[keycloak-user] understanding the photoz example

Pedro Igor psilva at redhat.com
Tue Dec 27 20:32:56 EST 2016


On 12/26/2016 7:29:14 AM, Avinash Kundaliya <avinash at avinash.com.np> wrote:
I have been going through the photoz example and I am curious how
the Drools application knows the resource owner [1] or gets details about
the resource in general?
Pedro Igor: The rule used with the Drools policy is basically using the Policy Evaluation API [1], which provides access not only to the resource but also the identity (built based on the access token sent along the authorization request), the permission being evaluated (resource + scope) and a few contextual attributes.

[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html

Can this be done with a JavaScript-based policy?
Pedro Igor: Yes, both policy types allow you to use ABAC and all attributes available through the Policy Evaluation API to write your policies. You can even mix ABAC with RBAC, if you also need to check roles granted to the identity asking for access.



Is there a post/description about how the photoz example works and how
information flows in this example? I am trying to understand via the
code as of now; the Readme is a good introduction to what it does, but
not enough to understand what's really happening.
Pedro Igor: No, but we can update docs to include such info.




I am having a hard time understanding how to set up Keycloak
authorization and am also missing documentation/explanation on how to do
things. If there's a resource that someone could refer to, that would be
great.
Pedro Igor: What about the documentation [2]? I think it is going to be useful to understand some key concepts. Feel free to open issues against our docs if you find something is not clear.

[2] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html


[1]
https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11

Regards,
Avinash
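
The owner check discussed in this thread, written as a JavaScript-based policy body against the Policy Evaluation API and mixing ABAC with RBAC. This is an added example, not code from the thread or from the photoz project; the mock Evaluation object, the sample IDs and the `admin` role name are constructed assumptions so that it runs under plain Node.js.

```javascript
// Added illustration, not photoz or Keycloak project code.
// Keycloak hands a JavaScript policy the Evaluation object as `$evaluation`;
// here it is a parameter so the same logic runs under plain Node.js.
function onlyOwnerOrAdmin(evaluation) {
  var resource = evaluation.getPermission().getResource(); // permission = resource + scope
  var identity = evaluation.getContext().getIdentity();    // built from the access token
  var owner = resource ? resource.getOwner() : null;

  // ABAC: the requester must be the owner. Refuse to match on a missing
  // owner or id, otherwise two absent values would compare equal and grant.
  if (owner != null && identity.getId() != null && owner === identity.getId()) {
    evaluation.grant();
    return;
  }
  // RBAC mixed in: the role name 'admin' is an assumption for this example.
  if (identity.hasRealmRole('admin')) {
    evaluation.grant();
    return;
  }
  evaluation.deny(); // explicit default for everyone else
}

// Constructed stand-in for the Evaluation object (sample data only).
function mockEvaluation(ownerId, userId, realmRoles) {
  var effect = 'UNSET';
  var identity = {
    getId: function () { return userId; },
    hasRealmRole: function (role) { return realmRoles.indexOf(role) !== -1; }
  };
  return {
    getPermission: function () {
      return { getResource: function () { return { getOwner: function () { return ownerId; } }; } };
    },
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    grant: function () { effect = 'PERMIT'; },
    deny: function () { effect = 'DENY'; },
    effect: function () { return effect; }
  };
}

// Runs the policy against one constructed request and returns the decision.
function decide(ownerId, userId, realmRoles) {
  var evaluation = mockEvaluation(ownerId, userId, realmRoles);
  onlyOwnerOrAdmin(evaluation);
  return evaluation.effect();
}

console.log(decide('alice-id', 'alice-id', []), decide('alice-id', 'bob-id', []));
```

In a real JavaScript policy the body of `onlyOwnerOrAdmin` would be used directly with `$evaluation` in place of the parameter.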
