[keycloak-user] Keycloak authorization protected resource with user attributes

uğur kolip ugur.kolip at gmail.com
Sun Dec 18 14:27:31 EST 2016


Hi,

I am using Keycloak 2.4.0 Final. I try to copy the photoz example to a Spring
Boot app (with the Spring Boot adapter) and add the same features.
Features that I try to add:
Make a page where an admin user can create users, create protected resources,
and add access for users to these protected resources (to add
these I use keycloak-admin-client).
For example, with the admin page I create protected resources whose URIs are
campaign/*camp1*/* and campaign/*camp2*/*. The Spring endpoints are
campaign/{campaignName}/create, campaign/{campaignName}/update,
campaign/{campaignName}/delete.
For authorization, I add a user attribute to the user like (key: camp1, value:
create,update) or (key: camp2, value: read) and I try to use these
attributes in a policy at the protected resource.

My questions:
1. Is it the right way to use attributes for authorization? Can these attributes
be changed on the client side to hack?
2. My other idea is creating a role for each protected resource like
(camp1_create, camp1_update) and adding them to users. Is this way suitable? If I
use this way, there are too many roles.
3. When I try to use attributes, I add the mapping to the REST API
(photoz-restful-api), but when I add the mapping to the client
app (photoz-html5-client), it works. I don't understand; should we add the
mapping to the client which I call? What should I do if I call this
API (photoz-restful-api) from some other app?
4. In the JS policy, can I use groups, and how?
5. In the JS policy, can I get data from my DB or an endpoint? (like this:
if(someMethod(identity.getId()) == true) $evaluation.grant(); ) Because I
need extra data for authz.
6. Can we debug the JS policy? I want to know the identity and context attributes.
console.log does not work :)
7. Can we use the request body for authorization, in the JS policy or somewhere?

My main mission is creating protected resources and finding a way to authz these
endpoints. What should I add to the user? And how do I use them?

Thank you for your help and sorry for my English :)
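The following is an added example (not code from the post above, nor from Keycloak or the photoz demo) of the attribute-driven JS policy the post describes: a user attribute named after the requested resource (camp1, camp2) lists the actions the user may perform, and the policy grants the permission only when every requested scope appears in that list, denying everything else. The `$evaluation` method names (`getContext().getIdentity().getAttributes().getValue()`, `getPermission().getResource().getName()`, `getPermission().getScopes()`, `grant()`, `deny()`) follow Keycloak's authorization-services documentation; the `makeEvaluation` stub that constructs such an object, the attribute convention, and the sample attributes are assumptions made up here so the policy can be run and unit-tested locally under Node before being pasted into the policy editor. Because the policy runs inside the server, the attributes it reads come from the Keycloak user store (set through the Admin API), not from anything the calling client sends.

```javascript
// Policy body: what would be pasted into a Keycloak JavaScript policy.
// Deny-by-default: a permission is granted only when explicitly allowed.
function policy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var permission = $evaluation.getPermission();
  var resourceName = permission.getResource().getName(); // e.g. "camp1"

  // Convention assumed here: attribute key == resource name,
  // attribute value == comma-separated allowed actions, e.g. "create,update".
  var entry = identity.getAttributes().getValue(resourceName);
  if (entry === null || entry === undefined) {
    $evaluation.deny();
    return;
  }
  var allowed = entry.asString(0).split(',').map(function (s) { return s.trim(); });

  // Every requested scope must be listed; no scopes at all means deny.
  var scopes = permission.getScopes();
  var ok = !scopes.isEmpty();
  scopes.forEach(function (scope) {
    if (allowed.indexOf(scope.getName()) === -1) { ok = false; }
  });
  if (ok) { $evaluation.grant(); } else { $evaluation.deny(); }
}

// Constructed stand-in for the object Keycloak injects as $evaluation.
// It mimics only the methods the policy above uses; real Keycloak returns
// Java collections, which Nashorn also lets you call isEmpty()/forEach() on.
function makeEvaluation(userAttributes, resourceName, scopeNames) {
  var result = { decision: null };
  var scopeObjs = scopeNames.map(function (n) {
    return { getName: function () { return n; } };
  });
  return {
    getContext: function () {
      return { getIdentity: function () {
        return { getAttributes: function () {
          return { getValue: function (key) {
            if (!Object.prototype.hasOwnProperty.call(userAttributes, key)) { return null; }
            var values = userAttributes[key];
            return { asString: function (i) { return values[i]; } };
          } };
        } };
      } };
    },
    getPermission: function () {
      return {
        getResource: function () { return { getName: function () { return resourceName; } }; },
        getScopes: function () {
          return {
            isEmpty: function () { return scopeObjs.length === 0; },
            forEach: function (fn) { scopeObjs.forEach(fn); }
          };
        }
      };
    },
    grant: function () { result.decision = 'GRANT'; },
    deny: function () { result.decision = 'DENY'; },
    result: result
  };
}

// Runs the policy against constructed input and returns "GRANT" or "DENY".
function decide(userAttributes, resourceName, scopeNames) {
  var ev = makeEvaluation(userAttributes, resourceName, scopeNames);
  policy(ev);
  return ev.result.decision;
}

// Constructed sample user: may create/update camp1, may only read camp2.
var sampleUser = { camp1: ['create,update'], camp2: ['read'] };
console.log('camp1 create ->', decide(sampleUser, 'camp1', ['create']));   // GRANT
console.log('camp1 delete ->', decide(sampleUser, 'camp1', ['delete']));   // DENY
console.log('camp3 read   ->', decide(sampleUser, 'camp3', ['read']));     // DENY
```

Each Spring endpoint (create, update, delete) maps to a scope on the resource, so the policy never has to inspect the request URI or body; the same stub lets you check new attribute values against the policy offline before changing anything on the server.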


More information about the keycloak-user mailing list