[keycloak-user] understanding the photoz example

Avinash Kundaliya avinash at avinash.com.np
Wed Dec 28 03:58:17 EST 2016


Reply inline.

I want to confirm if Keycloak requests the resource server to get the 
resource or not.


On 12/28/16 07:17, Pedro Igor wrote:
>>
>> On 12/26/2016 7:29:14 AM, Avinash Kundaliya <avinash at avinash.com.np> 
>> wrote:
>>
>> I have been going through the photoz example and I am curious how the
>> Drools application knows the resource owner [1] or gets details about
>> the resource in general?
> *Pedro Igor:* The rule used with the Drools policy is basically using 
> the Policy Evaluation API [1], which provides access not only to the 
> resource but also the identity (built based on the access token sent 
> along the authorization request), the permission being evaluated 
> (resource + scope) and a few contextual attributes.
>
> [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html
>
> *Avinash:* OK, so does this mean that Keycloak requests the resource 
> server to get the resource, which is then passed to the evaluation API 
> along with the identity and contextual attributes?
>> Can this be done with a javascript based policy? 
> *Pedro Igor:* Yes, both policy types allow you to use ABAC and all 
> attributes available through the Policy Evaluation API to write your 
> policies. You can even mix ABAC with RBAC, if you also need to check 
> roles granted to the identity asking for access.
>>
>>
>> Is there a post/description about how the photoz example works and how
>> information flows in this example. I am trying to understand via the
>> code as of now, the Readme is a good introduction of what it does, but
>> not enough to understand what's really happening? 
> *Pedro Igor:* No, but we can update docs to include such info.
>
*Avinash:* That would be nice! I would also like to help as I move along 
and understand what's really happening. This is apparently a more 
complicated topic than I initially thought it to be.
>>
>>
>> I am having a hard time understanding how to set up Keycloak
>> authorization and also missing documentation/explanation on how to do
>> things. If there's a resource that someone could refer to, that would be
>> great. 
> *Pedro Igor:* What about the documentation [2]? I think it is going 
> to be useful to understand some key concepts. Feel free to open issues 
> against our docs if you find something is not clear.
>
> [2] 
> https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html
>>
>>
>> [1]
>> https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11 
>>
>>
>> Regards,
>> Avinash
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
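
Added example, not part of the original thread and not Keycloak's or the photoz project's code: the resource-owner check discussed above, written as a JavaScript policy against the Policy Evaluation API's `$evaluation` object and mixed with a role check as the reply describes. The `makeEvaluation` stub, the `decide` helper, the sample ids and the `admin` role name are constructed so the logic runs offline; `hasRealmRole` is assumed to be available on the identity in the Keycloak version in use.

```javascript
// Policy logic. In Keycloak the function body would be the policy script,
// with `$evaluation` supplied by the server instead of passed as an argument.
function resourceOwnerPolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var identity = $evaluation.getContext().getIdentity();

  // A permission may carry no resource. Without one there is no owner to
  // compare against, so return without granting.
  if (resource === null || resource === undefined) {
    return;
  }
  // ABAC: the identity built from the access token is the resource owner.
  if (String(resource.getOwner()) === String(identity.getId())) {
    $evaluation.grant();
    return;
  }
  // RBAC mixed in. Assumption: hasRealmRole exists and 'admin' is a realm role.
  if (identity.hasRealmRole('admin')) {
    $evaluation.grant();
  }
}

// Constructed stand-in for the evaluation object (hypothetical, offline only).
function makeEvaluation(ownerId, identityId, realmRoles) {
  var state = { granted: false };
  var resource = ownerId === null ? null : { getOwner: function () { return ownerId; } };
  var identity = {
    getId: function () { return identityId; },
    hasRealmRole: function (role) { return realmRoles.indexOf(role) !== -1; }
  };
  return {
    state: state,
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    grant: function () { state.granted = true; }
  };
}

// Runs the policy against the stub; 'DENY' here means the policy never granted.
function decide(ownerId, identityId, realmRoles) {
  var evaluation = makeEvaluation(ownerId, identityId, realmRoles);
  resourceOwnerPolicy(evaluation);
  return evaluation.state.granted ? 'PERMIT' : 'DENY';
}

console.log(decide('alice-id', 'alice-id', []), decide('alice-id', 'bob-id', []));
```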
