On 12/28/2016 6:58:26 AM, Avinash Kundaliya <avinash(a)avinash.com.np> wrote:
Reply inline.
I want to confirm if Keycloak requests the resource server to get the resource or not.
On 12/28/16 07:17, Pedro Igor wrote:
On 12/26/2016 7:29:14 AM, Avinash Kundaliya <avinash(a)avinash.com.np> wrote:
I have been going through the photoz example and I am curious how the
Drools application knows the resource owner [1] or gets details about
the resource in general?
Pedro Igor: The rule used with the Drools policy is basically using the Policy Evaluation
API [1], which provides access not only to the resource but also the identity (built based
on the access token sent along the authorization request), the permission being evaluated
(resource + scope) and a few contextual attributes.
[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html
Avinash: Ok, so does this mean that keycloak requests the resource server to get the
resource, that is then passed to the evaluation API along with the identity and
contextual-attributes ?
Pedro Igor: Basically, yes. Not sure what you mean by "Keycloak requests the resource
server to get the resource" but what happens is that during evaluation Keycloak
checks the resources being requested along with the authorization request (see the section
"Authorization Services", especially both the Entitlement and Authorization APIs) and
creates an evaluation context which is then passed to your policies. The evaluation
context is the guy holding all information you might need to actually write your policies
and take decisions.
Can this be done with a javascript based policy?
Pedro Igor: Yes, both policy types allow you to use ABAC and all attributes available
through the Policy Evaluation API to write your policies. You can even mix ABAC with RBAC,
if you also need to check roles granted to the identity asking for access.
Is there a post/description about how the photoz example works and how
information flows in this example? I am trying to understand via the
code as of now; the Readme is a good introduction to what it does, but
not enough to understand what's really happening.
Pedro Igor: No, but we can update docs to include such info.
Avinash: That would be nice! I would also like to help as I move along and understand
what's really happening. This is apparently a more complicated topic than I initially
thought it to be.
Pedro Igor: I would appreciate your help, feel free to send changes to the docs (gitbook is
quite nice and easy to get started with).
The PhotoZ example is intended for those trying to protect APIs. The main thing it tries
to demonstrate is:
* How resource servers can create resources remotely using the Protection API
* How users' resources (album instances, such as "Avinash Family Album") can
inherit permissions assigned to a "Typed Resource".
* How to use the keycloak-authz.js to interact with a Keycloak server and resource servers
in order to obtain tokens with the necessary permissions and use them to actually get
access to protected resources
* How to use the Authorization Client Java API
* What an RPT (requesting party token, the guy holding the permissions) looks like
* How incremental authorization works. In other words, when asking permissions for a set
of one or more resources if you already have a valid RPT, the next RPT is going to have
all permissions previously granted + the new ones.
Probably good topics to write some additional docs :)
I am having a hard time understanding how to set up keycloak
authorization and am also missing documentation/explanation on how to do
things. If there's a resource that someone could refer me to, that would be
great.
Pedro Igor: What about the documentation [2]? I think it is going to be useful to
understand some key concepts. Feel free to open issues against our docs if you find something is
not clear.
[2] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html
[1]
https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/ph...
Regards,
Avinash
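To make the "mix ABAC with RBAC" point above concrete, here is an added example (not code from the thread or from the photoz example itself) of an album policy written against the Keycloak JavaScript policy API: the engine binds `$evaluation`, whose context exposes the identity, the permission and its resource. The `makeEvaluation` mock below is constructed purely so the policy can be exercised offline; in Keycloak the policy body is pasted without the `albumPolicy` function wrapper and `$evaluation` is provided by the server.

```javascript
// Policy body as it would appear in a Keycloak JavaScript-based policy.
// Grants when the requesting identity owns the album resource (ABAC via the
// evaluation context) or holds the realm role "admin" (RBAC mixed in);
// everything else is denied explicitly, so the default is "no access".
function albumPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();

  if (identity.hasRealmRole('admin')) {      // RBAC branch
    $evaluation.grant();
    return;
  }
  if (resource.getOwner() === identity.getId()) {  // ABAC branch: owner == caller
    $evaluation.grant();
    return;
  }
  $evaluation.deny();
}

// Constructed stand-in for the server-provided $evaluation object (test only).
// Mirrors just the accessors the policy above uses: Identity#getId,
// Identity#hasRealmRole, Resource#getOwner, plus grant()/deny().
function makeEvaluation(identityId, realmRoles, resourceOwnerId) {
  var decision = null;
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return {
            getId: function () { return identityId; },
            hasRealmRole: function (r) { return realmRoles.indexOf(r) !== -1; }
          };
        }
      };
    },
    getPermission: function () {
      return { getResource: function () {
        return { getOwner: function () { return resourceOwnerId; } };
      } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Runs the policy for one (caller, roles, album owner) triple and returns the decision.
function evaluate(identityId, realmRoles, resourceOwnerId) {
  var ev = makeEvaluation(identityId, realmRoles, resourceOwnerId);
  albumPolicy(ev);
  return ev.result();
}
```

The mock intentionally returns `null` if a policy neither grants nor denies, which is the case you want to catch in tests: a policy that forgets the final `deny()` falls back to the permission's decision strategy rather than to a refusal.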
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user