse".

Does it makes sense ?

On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <corentin.dupont at gmail.com>

> Thanks for the answer.
> My plan is to make authorizations based on groups of resources, that we
> call "domains".
> Basically, when a user creates a resource, he can decide to put it in an
> existing domain.
> The URL reflects that domain:
> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
> The user can also create domains with the domains endpoint:
> POST http://www.example.com/api/v1/domains/
> What is not clear for me is how users can get access to domains.
> Probably users can have an attribute "domains", with the list of domains
> they have access to?
> Or should a domain be represented in Keycloak as a resource?
> In this case, should we create roles to access that domain?
> For example, the role "admin-mydomain" ?
> Or should it be implemented with user groups in Keycloak? Or with User
> policies?
> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>> Right now you can't do it. This is all about the work we are doing to
>> better support UMA protocol. Soon you'll be able to let your users to
>> manage their resources (and their policies) from Keycloak Account Service,
>> grant and revoke access to other users, authorization flows. We are really
>> missing this.
>> However, I think you can try to use the Policy Management API. It
>> provides a RESTful API that you can use to manage permissions and policies.
>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9
>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-
>> arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/
>> authorization/UserPolicyManagementTest.java. There are other tests in
>> the same package for other permission and policy types.
>> Please, let me know about your achievements if you start doing something
>> with the Policy Management API. Any feedback is welcome and will probably
>> help with the work I mentioned before around UMA.
>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>> Hi guys,
>>> is it possible for an application user to grant some authorizations to
>>> another user?
>>> For example in the photoz example, how can I give access to my albums to
>>> another user?
>>> What would be the mechanism?
>>> Thanks a lot
>>> Corentin

More information about the keycloak-user mailing list