Hi Richard,
Resources always have an owner set. By default, the owner is the resource server itself.
When creating a resource via Protection API (only RS can do that) you are free to set the
owner. That is exactly what we do in that Photoz example, where the owner is actually the
user who created an album from the application.
Once you set the owner as your user (you can use the user id or something else that you
need to match the user later) you can use not only Drools policy, but also JavaScript
policies. Take a look at our Evaluation API [1]. From there you can obtain a Resource
instance from Evaluation.getPermission, which returns an object holding both the resource
and the permission being evaluated. Once you obtain the resource, you can obtain the owner
from the resource and do your check.
Note that the policy will probably match the subject of the access token (represented in
the Evaluation API as an Identity) with the owner field of a resource. The Identity
usually represents the user on whose behalf the client is acting and who previously
authenticated in Keycloak.
[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html
Regards.
Pedro Igor
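The ownership check described above, written out as an added example (this is not code from the thread or from the Keycloak project): a JavaScript policy body that compares the owner recorded on the resource with the subject of the access token, plus a constructed stand-in for the `$evaluation` object so the decision logic can be run offline. The user and client ids used in the mock are constructed values. Inside Keycloak the policy text would be the body of `ownerOnlyPolicy` with `$evaluation` as the global, and since `getOwner()` and `getId()` return Java Strings there, the real policy compares with `.equals()` instead of `===`.

```javascript
// Added example, not from the Keycloak project or the mailing-list thread.
// Demonstrates a Keycloak JavaScript policy that grants only when the
// access-token subject is the owner recorded on the resource, and a
// constructed mock of the Evaluation API surface it touches.

// Policy body. In Keycloak this runs with `$evaluation` as a global; here
// it is passed in so the mock below can drive it.
function ownerOnlyPolicy(evaluation) {
  var permission = evaluation.getPermission();   // resource + scopes being evaluated
  var resource = permission.getResource();        // the registered resource
  var identity = evaluation.getContext().getIdentity(); // access-token subject

  // The owner defaults to the resource server (its client id) unless it was
  // set when the resource was registered via the Protection API. A user
  // subject therefore never matches an unowned resource and is denied.
  // (Real policies compare Java Strings: resource.getOwner().equals(identity.getId()))
  if (resource.getOwner() === identity.getId()) {
    evaluation.grant();
  } else {
    evaluation.deny(); // explicit for clarity; Keycloak denies by default
  }
}

// Constructed mock of the parts of the Evaluation API used above:
// getPermission().getResource().getOwner() and getContext().getIdentity().getId(),
// with grant()/deny() recording the decision.
function makeEvaluation(ownerId, subjectId) {
  var state = { decision: null };
  return {
    getPermission: function () {
      return {
        getResource: function () {
          return { getOwner: function () { return ownerId; } };
        }
      };
    },
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return subjectId; } };
        }
      };
    },
    grant: function () { state.decision = "GRANT"; },
    deny: function () { state.decision = "DENY"; },
    decision: function () { return state.decision; }
  };
}

// Runs the policy for one owner/subject pair and returns the decision.
function evaluateOwnership(ownerId, subjectId) {
  var evaluation = makeEvaluation(ownerId, subjectId);
  ownerOnlyPolicy(evaluation);
  return evaluation.decision();
}

// Constructed sample ids (hypothetical user and client ids).
var ALICE = "f3a1c2d4-user-alice";
var BOB = "9b7e6d5c-user-bob";
var RESOURCE_SERVER = "photoz-restful-api"; // default owner when none was set

console.log("alice on her own album: " + evaluateOwnership(ALICE, ALICE));
console.log("alice on bob's album:   " + evaluateOwnership(BOB, ALICE));
console.log("alice on unowned res.:  " + evaluateOwnership(RESOURCE_SERVER, ALICE));
```

The check only works if the value stored in the resource's owner field is the same identifier the policy reads from the Identity (the user id from the token), which is why the owner has to be set deliberately when the resource is registered rather than left at the resource-server default.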
On 12/8/2016 7:37:29 AM, Richard van Duijn <rjvduijn(a)gmail.com> wrote:
I'm investigating the possibility of securing my application with keycloak
using both Authentication and Authorization.
I was wondering if I can check ownership of a resource (i.e. a picture in a
database) with keycloak policies.
I see there is an example in the documentation using a Drools Policy which
checks the ownership of the resource, but that is limited to the client
being the owner of the resource.
What I'd like to accomplish is to see if userA has access to documentA. Can
the drools engine query a database to fetch the required dataField or is
there another approach for this to be done?
Thanks for any pointers...
/Richard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user