[keycloak-user] Scope Permissions with Resource Type

Farzad Panahi farzad.panahi at gmail.com
Thu Jun 13 14:56:15 EDT 2019


Thanks Pedro. I will try this out.

BTW, do you think merging the resource-based and scope-based permissions
will be on your roadmap any time soon?

On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> There is a limitation here in how resource types are used. You could
> achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource
> instances", with an owner other than the resource server. But this does not
> seem to be your case.
>
> There is one way to achieve this by using a JS Policy. Still not ideal,
> but something like this:
>
> ====
> var permission = $evaluation.getPermission();
> var scopes = permission.getScopes();
>
> for (var i = 0; i < scopes.length; i++) {
>     var scope = scopes.get(i);
>
>     if (scope.getName().equals("read")) {
>         // check here if the user is a member of the group
>         if (isMemberOfGroup) {
>             permission.getScopes().remove(scope);
>         }
>     }
> }
>
> // grant or deny the permission
> ====
>
> To check if a user is a member of a group, please take a look at
> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership
> .
>
> On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi Pedro,
>>
>> If I create a scope-based permission without specifying the resource,
>> then that permission will apply to all the resources.
>> For instance in the example I mentioned in my previous email:
>>
>> I want to create permissions to give only SCOPE_READ access (not
>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>
>> If I grant a permission for SCOPE_READ without specifying the resource
>> then basically I am granting SCOPE_READ to all the resources which is not
>> what I want. I want to only give SCOPE_READ to a specific set of resources.
>>
>> I think as you mentioned, merging resource-based and scope-based
>> permissions is a good idea and would work better. But now that we do not
>> have this feature, is there any other way to accomplish this somehow using
>> policies or something else?
>>
>> Cheers
>>
>> Farzad
>>
>> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> You can create a scope-based permission for a specific scope (without
>>> setting a resource). Would that help?
>>>
>>> I think we could also think about merging resource-based permission into
>>> scope-based permission so that we only have a single type of permission.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a client authorization set-up like the following:
>>>>
>>>> RESOURCE_1:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>> RESOURCE_2:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>> RESOURCE_3:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>
>>>> USER_1: USER_GROUP_A
>>>> USER_2: USER_GROUP_A
>>>>
>>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>>>
>>>> I want to create permissions to give only SCOPE_READ access (not
>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>
>>>> If I create a resource-based permission then it will grant access to
>>>> both scopes.
>>>> Unfortunately I cannot create a scope-based permission because scope
>>>> permission does not support resource type. It only supports resource.
>>>> If I want to use scope-based permission then I have to create a
>>>> permission for every single resource in my resource type.
>>>>
>>>> I was wondering if there is a reason that scope-based permission does
>>>> not support resource type?
>>>>
>>>> Also, does anyone have any idea how I can achieve my requirement given
>>>> the limitations that we have? Is there a way to create a policy that
>>>> grants access only to a certain scope?
>>>>
>>>>
>>>> Cheers
>>>>
>>>> Farzad
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
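An added worked example of the JS-policy approach Pedro sketches above (this is not code from the thread or from the Keycloak project). The policy body narrows a resource-based permission on RESOURCE_TYPE_ALPHA so that members of USER_GROUP_A end up with SCOPE_READ only: it removes every scope except SCOPE_READ from the permission before granting, and denies users outside the group. The Keycloak API names used (`$evaluation.getPermission().getScopes()`, `getContext().getIdentity().getId()`, `getRealm().isUserInGroup(id, groupPath)`, `grant()`, `deny()`) follow the Keycloak authorization-services docs; the group path `/USER_GROUP_A`, the scope names, the user IDs, and the assumption that `getScopes()` returns a mutable `java.util.Collection` are assumptions taken from the thread. The `$evaluation` stand-in at the bottom is constructed here so the logic can be exercised offline in Node; in Keycloak only the policy function and the final guarded call are needed.

```javascript
// Added example, not Keycloak project code. Keycloak API names per the
// authorization-services docs; group path and scope names are assumptions.

var ALLOWED_SCOPES = ["SCOPE_READ"];   // assumption: scope names from the thread
var GROUP_PATH = "/USER_GROUP_A";      // assumption: USER_GROUP_A is a top-level group

// Policy body. In Keycloak, $evaluation is a global; it is passed in here so
// the same function can be run against the constructed stand-in below.
function evaluate(evaluation) {
  var permission = evaluation.getPermission();
  var scopes = permission.getScopes();           // java.util.Collection<Scope>
  var identity = evaluation.getContext().getIdentity();
  var realm = evaluation.getRealm();

  if (!realm.isUserInGroup(identity.getId(), GROUP_PATH)) {
    evaluation.deny();                           // not in the group: no access
    return;
  }

  // Remove via the iterator: removing from the collection while indexing
  // into it would skip the element that slides into the freed slot.
  var it = scopes.iterator();
  while (it.hasNext()) {
    var scope = it.next();
    // String() makes the comparison work for Java strings (Nashorn) and JS strings.
    if (ALLOWED_SCOPES.indexOf(String(scope.getName())) === -1) {
      it.remove();
    }
  }

  // Nothing allowed was requested (e.g. the client asked only for SCOPE_WRITE).
  if (scopes.size() === 0) {
    evaluation.deny();
    return;
  }
  evaluation.grant();                            // grants only the remaining scopes
}

// In Keycloak the script runs with $evaluation defined; under Node it is not.
if (typeof $evaluation !== "undefined") {
  evaluate($evaluation);
}

// ---- Constructed stand-in for the Keycloak objects (offline testing only) ----
function makeScope(name) {
  return { getName: function () { return name; } };
}

// Minimal java.util.Collection-like wrapper exposing only what the policy uses.
function makeScopeCollection(names) {
  var items = names.map(makeScope);
  return {
    size: function () { return items.length; },
    iterator: function () {
      var idx = -1;
      return {
        hasNext: function () { return idx + 1 < items.length; },
        next: function () { idx += 1; return items[idx]; },
        remove: function () { items.splice(idx, 1); idx -= 1; }
      };
    },
    names: function () { return items.map(function (s) { return s.getName(); }); } // test helper
  };
}

// members: { userId: [groupPath, ...] } is a constructed in-memory "realm".
function makeEvaluation(userId, requestedScopes, members) {
  var scopes = makeScopeCollection(requestedScopes);
  var decision = null;
  return {
    getPermission: function () { return { getScopes: function () { return scopes; } }; },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    getRealm: function () {
      return {
        isUserInGroup: function (id, path) { return (members[id] || []).indexOf(path) !== -1; }
      };
    },
    grant: function () { decision = "grant"; },
    deny: function () { decision = "deny"; },
    result: function () { return { decision: decision, scopes: scopes.names() }; } // test helper
  };
}

// Runs the policy for one user against the constructed realm and reports the outcome.
function runPolicy(userId, requestedScopes) {
  var members = { USER_1: ["/USER_GROUP_A"], USER_2: ["/USER_GROUP_A"], USER_3: [] }; // constructed
  var evaluation = makeEvaluation(userId, requestedScopes, members);
  evaluate(evaluation);
  return evaluation.result();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runPolicy("USER_1", ["SCOPE_READ", "SCOPE_WRITE"]));
  console.log(runPolicy("USER_3", ["SCOPE_READ", "SCOPE_WRITE"]));
}
```

Attach the policy to the resource-based permission that targets RESOURCE_TYPE_ALPHA; the permission still applies to every resource of that type, but the scopes it grants are whatever remains in the collection when `grant()` is called, so a request for SCOPE_READ and SCOPE_WRITE by USER_1 comes back with SCOPE_READ only, and a request for SCOPE_WRITE alone is denied.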

