I think this is the best way to go ....
In fact, this is exactly what we are pushing now with UMA 2.0 and support
for asynchronous authorization. Suppose you have a "Request Access" button
for the case where the user is not allowed to perform an operation on a resource
belonging to a different user. This button could be displayed based on a
"test" authorization request, for which you can also specify whether or not
you want to start an authorization flow to get approval from the resource owner.
Regards.
Pedro Igor
On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
Hi all,
I have a question around the representation and result of permissions.
Say I have an application that manages socks inventory. The UI is
displaying a button to delete socks. However, some user doesn't have the
right to delete socks!
So, I perform a request to Keycloak to get the permission.
It works well: if the user doesn't have permission, the message
"authorization denied" is displayed on the screen.
However, it would be nicer to remove the "delete" button entirely.
My policies are quite complex and multi-dimensional: you can delete socks
if you are admin, but also if they belong to you, if you belong to some groups,
etc.
So anticipating the reply to an authorization request can be very hard.
What do you suggest? Should we perform a "test" authorization request
before displaying the "delete" button?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
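The "test" authorization request Pedro describes, as an added example (this is not code from the Keycloak project or from either author of the thread): a decision-only UMA 2.0 request to Keycloak's token endpoint, with submit_request set so that a denial also records a permission request for the resource owner (UMA asynchronous authorization). The realm name, the client ids, the "socks-inventory#delete" resource/scope, the bearer tokens and the fake transport standing in for Keycloak are all assumptions made so the script runs offline; swap in urllib_transport to talk to a real server.

```python
"""
Added example (not from the Keycloak project or the thread's authors):
a "test" authorization request against Keycloak's UMA 2.0 token endpoint,
used to decide whether to render a "delete" or a "Request Access" button.
Assumed: realm "socks", client id "socks-api", permission "socks-inventory#delete",
the bearer tokens, and the fake transport used so this runs offline.
"""
import json
from enum import Enum
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class Decision(Enum):
    GRANTED = "granted"
    DENIED = "denied"


def token_endpoint(base_url, realm):
    # Keycloak's OIDC token endpoint also serves UMA 2.0 grant requests.
    # The "/auth" context path matches Keycloak distributions of 2018.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def build_decision_request(audience, permissions, submit_request=False, ticket=None):
    """Form fields for a decision-only ("test") authorization request.
    permissions: iterable of "resource" or "resource#scope" strings.
    ticket: a permission ticket obtained from the resource server, if any."""
    fields = [
        ("grant_type", UMA_TICKET_GRANT),
        ("response_mode", "decision"),  # ask yes/no only; no RPT is minted
    ]
    if ticket:
        fields.append(("ticket", ticket))
    else:
        fields.append(("audience", audience))
        fields.extend(("permission", p) for p in permissions)
    if submit_request:
        # UMA asynchronous authorization: on denial Keycloak records a
        # permission request that the resource owner can approve later.
        fields.append(("submit_request", "true"))
    return fields


def interpret_response(status, body):
    """Map the token endpoint's answer onto a Decision."""
    payload = json.loads(body) if body else {}
    if status == 200 and payload.get("result") is True:
        return Decision.GRANTED
    if status == 403 and payload.get("error") == "access_denied":
        return Decision.DENIED
    raise RuntimeError(f"unexpected token endpoint response: {status} {body}")


def evaluate(transport, endpoint, user_token, fields):
    """POST the request on behalf of the logged-in user and interpret it."""
    headers = {"Authorization": f"Bearer {user_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, body = transport(endpoint, headers, urlencode(fields))
    return interpret_response(status, body)


def urllib_transport(url, headers, data):
    """Real HTTP transport; 4xx answers are returned, not raised."""
    try:
        with urlopen(Request(url, data=data.encode(), headers=headers, method="POST")) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def fake_keycloak(allowed):
    """Constructed stand-in for Keycloak: grants iff every requested
    permission string is in `allowed`, else answers like a denial does."""
    def transport(url, headers, data):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, json.dumps({"error": "invalid_grant"})
        asked = parse_qs(data).get("permission", [])
        if asked and all(p in allowed for p in asked):
            return 200, json.dumps({"result": True})
        return 403, json.dumps({"error": "access_denied",
                                "error_description": "not_authorized"})
    return transport


def ui_buttons(decision):
    """What the socks UI renders for the decision."""
    return {"delete": decision is Decision.GRANTED,
            "request_access": decision is Decision.DENIED}


if __name__ == "__main__":
    ep = token_endpoint("https://sso.example.com", "socks")
    fields = build_decision_request("socks-api", ["socks-inventory#delete"],
                                    submit_request=True)
    alice = fake_keycloak({"socks-inventory#delete"})  # owner of the socks
    bob = fake_keycloak(set())                          # not allowed to delete
    print("alice:", ui_buttons(evaluate(alice, ep, "alice-access-token", fields)))
    print("bob:  ", ui_buttons(evaluate(bob, ep, "bob-access-token", fields)))
```

The decision response mode keeps the check cheap (no RPT is issued) and the denial is the same 403 whether or not submit_request was set, so the UI decides to show "Request Access" from its own knowledge that it asked for the request to be submitted, not from the response body.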