[keycloak-user] authorization in a hierarchical context

Avinash Kundaliya avinash at avinash.com.np
Mon Jan 2 10:47:12 EST 2017


Hello,

I have a question more related to the architecture of an application and 
if/how keycloak would fit to it.

The context is I have a hierarchy of resources (there is a Farm 
resource, the farm has many groups, and a group has many animals). I 
want the farm user to have access to everything below it (i.e. groups and 
animals) and the group user to all the animals.

The easiest way to do this is by doing the authorization in the resource 
server (i.e. if the token contains a farm_owner resource, and if the 
resource is an animal owned by a group that the farm owns, then the 
owner gets access to it). But this somehow feels wrong, as I would like 
to model this authorization policy (if I may call it that) in the auth 
server/keycloak.

I have been looking at UMA recently as it somehow seems closest to what 
I want to achieve. But in UMA, I can only model the owner relation, not 
the hierarchy of it. Thus, I am not so clear on how to model such 
relations using that either. Probably it's not a good idea to model 
this in the auth server.

It would be great if there is some mechanism within keycloak to model 
such relations or authorization structures. As of now, we do plan to use 
keycloak for authentication and possibly, pass roles if any would make 
sense.

Thanks for the help in advance, and I hope I have been able to explain 
my issue clearly.

Regards,
Avinash
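The resource-server-side check the post describes (a farm owner reaches every group and animal under the farm, a group owner every animal in the group), as an added example that is not part of the original post or of Keycloak. The Farm/Group/Animal hierarchy, the owner table and the user ids are constructed; the token shape assumes the `realm_access.roles` claim of a decoded Keycloak access token.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set

@dataclass(frozen=True)
class Resource:
    rid: str
    rtype: str              # "farm", "group" or "animal"
    parent: Optional[str]   # id of the enclosing resource, None for a farm

# Constructed sample hierarchy: Farm -> Group -> Animal.
RESOURCES: Dict[str, Resource] = {
    "farm-1":  Resource("farm-1", "farm", None),
    "group-a": Resource("group-a", "group", "farm-1"),
    "group-b": Resource("group-b", "group", "farm-1"),
    "cow-7":   Resource("cow-7", "animal", "group-a"),
    "sheep-3": Resource("sheep-3", "animal", "group-b"),
}

# Constructed owner relation held by the resource server: resource id -> user ids.
# Only the farm and one group have explicit owners; animals inherit access.
OWNERS: Dict[str, Set[str]] = {
    "farm-1":  {"alice"},
    "group-a": {"bob"},
}

def ancestors_and_self(rid: str) -> Iterator[Resource]:
    """Walk from the resource up to the farm, yielding each level."""
    current: Optional[str] = rid
    while current is not None:
        res = RESOURCES[current]
        yield res
        current = res.parent

def can_access(token: Dict, rid: str) -> bool:
    """Grant if the token subject owns the resource or any enclosing resource
    AND the token carries the role for that level (farm_owner / group_owner).
    Unknown resources are denied instead of raising, so a bad id cannot
    bypass the check."""
    if rid not in RESOURCES:
        return False
    subject = token.get("sub")
    roles = set(token.get("realm_access", {}).get("roles", []))
    for res in ancestors_and_self(rid):
        if subject in OWNERS.get(res.rid, set()) and f"{res.rtype}_owner" in roles:
            return True
    return False
```

The role check keeps the decision tied to what Keycloak asserted about the user, while the ownership walk stays in the resource server where the hierarchy lives.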
