On Tue, Feb 13, 2018 at 4:50 PM, Or Harary <harary.or(a)gmail.com> wrote:
Hello,
After some time of using Keycloak, which works great for most of my demands,
I wanted to know if it's possible to create a permission with a policy that
will tell me if some user (not the one which is logged in) is within a
certain group.
For example:
User 1 has a digital wallet.
This digital wallet has a resource:
name: /wallet/{wallet-id}
uri: /{user-1-id}/wallet/{wallet-id}
scopes: charge/read/...
User 2 has a company which is represented as a group.
User 2 wants to charge user 1's digital wallet, but I want him to only be able
to do so when user 1 is inside user 2's company group.
How can I check this with a policy?
Or somehow share user 1 resource with user 2 by a policy?
We are introducing some changes to authorization services in order to
update the implementation to UMA 2.0.
One of the main features we are delivering is the user-managed access part
we were missing in the current implementation, where users are allowed to share
their resources.
We are also providing some RESTful endpoint which your applications
(resource servers) can use to manage permission requests.
Right now, I think you can try a JS policy that checks for the group and
the user allowed to access a resource. Let me know if you are able to do
so, if not we have space to improve what we expose via the Evaluation API
(the objects exposed to policies with the permission being requested +
context).
Regards.
Pedro Igor
Thanks!
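
One way to write the group check suggested in the reply, as an added example that is not code from this thread or from the Keycloak project. The policy function takes an object shaped like the `$evaluation` variable of a JS policy; the `/companies/<user-id>` group path convention, the `isUserInGroup` lookup on the realm object, and the `decide` stand-in with its sample data are assumptions made for the example.

```javascript
// In Keycloak, the body of walletChargePolicy would be the JS policy itself,
// with `evaluation` being $evaluation. This policy covers only the
// "company charges a member's wallet" case, not the owner's own access.
// Assumption (hypothetical convention): a company is the group
// /companies/<id of the user who owns the company>, so the group path is
// derived from the authenticated requester and never from request input.
function walletChargePolicy(evaluation) {
  var requesterId = evaluation.getContext().getIdentity().getId();
  var resource = evaluation.getPermission().getResource();
  var ownerId = resource ? resource.getOwner() : null;
  if (!ownerId) { evaluation.deny(); return; }   // fail closed: no resource or owner
  try {
    // Assumed lookup: is the wallet owner a direct member of the requester's company group?
    var member = evaluation.getRealm()
      .isUserInGroup(ownerId, '/companies/' + requesterId, false);
    if (member === true) { evaluation.grant(); } else { evaluation.deny(); }
  } catch (e) {
    evaluation.deny();                           // unknown group or lookup error
  }
}

// Constructed stand-in for the evaluation object so the logic runs offline.
function decide(requesterId, walletOwnerId, groups) {
  var decision = 'DENY';
  var evaluation = {
    getContext: function () {
      return { getIdentity: function () {
        return { getId: function () { return requesterId; } }; } };
    },
    getPermission: function () {
      return { getResource: function () {
        if (walletOwnerId === undefined) { return null; }
        return { getOwner: function () { return walletOwnerId; } }; } };
    },
    getRealm: function () {
      return { isUserInGroup: function (userId, path) {
        if (!groups.hasOwnProperty(path)) { throw new Error('no such group'); }
        return groups[path].indexOf(userId) !== -1; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; }
  };
  walletChargePolicy(evaluation);
  return decision;
}

var GROUPS = { '/companies/user-2': ['user-1', 'user-5'] };  // constructed sample data
console.log(decide('user-2', 'user-1', GROUPS));
```

Every path that cannot confirm membership ends in a deny, so a missing group or a failed lookup never results in a charge being allowed.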