Re: [keycloak-user] Scope Permissions with Resource Type

Thanks Pedro. I will try this out. BTW, do you think merging the resource-based and scope-based permissions would be in your roadmap for anytime soon? On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > There is a limitation here in how resource types are used. You could > achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource > instance", with the owner other than the resource server. But this does not > seem to be your case. > > There is one way to achieve this by using a JS Policy. Still not ideal, > but something like this: > > ==== > var permission = $evaluation.getPermission(); > var scopes = permission.getScopes(); > > for (i = 0; i < scopes.length; i++) { > var scope = scopes.get(i); > > if (scope.getName().equals("read")) { > if (// check here if the user is member of a group) { > permission.getScopes().remove(scope); > } > } > } > > // grant or deny the permission > ==== > > To check if a user is a member of a group, please take a look at > https://www.keycloak.org/docs/latest/authorization_services/index.html#ch... > . > > On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi <farzad.panahi(a)gmail.com&gt; > wrote: > >> Hi Pedro, >> >> If I create a scope-based permission without specifying the resource, >> then that permission will apply to all the resources. >> For instance in the example I mentioned in my previous email: >> >> I want to create permissions to give only SCOPE_READ access (not >> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >> >> If I grant a permission for SCOPE_READ without specifying the resource >> then basically I am granting SCOPE_READ to all the resources which is not >> what I want. I want to only give SCOPE_READ to a specific set of resources. >> >> I think as you mentioned merging resource-based and scope-based >> permissions is a good idea and would work better. But now that we do not >> have this feature is there any other way to accomplish this somehow using >> policies or something else? >> >> Cheers >> >> Farzad >> >> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva(a)redhat.com&gt; >> wrote: >> >>> You can create scope-based permission for a specific scope (without set >>> a resource). Would that help? >>> >>> I think we could also think about merging resource-based permission >>> into scope-based permission so that we only have a single type of >>> permission. >>> >>> Regards. >>> Pedro Igor >>> >>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi(a)gmail.com&gt; >>> wrote: >>> >>>> Hi, >>>> >>>> I have a client authorization set-up like the following: >>>> >>>> RERSOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>> RERSOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>> RERSOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>> >>>> USER_1: USER_GROUP_A >>>> USER_2: USER_GROUP_A >>>> >>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A >>>> >>>> I want to create permissions to give only SCOPE_READ access (not >>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >>>> >>>> If I create a resourced based permission then it will give grant >>>> access to >>>> both scopes. >>>> Unfortunately I cannot create a scope based permission because scope >>>> permission does not support resource type. It only supports resource. >>>> If I >>>> want to use scoped based permission then I have to create permission >>>> for >>>> every single resource in my resource type. >>>> >>>> I was wondering if there is a reason that scope based permission does >>>> not >>>> support resource type? >>>> >>>> Also anyone has any idea how I can achieve my requirement given the >>>> limitations that we have? Is there a way to create a policy that grants >>>> access only to a certain scope? >>>> >>>> >>>> Cheers >>>> >>>> Farzad >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>