[keycloak-user] Fwd: regarding custom attributes and mapping resources to users

Avinash Kundaliya avinash at avinash.com.np
Fri Dec 30 11:03:53 EST 2016


Just thinking about the following scenario:
Is it anyhow possible for a user to change his custom attributes without 
extending the Account Management Page theme? Maybe via the API?
I hope not, but want to confirm as I couldn't find where the custom 
attributes were defined in the Keycloak source.

Regards,
Avinash


On 12/22/16 17:18, Pedro Igor wrote:
> *Pedro Igor:* Hello, answers inline.
>
>> On 12/22/2016 7:21:13 AM, Avinash Kundaliya <avinash at avinash.com.np> 
>> wrote:
>>
>> Hi,
>> Since I got no response to my previous email and I can see some action
>> happening in the mailing list, I will try to forward my question and
>> explain it again.
>>
>> * Can a user update their own custom attributes? I want to use custom
>> attributes to store data that would help in creating policies for
>> their permissions. From what I could understand from previous
>> discussions, it looks like users cannot, but it's not confirmed or
>> mentioned anywhere.
> *Pedro Igor:* In general, only admins via Administrator Console. There 
> is an Account Management Page intended for user self-service, you can 
> probably extend themes and provide the attributes you want to update 
> there.
>
> See https://github.com/keycloak/keycloak/tree/master/examples/themes.
>>
>>
>> * Related to the question above, is there a defined structure/pattern
>> to define resource ownership in Keycloak, e.g. user-id *"xx"* is a
>> manager of resource-id *"yy"*, user-id "*aa*" is a viewer of
>> resource-id "*bb*" and so on and so forth.
> *Pedro Igor:* Resources always have an owner. This is different than 
> the role of a user for a particular resource. By default, resources 
> belong to the resource server itself. But when creating new resources 
> via Protection API you can set the owner to be a user.
>>
>>
>> From my question last time, what are the best practices to map
>> roles to specific resources? For example if I have a role called as
>> shop_owner how do I map a user with that role to a specific shop
>> (for example). Is this something that Keycloak has defined
>> structures for? How can I achieve such a structure with Keycloak
>> and with/without using the Keycloak authorization/resource services.
> *Pedro Igor:* If the user is the owner of a shop, you probably want to 
> create the resource setting the user as the owner. After that, you 
> need to associate permissions to your resources.
>
> For instance, you can use a JS Policy to grant access to the resource 
> based on the owner of a resource. As well, associate other permissions 
> based on other types of policies.
>
> If you want an example about how to enforce permissions to a resource 
> based on the owner, you can check the Photoz example application. 
> There we demonstrate how to use Drools for that. But you can also use 
> a JS policy.
>>
>> Some help or push in the right direction would be helpful.
>>
>> Regards,
>> Avinash
>>
>>
>> -------- Forwarded Message --------
>> Subject: regarding custom attributes and mapping resources to users
>> Date: Tue, 20 Dec 2016 16:14:03 +0545
>> From: Avinash Kundaliya
>> To: keycloak-user at lists.jboss.org
>>
>>
>>
>> Hello Community,
>>
>> I am fairly new to using Keycloak and still getting immersed into the
>> authentication and authorization jargons. I have some basic queries that
>> I am curious about.
>>
>> * Regarding the custom attributes for each user
>> (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html). 
>>
>> Is this something that a user can edit for themselves or is
>> something for an administrator to manage custom content for the
>> user? Basically, as an administrator can I put information that
>> should be hidden from the user as a custom attribute?
>> * My second question is more about architecture of applications with
>> authentication and authorization. What are the best practices to map
>> roles to specific resources? For example if I have a role called as
>> shop_owner how do I map a user with that role to a specific shop
>> (for example). Is this something that Keycloak has defined
>> structures for? How can I achieve such a structure with Keycloak
>> and with/without using the Keycloak authorization/resource services.
>>
>> Looking forward to some constructive discussions and some answers to the
>> basic issues I have.
>>
>> Regards,
>> Avinash
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
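
An owner-based JS policy of the kind Pedro describes in the quoted reply, as an added example that is not part of the original thread or of Keycloak's own examples. The `$evaluation` calls follow Keycloak's JS policy evaluation API; `ownerOnlyPolicy`, `mockEvaluation`, `decide` and all ids are constructed here so the logic can run outside Keycloak.

```javascript
// Owner-based policy logic. In Keycloak's JS policy editor only the statements
// inside this function would be entered; the server supplies $evaluation.
function ownerOnlyPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();
  // Assumption: a permission evaluated without a resource carries none here.
  // Grant nothing in that case instead of dereferencing a missing object.
  if (resource === null || resource === undefined) return;
  var owner = resource.getOwner();
  // Grant only on an exact match between the resource owner and the caller.
  // A resource left with its default owner (the resource server) never
  // matches a user id, so it stays closed to ordinary users.
  if (owner && String(owner) === String(identity.getId())) {
    $evaluation.grant();
  }
}

// Constructed stand-in for the server-side evaluation object.
// It starts as "not granted" and records whether grant() was called.
function mockEvaluation(userId, resourceOwner) {
  var state = { granted: false };
  var identity = { getId: function () { return userId; } };
  var resource = resourceOwner === null
    ? null
    : { getOwner: function () { return resourceOwner; } };
  return {
    state: state,
    getContext: function () {
      return { getIdentity: function () { return identity; } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { state.granted = true; },
    deny: function () { state.granted = false; }
  };
}

// Runs the policy for one caller/owner pair and returns the decision.
function decide(userId, resourceOwner) {
  var ev = mockEvaluation(userId, resourceOwner);
  ownerOnlyPolicy(ev);
  return ev.state.granted;
}

// Constructed ids: two users and a resource server acting as default owner.
console.log("owner:", decide("user-xx", "user-xx"));
console.log("other user:", decide("user-aa", "user-xx"));
console.log("server-owned:", decide("user-xx", "shop-service"));
console.log("no resource:", decide("user-xx", null));
```

The decision depends only on the owner recorded on the resource and the caller's id, so it does not rely on any user attribute.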


