[keycloak-user] Check ownership of resource with keycloak Authorization

Pedro Igor psilva at redhat.com
Thu Dec 8 06:36:37 EST 2016


Hi Richard,

Resources always have an owner set. By default, the owner is the resource server itself.

When creating a resource via Protection API (only RS can do that) you are free to set the owner. That is exactly what we do in that Photoz example, where the owner is actually the user who created an album from the application.

Once you set the owner as your user (you can use the user id or something else that you need to match the user later) you can use not only Drools policy, but also JavaScript policies. Take a look at our Evaluation API [1]. From there you can obtain a Resource instance from Evaluation.getPermission, which returns an object holding both the resource and the permission being evaluated. Once you obtain the resource, you can obtain the owner from the resource and do your check.

Note that the policy will probably match the subject of the access token (represented in the Evaluation API as an Identity) with the owner field of a resource. The Identity usually represents the user on whose behalf the client is acting and who previously authenticated in Keycloak.

[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html

Regards.
Pedro Igor
On 12/8/2016 7:37:29 AM, Richard van Duijn <rjvduijn at gmail.com> wrote:
I'm investigating the possibility of securing my application with keycloak
using both Authentication and Authorization.

I was wondering if I can check ownership of a resource (i.e. a picture in a
database) with keycloak policies.
I see there is an example in the documentation using a Drools Policy which
checks the ownership of the resource, but that is limited to the client
being the owner of the resource.
What I'd like to accomplish is to see if userA has access to documentA. Can
the Drools engine query a database to fetch the required dataField or is
there another approach for this to be done?

Thanks for any pointers...
/Richard
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
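As an added example, not code from this thread or from Keycloak itself: the ownership check Pedro describes, written as a JavaScript policy body that compares the resource owner with the identity behind the access token, together with a constructed stand-in for the `$evaluation` object (in Keycloak that object is a predefined global) so the check can be exercised outside the server. The method names follow the Evaluation API he links; the stand-in's `result()` helper and the sample ids are assumptions made for this example.

```javascript
// Policy body as it would be pasted into a Keycloak JavaScript policy.
// Inside Keycloak, $evaluation is a global Java object; here it is passed
// in so the same body can be run against the stand-in below. String(...)
// is used so the comparison behaves the same for Java and JS strings.
function ownerPolicy($evaluation) {
  var resource = $evaluation.getPermission().getResource();
  var identity = $evaluation.getContext().getIdentity();
  if (!resource || !identity) {
    $evaluation.deny(); // nothing to compare against: fail closed
    return;
  }
  var owner = resource.getOwner(); // set by the RS via the Protection API
  if (owner !== null && owner !== undefined &&
      String(owner) === String(identity.getId())) {
    $evaluation.grant(); // subject of the token is the resource owner
  } else {
    $evaluation.deny();  // default owner (the RS) or any other user
  }
}

// Constructed stand-in for the Evaluation API, used only to run the policy.
function makeEvaluation(ownerId, subjectId) {
  var decision = null; // assumption: records the last grant()/deny() call
  return {
    getPermission: function () {
      return { getResource: function () {
        return { getOwner: function () { return ownerId; } };
      } };
    },
    getContext: function () {
      return { getIdentity: function () {
        return { getId: function () { return subjectId; } };
      } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Evaluate one (resource owner, token subject) pair; returns 'GRANT' or 'DENY'.
function decide(ownerId, subjectId) {
  var evaluation = makeEvaluation(ownerId, subjectId);
  ownerPolicy(evaluation);
  return evaluation.result();
}
```

When the resource was registered without an explicit owner, `getOwner()` holds the resource server itself, so the policy denies the user request, which is the limitation Richard observed with the client-owner example.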