[keycloak-user] Advanced authorization

Melissa Palmer melissa.palmer at gmail.com
Thu Oct 25 13:53:28 EDT 2018


Hi Pedro,

How do I get at the resource (and its attributes) via the JS policy?
I have tried the following, but it is not working:
var resource = context.getResource();
var resource = $evaluation.getResource();

Thanks
Melissa



On Wed, 24 Oct 2018 at 15:56, Melissa Palmer <melissa.palmer at gmail.com>
wrote:

> Ok, thank you. Yes, I have seen the REST API; I
> hadn't really thought I needed to use the API for this. What are you thinking?
>
> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>
> Yeah, I think so. I need to document this ... But we also expose endpoints
> in Admin REST API which you could use to manage these permissions/policies
> from your app.
>
> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <melissa.palmer at gmail.com>
> wrote:
>
>> Thanks Pedro, I will take a closer look.
>> Yes, I'll put the workflow in the app. But we do want to manage the
>> permissions in Keycloak.
>>
>> I tried to align with the QuickStart to explain. But it's not necessarily
>> on a resource that I own that I want to do this. For example, it could be
>> against adding products in an ecommerce app, or transactions for a company.
>>
>> It sounds like I should rather use the non-UMA example to try this against.
>> Would that be better?
>>
>> Thanks
>> Melissa
>>
>>
>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>> Hi Melissa,
>>
>> I don't think this is very different than what we have in the quickstart
>> you mentioned.
>>
>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <melissa.palmer at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying to do something similar to the following:
>>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>>> includes a status attribute against it.
>>> - status such as: CREATED, APPROVED, DECLINED,
>>>
>>
>> You probably noticed that resources in Keycloak have attributes, so you
>> could set a "status" accordingly. You should be able to write JS policies
>> that can access any attribute associated with a resource.
>>
>>
>>> - a person can then be given a role that allows for permissions (via a
>>> role) such as
>>>
>>>    - album:create
>>>    - album:approve
>>>    - album:decline
>>>
>>
>> If you have different authorization requirements for each scope, you can
>> create a scope-based permission for each scope. Otherwise, a single
>> scope-permission can manage access for all of them.
>>
>>
>>>
>>> - BUT a person is not allowed to approve any albums they created
>>> themselves
>>>
>>
>> I would create a scope-permission specific for album:approve and
>> associate it with a JS policy that denies access to the resource owner
>> (considering the owner is the person that created the resource).
>>
>>
>>>
>>> Is there a keycloak-quickstarts/example I can start from?
>>> Or a recommended way I should attempt to tackle this?
>>>
>>
>> It is worth highlighting that when using UMA and, especially, the "My
>> Resources" page in the Account Service, resource owners are always allowed
>> to manage their resources. It seems you are more interested in a workflow
>> that does not really fit this functionality in particular. I think you
>> would need to manage this workflow from your app based on the permissions
>> you have in Keycloak.
>>
>>
>>>
>>> Thank You in advance,
>>> Melissa
>>>
>>
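Pedro's suggestion above (a scope-permission for album:approve backed by a JS policy that denies the resource owner, using the resource's status attribute) as an added example written for this thread; it is not code from Keycloak or from anyone in the thread. It assumes the Keycloak JS policy API names listed in the comments and uses a constructed stand-in for $evaluation so it can be run offline.

```javascript
// Added example (not from the thread): a Keycloak JS policy for a scope-based
// permission on album:approve. It denies the resource owner and only grants when
// the album's "status" attribute is CREATED. Assumed Keycloak policy API:
// $evaluation.getPermission().getResource(), resource.getOwner(),
// resource.getAttributes() (Map<String, List<String>>),
// $evaluation.getContext().getIdentity().getId(), $evaluation.grant()/deny().
function evaluateApprove($evaluation) {
  var resource = $evaluation.getPermission().getResource();
  var identity = $evaluation.getContext().getIdentity();
  // No resource on the permission (pure scope permission): nothing to check, deny.
  if (!resource) { $evaluation.deny(); return 'DENY'; }
  // Rule 1: the owner (creator) may never approve their own album.
  if (String(resource.getOwner()) === String(identity.getId())) {
    $evaluation.deny(); return 'DENY';
  }
  // Rule 2: only albums still in CREATED can be approved.
  var values = resource.getAttributes().get('status');
  if (!values || values.isEmpty() || String(values.get(0)) !== 'CREATED') {
    $evaluation.deny(); return 'DENY';
  }
  $evaluation.grant();
  return 'GRANT';
}
// Inside Keycloak the script runs with a global $evaluation; stand-alone it is absent.
if (typeof $evaluation !== 'undefined') { evaluateApprove($evaluation); }

// Constructed stand-in for $evaluation so the policy can be exercised offline.
// A null `status` models an album with no status attribute set.
function fakeEvaluation(ownerId, status, callerId) {
  var values = status === null ? null : {
    isEmpty: function () { return false; },
    get: function (i) { return i === 0 ? status : undefined; }
  };
  var attrs = { get: function (key) { return key === 'status' ? values : null; } };
  var resource = {
    getOwner: function () { return ownerId; },
    getAttributes: function () { return attrs; }
  };
  var identity = { getId: function () { return callerId; } };
  return {
    decision: null,
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    grant: function () { this.decision = 'GRANT'; },
    deny: function () { this.decision = 'DENY'; }
  };
}
```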

