[keycloak-user] Authorization transfer

Pedro Igor Silva psilva at redhat.com
Wed Nov 22 06:22:14 EST 2017


On Tue, Nov 21, 2017 at 7:13 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> In parallel with the domains authorizations, I have other policies, such
> as "owner" policies (similar to the photoz example).
> I coded the owner policy with javascript:
>
> var context = $evaluation.getContext();
> var permission = $evaluation.getPermission();
> var identity = context.getIdentity();
> if (identity.id == permission.getResource().getOwner()) {
>     $evaluation.grant();
> }
>
> But it leads to this result when evaluating a user:
>
> Result: DENY
>
> Policies:
> - Can access domain
> <http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/permission/resource/7323164c-3009-4cf8-9a48-b37cf009d2fe>
> decision was PERMIT by UNANIMOUS decision.
>
>    - Users in domain
>    <http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/policy/user/ef112bc8-c7a8-4300-be92-d0c9d0300971>
>    voted to PERMIT.
>
> - Can delete MyHouse
> <http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/permission/scope/53278490-b9c8-41f6-b2a5-bef5a0be6e73>
> decision was DENY by UNANIMOUS decision.
>
>    - owner can access
>    <http://localhost:8080/auth/admin/master/console/#/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/policy/js/762cf51c-9ff1-4b44-ba79-6890189db0f2>
>    voted to DENY.
>
>
> The two permissions are overlapping, so it seems normal that both got
> evaluated.
> But why did the java policy ("Grant_owner") vote DENY?
> I didn't explicitly mention the deny in the code...
>

By default, if your policy doesn't call either deny or grant, the result is
a DENY.


> I think that if you are the owner, you should be granted. But if you are
> not the owner, no decision can be taken by the policy...
>

You need to check who is the owner of your resource. I guess the "Can
delete MyHouse" is a permission for some "delete" scope you have. Because
you got a DENY, it does not necessarily mean that you won't get the
sub-set of permissions that were granted. When using the Policy Evaluation
Tool, take a look at a link on the results page that is called "Show
Authorization Data". Once you click this link, you will be presented with a
page that shows how an RPT would look, with the permissions actually
granted during the evaluation.


>
> On Tue, Nov 21, 2017 at 6:54 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>>
>> I see, so I need to create "mydomain" as a resource.
>> But what should be the type for both "mydomain" and "myhouse"? Should it
>> be something like "domain:mydomain"?
>>
>> What I would like is to grant different access to users to that domain.
>> For example: user Bob can only view resources in domain "mydomain".
>> User Alice can view and delete resources in "mydomain".
>> Should I create a "User Policy" with the list of users that have access?
>>
>> If I understand, I need to use the "resource-based" permission. However
>> it does not seem to let me select the scopes (as in my example: Bob can
>> only view, but Alice can delete).
>>
>> Another question: how to invoke the API for typed resources?
>> I have:
>> curl -X POST -H "Content-Type: application/json" -H "Authorization:
>> Bearer $TOKEN" -d '{
>>     "permissions" : [
>>         {
>>             "resource_set_name" : "Sensors",
>>             "scopes" : [
>>                 "view"
>>             ]
>>         }
>>     ]
>> }'  "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>
>> But this uses the name of the resource, so I am not sure. Is there a
>> reference for this API?
>>
>> Thanks a lot
>> PS. I found some minor bugs related to the API, should I report them here
>> or create a JIRA?
>>
>>
>>
>> On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Resources have a *type* field that can be used to group resources.
>>> Permissions granted to a "typed resource" (which is created with the
>>> resource server itself as the owner) apply to any other resource with the
>>> same type and owned by a user. Think about a "typed resource" as a
>>> general/parent resource.
>>>
>>> If you have a "mydomain" typed resource and a "myhouse" resource,
>>> sharing the same type, any permission you apply to "mydomain" is going to
>>> be applied to "myhouse".
>>>
>>> Does it make sense?
>>>
>>> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Thanks for the answer.
>>>> My plan is to make authorizations based on groups of resources, that we
>>>> call "domains".
>>>> Basically, when a user creates a resource, he can decide to put it in
>>>> an existing domain.
>>>> The URL reflects that domain:
>>>>
>>>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>>>>
>>>> The user can also create domains with the domains endpoint:
>>>>
>>>> POST http://www.example.com/api/v1/domains/
>>>>
>>>> What is not clear for me is how users can get access to domains.
>>>> Probably users can have an attribute "domains", with the list of
>>>> domains they have access to?
>>>> Or should a domain be represented in Keycloak as a resource?
>>>> In this case, should we create roles to access that domain?
>>>> For example, the role "admin-mydomain" ?
>>>>
>>>> Or should it be implemented with user groups in Keycloak? Or with User
>>>> policies?
>>>>
>>>>
>>>>
>>>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Right now you can't do it. This is all about the work we are doing to
>>>>> better support the UMA protocol. Soon you'll be able to let your users
>>>>> manage their resources (and their policies) from the Keycloak Account Service,
>>>>> grant and revoke access to other users, authorization flows. We are really
>>>>> missing this.
>>>>>
>>>>> However, I think you can try to use the Policy Management API. It
>>>>> provides a RESTful API that you can use to manage permissions and policies.
>>>>> As an example:
>>>>> https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java
>>>>> There are other tests in the same package for other permission and policy types.
>>>>>
>>>>> Please, let me know about your achievements if you start doing
>>>>> something with the Policy Management API. Any feedback is welcome and will
>>>>> probably help with the work I mentioned before around UMA.
>>>>>
>>>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>> is it possible for an application user to grant some authorizations
>>>>>> to another user?
>>>>>> For example in the photoz example, how can I give access to my albums
>>>>>> to another user?
>>>>>> What would be the mechanism?
>>>>>>
>>>>>> Thanks a lot
>>>>>> Corentin
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
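The following is an added example, not code from the thread and not Keycloak's own implementation. It is a small stand-in for the JS policy evaluation so the two points in the reply can be checked offline: a policy that calls neither grant() nor deny() counts as a DENY vote, and a DENY on one permission does not take away the permissions that were granted (the subset the "Show Authorization Data" view lists). The shape of the $evaluation object (getContext().getIdentity(), getPermission().getResource().getOwner(), grant(), deny()) is assumed from the policy posted in the thread; the UNANIMOUS strategy, the "Users in domain" user policy and all ids are constructed for the example.

```javascript
// Added example (not from the thread or from Keycloak): a stand-in for Keycloak's
// JS policy evaluation. The $evaluation API shape is assumed from the posted policy.

// Stand-in for the $evaluation object a Keycloak JS policy receives.
class Evaluation {
  constructor(identity, permission) {
    this.identity = identity;
    this.permission = permission;
    this.effect = null; // stays null until the policy calls grant() or deny()
  }
  getContext() { return { getIdentity: () => this.identity }; }
  getPermission() { return this.permission; }
  grant() { this.effect = 'PERMIT'; }
  deny() { this.effect = 'DENY'; }
}

// The owner policy as posted in the thread: it only ever calls grant().
function ownerPolicyAsPosted($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  if (identity.id == permission.getResource().getOwner()) {
    $evaluation.grant();
  }
}

// The same check with the deny branch written out, so no decision is left implicit.
function ownerPolicyExplicit($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const owner = $evaluation.getPermission().getResource().getOwner();
  if (identity.id === owner) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Run one policy for one permission. Applies the default stated in the reply:
// a policy that calls neither grant() nor deny() counts as a DENY vote.
function evaluatePolicy(policy, identity, permission) {
  const evaluation = new Evaluation(identity, permission);
  policy(evaluation);
  return evaluation.effect === null ? 'DENY' : evaluation.effect;
}

// UNANIMOUS decision strategy, as in the posted result: every policy must vote PERMIT.
function decidePermission(permission, identity) {
  const votes = permission.policies.map(p => evaluatePolicy(p, identity, permission));
  return votes.every(v => v === 'PERMIT') ? 'PERMIT' : 'DENY';
}

// Evaluate every permission and collect the granted subset, which is what the
// "Show Authorization Data" view lists as the contents of the RPT.
function evaluateAll(permissions, identity) {
  const results = permissions.map(perm => ({
    name: perm.name,
    decision: decidePermission(perm, identity),
  }));
  const granted = results.filter(r => r.decision === 'PERMIT').map(r => r.name);
  return { overall: granted.length === results.length ? 'PERMIT' : 'DENY', results, granted };
}

// Constructed sample data (hypothetical ids, not from the thread).
const myHouse = { name: 'MyHouse', owner: 'alice-id' };
const domainMembers = new Set(['alice-id', 'bob-id']);

// Stand-in for the "Users in domain" user policy: member => PERMIT, otherwise DENY.
function usersInDomainPolicy($evaluation) {
  if (domainMembers.has($evaluation.getContext().getIdentity().id)) $evaluation.grant();
  else $evaluation.deny();
}

// Two overlapping permissions on the same resource, as in the posted evaluation.
function buildPermissions(ownerPolicy) {
  const resource = { getOwner: () => myHouse.owner };
  return [
    { name: 'Can access domain', getResource: () => resource, policies: [usersInDomainPolicy] },
    { name: 'Can delete MyHouse', getResource: () => resource, policies: [ownerPolicy] },
  ];
}

const alice = { id: 'alice-id' };
const bob = { id: 'bob-id' };

// Bob is a domain member but not the owner: overall DENY, yet "Can access domain" is granted.
console.log(JSON.stringify(evaluateAll(buildPermissions(ownerPolicyAsPosted), bob), null, 2));
```

Evaluating Bob with the as-posted policy and with the explicit one gives the same granted subset; the explicit deny does not change the outcome, it only makes the vote visible in the policy code instead of relying on the default.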

