[keycloak-user] understanding the photoz example
Avinash Kundaliya
avinash at avinash.com.np
Wed Dec 28 03:58:17 EST 2016
Reply inline.
I want to confirm if Keycloak requests the resource server to get the
resource or not.
On 12/28/16 07:17, Pedro Igor wrote:
>>
>> On 12/26/2016 7:29:14 AM, Avinash Kundaliya <avinash at avinash.com.np>
>> wrote:
>>
>> I have been going through the photoz example and I am curious how does
>> the drool application know the resource owner [1] or get details about
>> the resource in general ?
> *Pedro Igor:* The rule used with the Drools policy is basically using
> the Policy Evaluation API [1], which provides access not only to the
> resource but also the identity (built based on the access token sent
> along the authorization request), the permission being evaluated
> (resource + scope) and a few contextual attributes.
>
> [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html
>
> *Avinash**:* Ok, so does this mean that keycloak requests the resource
> server to get the resource, that is then passed to the evaluation API
> along with the identity and contextual-attributes ?
>> Can this be done with a javascript based policy?
> *Pedro Igor:* Yes, both policy types allows you to use ABAC and all
> attributes available through the Policy Evaluation API to write your
> policies. You can even mix ABAC with RBAC, if you also need to check
> roles granted to the identity asking for access.
>>
>>
>> Is there a post/description about how the photoz example works and how
>> information flows in this example. I am trying to understand via the
>> code as of now, the Readme is a good introduction of what it does, but
>> not enough to understand what's really happening?
> *Pedro Igor:* No, but we can update docs to include such info.
>
*Avinash:* That would be nice! I would also like to help as i move along
and understand what's really happening. This is apparently more
complicated a topic than initially thought it to be.
>>
>>
>> I am having a hard time understanding how to setup keycloak
>> authorization and also missing documentation/explanation on how to do
>> things. If there's a resource that someone could refer to, that would be
>> great.
> *Pedro Igor:* What about the documentation [2] ? I think it is going
> to be useful to understand some key concepts. Fell free to open issues
> to our doc if you find something is not clear
>
> [2]
> https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html
>>
>>
>> [1]
>> https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11
>>
>>
>> Regards,
>> Avinash
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list