[keycloak-user] Scope Permissions with Resource Type

Pedro Igor Silva psilva at redhat.com
Mon Jun 10 17:17:39 EDT 2019


There is a limitation here in how resource types are used. You could
achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource
instances" with an owner other than the resource server. But this does not
seem to be your case.

There is one way to achieve this by using a JS Policy. Still not ideal, but
something like this:

====
var permission = $evaluation.getPermission();
var scopes = permission.getScopes();
var realm = $evaluation.getRealm();
var identity = $evaluation.getContext().getIdentity();

// group path is an assumption: use the full path of the group in your realm
var isMember = realm.isUserInGroup(identity.getId(), "/USER_GROUP_A");

// collect first, then remove: removing from the list while walking it by
// index would skip the element that slides into the removed slot.
// Members of the group keep "read" only, so it is "write" that is stripped.
var toRemove = [];
for (var i = 0; i < scopes.size(); i++) {
    var scope = scopes.get(i);
    if (isMember && scope.getName().equals("write")) {
        toRemove.push(scope);
    }
}
for (var j = 0; j < toRemove.length; j++) {
    scopes.remove(toRemove[j]);
}

// grant to group members (with the remaining scopes), deny everyone else
if (isMember) {
    $evaluation.grant();
} else {
    $evaluation.deny();
}
====

To check if a user is a member of a group, please take a look at
https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership.

On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Hi Pedro,
>
> If I create a scope-based permission without specifying the resource, then
> that permission will apply to all the resources.
> For instance in the example I mentioned in my previous email:
>
> I want to create permissions to give only SCOPE_READ access (not
> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>
> If I grant a permission for SCOPE_READ without specifying the resource
> then basically I am granting SCOPE_READ to all the resources which is not
> what I want. I want to only give SCOPE_READ to a specific set of resources.
>
> I think as you mentioned merging resource-based and scope-based
> permissions is a good idea and would work better. But now that we do not
> have this feature is there any other way to accomplish this somehow using
> policies or something else?
>
> Cheers
>
> Farzad
>
> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> You can create a scope-based permission for a specific scope (without
>> setting a resource). Would that help?
>>
>> I think we could also think about merging resource-based permission into
>> scope-based permission so that we only have a single type of permission.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I have a client authorization set-up like the following:
>>>
>>> RESOURCE_1:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>> RESOURCE_2:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>> RESOURCE_3:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>
>>> USER_1: USER_GROUP_A
>>> USER_2: USER_GROUP_A
>>>
>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>>
>>> I want to create permissions to give only SCOPE_READ access (not
>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>
>>> If I create a resource-based permission then it will grant access to
>>> both scopes.
>>> Unfortunately I cannot create a scope-based permission because scope
>>> permission does not support resource type. It only supports resource. If
>>> I want to use scope-based permission then I have to create permission for
>>> every single resource in my resource type.
>>>
>>> I was wondering if there is a reason that scope-based permission does not
>>> support resource type?
>>>
>>> Also, does anyone have any idea how I can achieve my requirement given the
>>> limitations that we have? Is there a way to create a policy that grants
>>> access only to a certain scope?
>>>
>>>
>>> Cheers
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
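As an added example (not code from the thread and not Keycloak's own code), the following Node.js harness models the parts of the JS-policy $evaluation object that a scope-stripping policy touches, so the decision logic of the approach Pedro describes can be exercised offline before it is pasted into a real policy. The method names (getPermission, getScopes, getRealm, isUserInGroup, getContext, getIdentity, grant, deny) follow Pedro's snippet and the linked docs; the group path "/USER_GROUP_A", the user ids, the extra "delete" scope and the mock's internals are assumptions. Whether the server honours scopes removed from getScopes() is taken from the snippet, not verified by the harness.

```javascript
// Added example: offline harness for a Keycloak-style JS policy that grants
// group members only the "read" scope. Not from the thread or from Keycloak.
// Assumed: group path "/USER_GROUP_A", user ids USER_1 / USER_3, scope names.

// Policy body, written so the same text runs both under Keycloak's script
// engine (where getScopes() is a java.util.List and getName() a Java String)
// and against the mock below.
function readOnlyForGroupPolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var scopes = permission.getScopes();
  var realm = $evaluation.getRealm();
  var identity = $evaluation.getContext().getIdentity();
  var member = realm.isUserInGroup(identity.getId(), "/USER_GROUP_A");

  if (!member) {
    $evaluation.deny();
    return;
  }

  // Collect first, then remove: removing from the list while walking it by
  // index would skip the element that slides into the removed slot.
  var toRemove = [];
  for (var i = 0; i < scopes.size(); i++) {
    var scope = scopes.get(i);
    if (String(scope.getName()) !== "read") {
      toRemove.push(scope);
    }
  }
  for (var j = 0; j < toRemove.length; j++) {
    scopes.remove(toRemove[j]);
  }
  $evaluation.grant();
}

// Minimal java.util.List look-alike (size / get / remove by identity).
function javaList(items) {
  var data = items.slice();
  return {
    size: function () { return data.length; },
    get: function (i) { return data[i]; },
    remove: function (o) {
      var idx = data.indexOf(o);
      if (idx >= 0) data.splice(idx, 1);
      return idx >= 0;
    },
    toArray: function () { return data.slice(); }
  };
}

// Mock $evaluation for one user (with the given group paths) requesting the
// given scopes on a resource of type RESOURCE_TYPE_ALPHA.
function mockEvaluation(userId, groupPaths, requestedScopes) {
  var scopes = javaList(requestedScopes.map(function (n) {
    return { getName: function () { return n; } };
  }));
  var decision = "undecided";
  return {
    getPermission: function () { return { getScopes: function () { return scopes; } }; },
    getRealm: function () {
      return {
        isUserInGroup: function (id, path) {
          return id === userId && groupPaths.indexOf(path) >= 0;
        }
      };
    },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    grant: function () { decision = "granted"; },
    deny: function () { decision = "denied"; },
    result: function () {
      return {
        decision: decision,
        scopes: scopes.toArray().map(function (s) { return s.getName(); })
      };
    }
  };
}

// Runs the policy for one user and returns the decision and surviving scopes.
function evaluate(userId, groupPaths, requestedScopes) {
  var ev = mockEvaluation(userId, groupPaths, requestedScopes);
  readOnlyForGroupPolicy(ev);
  return ev.result();
}

// USER_1 (in USER_GROUP_A): granted with "write" stripped.
// USER_3 (not in the group): denied.
// Adjacent non-read scopes are both removed thanks to collect-then-remove.
console.log(evaluate("USER_1", ["/USER_GROUP_A"], ["read", "write"]));
console.log(evaluate("USER_3", [], ["read", "write"]));
console.log(evaluate("USER_1", ["/USER_GROUP_A"], ["write", "delete", "read"]));
```

The third case is the one worth keeping in a regression test: with the original index-based loop that removes in place, "delete" would slide into the slot just visited and survive.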

