Re: [keycloak-user] Check ownership of resource with keycloak Authorization

Hi Richard, Resources always have an owner set. By default, the owner is the resource server itself. When creating a resource via Protection API (only RS can do that) you are free to set the owner. That is exactly what we do in that Photoz example, where the owner is actually the user whom created an album from the application. Once you set the owner as your user (you can use the user id or something else that you need to match the user later) you can use not only Drools policy, but also JavaScript policies. Take a look on our Evaluation API [1]. From there you can obtain a Resource instance from Evaluation.getPermission, which returns an object holding both the resource and the permission being evaluated. Once you obtain the resource, you can obtain the owner from the resource and do your check. Note that the policy will probably match the subject of the access token (represented in the Evaluation API as an Identity) with the owner field of a resource. The Identity usually represents the user that the client is acting on behalf and that previously authenticated in Keycloak. [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html Regards. Pedro Igor On 12/8/2016 7:37:29 AM, Richard van Duijn <rjvduijn(a)gmail.com&gt; wrote: I'm investigating the possibility of securing my application with keycloak using both Authentication and Authorization. I was wondering if I can check ownership of a resource (i.e. a picture in a database) with keycloak policies. I see there is an example in the documentation using a Drools Policy which checks the ownership of the resource, but that is limited to the client being the owner of the resource. What i'd like to accomplish is to see if userA has access to documentA. Can the drools engine query a database to fetch the required dataField or is there another approach for this to be done? Thanks for any pointers... /Richard _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user