[keycloak-user] Share resource by checking if some other user is in a certain group

Pedro Igor Silva psilva at redhat.com
Wed Feb 14 06:53:17 EST 2018


On Tue, Feb 13, 2018 at 4:50 PM, Or Harary <harary.or at gmail.com> wrote:

>  Hello,
>
> After some time of using keycloak which works great for most of my demands,
> I wanted to know if it's possible to create a permission with a policy that
> will tell me if some user (not the one which is logged in) is within a
> certain group.
>
> For example:
>
> User 1 has a digital wallet.
> This digital wallet has a resource:
> name: /wallet/{wallet-id}
> uri: /{user-1-id}/wallet/{wallet-id}
> scopes: charge/read/...
>
> User 2 has a company which is represented as a group.
>
> User 2 wants to charge user 1's digital wallet, but I want him to only be able
> to do so when user 1 is inside user 2's company group.
>
> How can I check this with a policy?
> Or somehow share user 1 resource with user 2 by a policy?
>

We are introducing some changes to authorization services in order to
update implementation to UMA 2.0.

One of the main features we are delivering is the user-managed access part
we were missing in current implementation, where users are allowed to share
their resources.

We are also providing some RESTful endpoints which your applications
(resource servers) can use to manage permission requests.

Right now, I think you can try a JS policy that checks for the group and
the user allowed to access a resource. Let me know if you are able to do
so, if not we have space to improve what we expose via the Evaluation API
(the objects exposed to policies with the permission being requested +
context).

Regards.
Pedro Igor
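The JS policy suggested above, written out as an added example (not code from the thread or from the Keycloak project): the policy body grants the `charge` request only when the wallet's owner (user 1) belongs to a group the requesting identity (user 2) is in. Keycloak runs policy scripts on Nashorn with a global `$evaluation`; so that the logic can be run here under Node, the block also constructs a stand-in for that object. The requester's groups are read from a `groups` token claim (assumes a group-membership protocol mapper on the client), and the owner's groups via `getRealm().getUserGroups(id)`, which is an assumption about the realm helper available to policies in your Keycloak version; confirm it exists before relying on it, and note that the check compares the two group lists as plain strings, so both sides must use the same representation (group path here, a constructed choice).

```javascript
// Added example: Keycloak-style JavaScript policy for the wallet scenario.
// Written in ES5 so the policy function body can be used as-is on Nashorn.

// Normalise the collection types a policy sees (Keycloak Attributes.Entry with
// size()/asString(i), a Java List with size()/get(i)) or a plain JS array.
function toArray(value) {
  var out = [];
  if (!value) { return out; }
  if (typeof value.size === 'function') {
    var n = value.size();
    for (var i = 0; i < n; i++) {
      out.push(typeof value.asString === 'function' ? value.asString(i) : value.get(i));
    }
    return out;
  }
  return Array.prototype.slice.call(value);
}

// Policy logic. In a real Keycloak JS policy, `evaluation` is the global
// $evaluation. Returns true when access is granted.
function evaluateWalletCharge(evaluation) {
  var resource = evaluation.getPermission().getResource();
  var identity = evaluation.getContext().getIdentity();

  // The wallet resource is owned by user 1 (the resource's owner field).
  var ownerId = resource.getOwner();

  // Requester's (user 2) groups from the token claim; missing claim => no groups.
  var requesterGroups = toArray(identity.getAttributes().getValue('groups'));

  // Owner's groups via a realm lookup. getUserGroups(id) is an ASSUMED helper.
  var ownerGroups = toArray(evaluation.getRealm().getUserGroups(ownerId));

  var shared = requesterGroups.some(function (g) {
    return ownerGroups.indexOf(g) !== -1;
  });

  if (shared) {
    evaluation.grant();
  } else {
    evaluation.deny();   // default-deny: no shared group, no charge
  }
  return shared;
}

// Constructed stand-in for $evaluation so the policy runs offline (test only;
// not Keycloak's real object). `groupsByUser` maps user id -> group paths.
function makeEvaluation(ownerId, requesterGroups, groupsByUser) {
  var decision = null;
  function entry(values) {
    return { size: function () { return values.length; },
             asString: function (i) { return values[i]; } };
  }
  return {
    getPermission: function () {
      return { getResource: function () {
        return { getOwner: function () { return ownerId; } };
      } };
    },
    getContext: function () {
      return { getIdentity: function () {
        return { getAttributes: function () {
          return { getValue: function (name) {
            return (name === 'groups' && requesterGroups) ? entry(requesterGroups) : null;
          } };
        } };
      } };
    },
    getRealm: function () {
      return { getUserGroups: function (id) { return groupsByUser[id] || []; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}

// Sample run with constructed data: user 1 is in /acme, user 2's token carries /acme.
var sample = makeEvaluation('user-1', ['/acme'], { 'user-1': ['/acme', '/shared'] });
console.log('granted:', evaluateWalletCharge(sample), 'decision:', sample.decision());
```

To use it in Keycloak, paste only the `toArray` helper and the body of `evaluateWalletCharge` (with `$evaluation` in place of `evaluation`) into the JS policy and attach the policy to the `charge` scope permission of the wallet resource.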


>
> Thanks!

