[keycloak-user] understanding the photoz example
Pedro Igor
psilva at redhat.com
Wed Dec 28 07:51:24 EST 2016
On 12/28/2016 6:58:26 AM, Avinash Kundaliya <avinash at avinash.com.np> wrote:
Reply inline.
I want to confirm if Keycloak requests the resource server to get the resource or not.
On 12/28/16 07:17, Pedro Igor wrote:
On 12/26/2016 7:29:14 AM, Avinash Kundaliya <avinash at avinash.com.np> [mailto:avinash at avinash.com.np] wrote:
I have been going through the photoz example and I am curious how does
the drool application know the resource owner [1] or get details about
the resource in general ?
Pedro Igor: The rule used with the Drools policy is basically using the Policy Evaluation API [1], which provides access not only to the resource but also the identity (built based on the access token sent along the authorization request), the permission being evaluated (resource + scope) and a few contextual attributes.
[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html [https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html]
Avinash: Ok, so does this mean that keycloak requests the resource server to get the resource, that is then passed to the evaluation API along with the identity and contextual-attributes ?
Pedro Igor: Basically, yes. Not sure what you mean by "Keycloak requests the resource server to get the resource" but what happens is that during evaluation Keycloak checks the resources being requested along with the authorization request (see the section "Authorization Services", specially both Entitlement and Authorization APIs) and creates an evaluation context which is then passed to your policies. The evaluation context is the guy holding all information you might need to actually write your policies and take decisions.
Can this be done with a javascript based policy?
Pedro Igor: Yes, both policy types allows you to use ABAC and all attributes available through the Policy Evaluation API to write your policies. You can even mix ABAC with RBAC, if you also need to check roles granted to the identity asking for access.
Is there a post/description about how the photoz example works and how
information flows in this example. I am trying to understand via the
code as of now, the Readme is a good introduction of what it does, but
not enough to understand what's really happening?
Pedro Igor: No, but we can update docs to include such info.
Avinash: That would be nice! I would also like to help as i move along and understand what's really happening. This is apparently more complicated a topic than initially thought it to be.
Pedro Igor: I would appreciate your help, fell free to send changes to docs (gitbook is quite nice and easy to get started).
The PhotoZ example is intended for those trying to protect APIs. The main thing it tries to demonstrate is:
* How resource servers can create resources remotely using the Protection API
* How users resources (album instances, such as "Avinash Family Album") can inherit permissions assigned to a "Typed Resource".
* How to use the keycloak-authz.js to interact with a Keycloak server and resource servers in order to obtain tokens with the necessary permissions and use them to actually get access to protected resources
* How to use the Authorization Client Java API
* How a RPT (requesting party token, the guy holding the permissions) looks like
* How incremental authorization works. In other words, when asking permissions for a set of one or more resources if you already have a valid RPT, the next RPT is going to have all permissions previously granted + the new ones.
Probably good topics to write some additional docs :)
I am having a hard time understanding how to setup keycloak
authorization and also missing documentation/explanation on how to do
things. If there's a resource that someone could refer to, that would be
great.
Pedro Igor: What about the documentation [2] ? I think it is going to be useful to understand some key concepts. Fell free to open issues to our doc if you find something is not clear
[2] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html [https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html]
[1]
https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11 [https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11]
Regards,
Avinash
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org [mailto:keycloak-user at lists.jboss.org]
https://lists.jboss.org/mailman/listinfo/keycloak-user [https://lists.jboss.org/mailman/listinfo/keycloak-user]
More information about the keycloak-user
mailing list