[keycloak-user] Advanced authorization

Pedro Igor Silva psilva at redhat.com
Thu Oct 25 15:12:17 EDT 2018


You can check both the Evaluation API[1] and JS Policy[2] documentation.
I'll update docs with some examples of fetching resources/scopes and
attributes from JS policies, meanwhile here it is:

var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();

For more information about methods that you can use to fetch attributes, check
https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c683c134c2/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java#L157

Regards.
Pedro Igor

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_api
[2]
https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
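As an added illustration (not Pedro's code nor Keycloak's own), here is a JS policy for the album:approve scope-permission discussed in this thread, using the $evaluation calls above plus resource.getOwner() and $evaluation.getContext().getIdentity().getId() from the same Keycloak JS policy API. The $evaluation object is a constructed mock with a Java-style Map/List surface so the logic can be run outside Keycloak; the owner, caller and "status" values are made-up sample data.

```javascript
// Policy body as it would be pasted into the Keycloak JS policy editor for the
// album:approve scope-permission. Inside Keycloak it runs at top level with
// $evaluation bound; here it is wrapped in a function so the mock can drive it.
function approvePolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var identity = $evaluation.getContext().getIdentity();
  var attributes = resource.getAttributes(); // Map<String, List<String>> in Keycloak
  var status = attributes.get('status');
  // Only albums still in the CREATED state can be approved.
  if (status == null || status.get(0) != 'CREATED') {
    $evaluation.deny();
    return;
  }
  // The creator (resource owner) must never approve their own album.
  if (identity.getId() == resource.getOwner()) {
    $evaluation.deny();
    return;
  }
  $evaluation.grant();
}

// Constructed mock of $evaluation (an assumption, not Keycloak code) exposing the
// Java-style Map/List methods the policy body calls.
function mockEvaluation(ownerId, callerId, status) {
  var statusList = { get: function (i) { return i === 0 ? status : null; } };
  var attrMap = {
    get: function (key) { return key === 'status' && status != null ? statusList : null; }
  };
  var resource = {
    getOwner: function () { return ownerId; },
    getAttributes: function () { return attrMap; }
  };
  var ev = {
    outcome: 'DENY', // mock default; the policy above always calls grant() or deny()
    getPermission: function () { return { getResource: function () { return resource; } }; },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return callerId; } }; } };
    },
    grant: function () { ev.outcome = 'GRANT'; },
    deny: function () { ev.outcome = 'DENY'; }
  };
  return ev;
}

// Runs the policy for one request and returns 'GRANT' or 'DENY'.
function decide(ownerId, callerId, status) {
  var ev = mockEvaluation(ownerId, callerId, status);
  approvePolicy(ev);
  return ev.outcome;
}
```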

On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer <melissa.palmer at gmail.com>
wrote:

>
> Hi Pedro,
>
> How do I get at the resource (and its attributes) via the JS policy?
> I have tried .. but not working.
> var resource = context.getResource();
> var resource = $evaluation.getResource();
>
> Thanks
> Melissa
>
>
>
> On Wed, 24 Oct 2018 at 15:56, Melissa Palmer <melissa.palmer at gmail.com>
> wrote:
>
>> Ok thank you, yes I have seen the REST API. I
>> hadn’t really thought I needed to use the API for this. What are you thinking?
>>
>> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>> Yeah, I think so. I need to document this ... But we also expose
>> endpoints in Admin REST API which you could use to manage these
>> permissions/policies from your app.
>>
>> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <melissa.palmer at gmail.com>
>> wrote:
>>
>>> Thanks Pedro, I will take a closer look.
>>> Yes I’ll put the work flow in the app. But we do want to manage the
>>> permissions in KEy,
>>>
>>> I tried to align with the QuickStart to explain. But it’s not
>>> necessarily on a resource that I own that I want to do this. For example it
>>> could be against adding products in an ecommerce app, or transactions for
>>> a company.
>>>
>>> It sounds like I should rather use the non-UMA
>>> example to try this against. Would that be better?
>>>
>>> Thanks
>>> Melissa
>>>
>>>
>>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>
>>> Hi Melissa,
>>>
>>> I don't think this is very different than what we have in the quickstart
>>> you mentioned.
>>>
>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <melissa.palmer at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to do something similar to the following:
>>>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>>>> includes a status attribute against it.
>>>> - status such as: CREATED, APPROVED, DECLINED,
>>>>
>>>
>>> You probably noticed that resources in Keycloak have attributes, so you
>>> could set a "status" accordingly. You should be able to write JS policies
>>> that can access any attribute associated with a resource.
>>>
>>>
>>>> - a person can then be given a role that allows for permissions (via a
>>>> role) such as
>>>>
>>>>    - album:create
>>>>    - album:approve
>>>>    - album:decline
>>>>
>>>
>>> If you have different authorization requirements for each scope, you can
>>> create a scope-based permission for each scope. Otherwise, a single
>>> scope-permission can manage access for all of them.
>>>
>>>
>>>>
>>>> - BUT a person is not allowed to approve any albums they created
>>>> themselves
>>>>
>>>
>>> I would create a scope-permission specific for album:approve and
>>> associate it with a JS policy that denies access to the resource owner
>>> (considering the owner is the person that created the resource).
>>>
>>>
>>>>
>>>> Is there a keycloak-quickstarts/example I can start from?
>>>> Or a recommended way I should attempt to tackle this?
>>>>
>>>
>>> It is worth highlighting that when using UMA and, especially, the "My
>>> Resources" page in the Account Service, resource owners are always allowed
>>> to manage their resources. It seems you are more interested in a workflow
>>> that does not really fit this functionality in particular. I think you
>>> would need to manage this workflow from your app based on the permissions
>>> you have in Keycloak.
>>>
>>>
>>>>
>>>> Thank You in advance,
>>>> Melissa
>>>>
>>>

