[keycloak-user] Advanced authorization

Pedro Igor Silva psilva at redhat.com
Wed Oct 24 09:14:08 EDT 2018


Yeah, I think so. I need to document this ... But we also expose endpoints
in the Admin REST API which you could use to manage these permissions/policies
from your app.

On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <melissa.palmer at gmail.com>
wrote:

> Thanks Pedro, I will take a closer look.
> Yes, I’ll put the workflow in the app. But we do want to manage the
> permissions in Keycloak,
>
> I tried to align with the QuickStart to explain. But it’s not necessarily
> on a resource that I own that I want to do this. For example, it could be
> against adding products in an ecommerce app, or transactions for a company
>
> It sounds like I should rather use the non-UMA
> example to try this against. Would that be better?
>
> Thanks
> Melissa
>
>
> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>
> Hi Melissa,
>
> I don't think this is very different than what we have in the quickstart
> you mentioned.
>
> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <melissa.palmer at gmail.com>
> wrote:
>
>> Hi,
>>
>> I am trying to do something similar to the following:
>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>> includes a status attribute against it.
>> - status such as: CREATED, APPROVED, DECLINED,
>>
>
> You probably noticed that resources in Keycloak have attributes, so you
> could set a "status" accordingly. You should be able to write JS policies
> that can access any attribute associated with a resource.
>
>
>> - a person can then be given a role that allows for permissions (via a
>> role) such as
>>
>>    - album:create
>>    - album:approve
>>    - album:decline
>>
>
> If you have different authorization requirements for each scope, you can
> create a scope-based permission for each scope. Otherwise, a single
> scope-based permission can manage access for all of them.
>
>
>>
>> - BUT a person is not allowed to approve any albums they created
>> themselves
>>
>
> I would create a scope-based permission specific to album:approve and associate
> it with a JS policy that denies access to the resource owner (considering
> the owner is the person that created the resource).
>
>
>>
>> Is there a keycloak-quickstarts/example I can start from?
>> Or a recommended way I should attempt to tackle this?
>>
>
> It is worth highlighting that when using UMA and, especially, the "My
> Resources" page in the Account Service, resource owners are always allowed
> to manage their resources. It seems you are more interested in a workflow
> that does not really fit this functionality in particular. I think you
> would need to manage this workflow from your app based on the permissions
> you have in Keycloak.
>
>
>>
>> Thank You in advance,
>> Melissa
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
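What the JS policy Pedro describes could look like, written as an added example that is not code from this thread or from the Keycloak project. It combines the two rules from Melissa's question for a scope-based permission on the album:approve scope: the owner of an album may never approve it, and only an album whose "status" resource attribute is CREATED is eligible. In Keycloak the policy is the bare script body and `$evaluation` is a global the server injects; the `approvePolicy` wrapper, the `fakeEvaluation` test double and the `decide` helper are assumptions made here only so the decision logic can be run offline. The API shape the stub imitates (`getPermission().getResource()`, `Resource.getOwner()`, `Resource.getAttributes()` returning a map of name to a list of values, `getContext().getIdentity().getId()`, `grant()`/`deny()`) follows the Keycloak Authorization Services documentation for JavaScript policies; treat that mapping as an assumption and check it against the version you run. Note that newer Keycloak releases disable uploading scripts through the admin console by default and expect JS policies to be deployed as a JAR.

```javascript
// Added example, not Keycloak's own code. In a real deployment only the body
// of approvePolicy() is the policy script; `$evaluation` is provided by the
// server. The stub below is a constructed test double (an assumption about
// the API shape, not the real Keycloak objects).

function approvePolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var identity = $evaluation.getContext().getIdentity();

  // A scope request with no resource attached gives us nothing to reason
  // about, so fail closed instead of falling through to grant().
  if (!resource) {
    $evaluation.deny();
    return;
  }

  // Rule 1: the creator/owner of the album may never approve it.
  // String() keeps the comparison working whether the ids arrive as Java
  // strings (inside Keycloak) or JS strings (in this offline harness).
  if (String(resource.getOwner()) === String(identity.getId())) {
    $evaluation.deny();
    return;
  }

  // Rule 2: only albums whose "status" attribute is CREATED can be approved.
  // Resource attributes are multi-valued, so read the first value.
  var status = resource.getAttributes().get("status");
  if (!status || String(status[0]) !== "CREATED") {
    $evaluation.deny();
    return;
  }

  $evaluation.grant();
}

// ---- constructed test double for $evaluation (assumption, not Keycloak) ----
function fakeEvaluation(requesterId, ownerId, status) {
  var attrs = new Map();
  if (status !== undefined) attrs.set("status", [status]);
  var resource = {
    getOwner: function () { return ownerId; },
    getAttributes: function () { return attrs; },
  };
  var result = { decision: null };
  return {
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return requesterId; } };
        },
      };
    },
    grant: function () { result.decision = "GRANT"; },
    deny: function () { result.decision = "DENY"; },
    result: result,
  };
}

// Runs the policy against a constructed evaluation and returns "GRANT"/"DENY".
function decide(requesterId, ownerId, status) {
  var ev = fakeEvaluation(requesterId, ownerId, status);
  approvePolicy(ev);
  return ev.result.decision;
}

// Sample decisions on constructed data (alice created the album):
//   decide("bob", "alice", "CREATED")   -> "GRANT"
//   decide("alice", "alice", "CREATED") -> "DENY"  (owner may not approve)
//   decide("bob", "alice", "APPROVED")  -> "DENY"  (already approved)
//   decide("bob", "alice", undefined)   -> "DENY"  (no status attribute)
```

Attach this policy to the album:approve scope-based permission alongside the role policy that grants the album:approve role, with the permission's decision strategy set to Unanimous, so a user needs both the role and a favourable result from the script. The status attribute itself has to be kept current by the application (for instance via the Admin REST API endpoints Pedro mentions) as the album moves from CREATED to APPROVED or DECLINED; the policy only reads it.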

