[keycloak-user] Fwd: regarding custom attributes and mapping resources to users

Pedro Igor psilva at redhat.com
Mon Jan 2 08:17:59 EST 2017


Yes, you can use Admin Rest API [1]. 

[1] https://keycloak.gitbooks.io/server-developer-guide/content/topics/admin-rest-api.html
On 12/30/2016 2:04:03 PM, Avinash Kundaliya <avinash at avinash.com.np> wrote:
Just thinking about the following scenario:
Is it anyhow possible for a user to change his custom attributes without extending the Account Management Page theme? Maybe via the API?
I hope not, but want to confirm as I couldn't find where the custom attributes were defined in the Keycloak source.
Regards,
Avinash


On 12/22/16 17:18, Pedro Igor wrote:

Pedro Igor: Hello, answers inline.


On 12/22/2016 7:21:13 AM, Avinash Kundaliya <avinash at avinash.com.np> wrote:
Hi,
Since I got no response to my previous email and I can see some action
happening in the mailing list, I will try to forward my question and
explain it again.

* Can a user update their own custom attributes? I want to use custom
attributes to store data that would help in creating policies for
their permissions. From what I could understand from previous
discussions, it looks like users cannot, but it's not confirmed or
mentioned anywhere.
Pedro Igor: In general, only admins via Administrator Console. There is an Account Management Page intended for user self-service; you can probably extend themes and provide the attributes you want to update there.


See https://github.com/keycloak/keycloak/tree/master/examples/themes.


* Related to the question above, is there a defined structure/pattern
to define resource ownership in Keycloak, e.g. user-id *"xx"* is a
manager of resource-id *"yy"*, user-id *"aa"* is a viewer of
resource-id *"bb"* and so on and so forth.
Pedro Igor: Resources always have an owner. This is different than the role of a user for a particular resource. By default, resources belong to the resource server itself. But when creating new resources via Protection API you can set the owner to be a user.



From my question last time: What are the best practices to map
roles to specific resources? For example, if I have a role called
shop_owner, how do I map a user with that role to a specific shop
(for example)? Is this something that Keycloak has defined
structures for? How can I achieve such a structure with Keycloak
and with/without using the Keycloak authorization/resource services?
Pedro Igor: If the user is the owner of a shop, you probably want to create the resource setting the user as the owner. After that, you need to associate permissions to your resources.

For instance, you can use a JS Policy to grant access to the resource based on the owner of a resource. As well, associate other permissions based on other types of policies.


If you want an example about how to enforce permissions to a resource based on the owner, you can check the Photoz example application. There we demonstrate how to use Drools for that. But you can also use a JS policy.

Some help or push in the right direction would be helpful.

Regards,
Avinash


-------- Forwarded Message --------
Subject: regarding custom attributes and mapping resources to users
Date: Tue, 20 Dec 2016 16:14:03 +0545
From: Avinash Kundaliya
To: keycloak-user at lists.jboss.org



Hello Community,

I am fairly new to using Keycloak and still getting immersed in the
authentication and authorization jargon. I have some basic queries that
I am curious about.

* Regarding the custom attributes for each user
(https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html).
Is this something that a user can edit for themselves or is it
something for an administrator to manage custom content for the
user? Basically, as an administrator can I put information that
should be hidden from the user as a custom attribute?
* My second question is more about architecture of applications with
authentication and authorization. What are the best practices to map
roles to specific resources? For example, if I have a role called
shop_owner, how do I map a user with that role to a specific shop
(for example)? Is this something that Keycloak has defined
structures for? How can I achieve such a structure with Keycloak
and with/without using the Keycloak authorization/resource services?

Looking forward to some constructive discussions and some answers to the
basic issues I have.

Regards,
Avinash
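
The owner-based JS policy suggested in the reply above, sketched as an added example; it is not code from this thread or from the Keycloak project. The policy body uses the `$evaluation` object that Keycloak hands to JS policies, while `makeEvaluation`, `makeResource`, `isGranted` and the sample ids are hypothetical stand-ins so the check can be run outside the server.

```javascript
// Policy body: grant only when the requesting identity is the resource owner.
// Inside Keycloak only the statements of this function would form the policy.
function ownerPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();
  // No resource or no owner recorded: leave the decision as "not granted".
  if (!resource || !resource.getOwner()) {
    return;
  }
  if (resource.getOwner() === identity.getId()) {
    $evaluation.grant();
  }
}

// Hypothetical stand-in for the server-provided evaluation object.
function makeEvaluation(userId, resource) {
  var state = { granted: false }; // nothing is granted until grant() is called
  return {
    state: state,
    getContext: function () {
      return { getIdentity: function () {
        return { getId: function () { return userId; } };
      } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { state.granted = true; },
    deny: function () { state.granted = false; }
  };
}

// Hypothetical resource with the two accessors the policy relies on.
function makeResource(name, owner) {
  return {
    getName: function () { return name; },
    getOwner: function () { return owner; }
  };
}

// Runs the policy once and reports the outcome.
function isGranted(userId, resource) {
  var evaluation = makeEvaluation(userId, resource);
  ownerPolicy(evaluation);
  return evaluation.state.granted;
}

// Constructed sample data: one shop owned by a user, one resource left
// with the resource server as owner (the default described in the reply).
var shop = makeResource("shop-yy", "user-xx");
var catalog = makeResource("catalog", "resource-server-id");
console.log(isGranted("user-xx", shop), isGranted("user-aa", shop));
```

A resource created without an explicit user owner stays with the resource server, so this policy grants it to no user; access for non-owners such as viewers has to come from separate permissions.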
