[keycloak-user] Scope Permissions with Resource Type

Pedro Igor Silva psilva at redhat.com
Mon Jun 17 02:52:43 EDT 2019


https://issues.jboss.org/browse/KEYCLOAK-10663

On Sat, Jun 15, 2019 at 6:07 AM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Thanks Pedro. I will check it out. Let us know here when you create that
> UI JIRA ticket.
>
> On Fri, Jun 14, 2019 at 6:44 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Yeah, I do. I've been thinking about this for a while and I think it
>> would make permission mgmt easier without too many choices on how to do
>> it. It should be a quite trivial change as both share the same model. More
>> a UI refactoring.
>>
>> Will create a JIRA for it.
>>
>> FYI, I've just pushed some changes for allowing people to configure a
>> global decision strategy so that you change how permissions are evaluated.
>> Please, take a look at
>> https://github.com/keycloak/keycloak-documentation/pull/680. Maybe it
>> can also help your use case.
>>
>> On Thu, Jun 13, 2019 at 3:56 PM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Thanks Pedro. I will try this out.
>>>
>>> BTW, do you think merging the resource-based and scope-based permissions
>>> would be in your roadmap for anytime soon?
>>>
>>> On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> There is a limitation here in how resource types are used. You could
>>>> achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource
>>>> instance", with the owner other than the resource server. But this does not
>>>> seem to be your case.
>>>>
>>>> There is one way to achieve this by using a JS Policy. Still not ideal,
>>>> but something like this:
>>>>
>>>> ====
>>>> var permission = $evaluation.getPermission();
>>>> var scopes = permission.getScopes();
>>>>
>>>> // iterate backwards so that removing a scope does not skip the next one
>>>> for (var i = scopes.length - 1; i >= 0; i--) {
>>>>     var scope = scopes.get(i);
>>>>
>>>>     if (scope.getName().equals("read")) {
>>>>         // placeholder: check here if the user is member of a group
>>>>         // (see the link below for how to do that)
>>>>         var userIsGroupMember = false;
>>>>
>>>>         if (userIsGroupMember) {
>>>>             permission.getScopes().remove(scope);
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> // grant or deny the permission
>>>> ====
>>>>
>>>> To check if a user is a member of a group, please take a look at
>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership
>>>> .
>>>>
>>>> On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Pedro,
>>>>>
>>>>> If I create a scope-based permission without specifying the resource,
>>>>> then that permission will apply to all the resources.
>>>>> For instance in the example I mentioned in my previous email:
>>>>>
>>>>> I want to create permissions to give only SCOPE_READ access (not
>>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>>
>>>>> If I grant a permission for SCOPE_READ without specifying the resource
>>>>> then basically I am granting SCOPE_READ to all the resources which is not
>>>>> what I want. I want to only give SCOPE_READ to a specific set of resources.
>>>>>
>>>>> I think as you mentioned merging resource-based and scope-based
>>>>> permissions is a good idea and would work better. But now that we do not
>>>>> have this feature is there any other way to accomplish this somehow using
>>>>> policies or something else?
>>>>>
>>>>> Cheers
>>>>>
>>>>> Farzad
>>>>>
>>>>> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> You can create a scope-based permission for a specific scope (without
>>>>>> setting a resource). Would that help?
>>>>>>
>>>>>> I think we could also think about merging resource-based permission
>>>>>> into scope-based permission so that we only have a single type of
>>>>>> permission.
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a client authorization set-up like the following:
>>>>>>>
>>>>>>> RESOURCE_1:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>> RESOURCE_2:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>> RESOURCE_3:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>>
>>>>>>> USER_1: USER_GROUP_A
>>>>>>> USER_2: USER_GROUP_A
>>>>>>>
>>>>>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>>>>>>
>>>>>>> I want to create permissions to give only SCOPE_READ access (not
>>>>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>>>>
>>>>>>> If I create a resource-based permission then it will grant access to
>>>>>>> both scopes.
>>>>>>> Unfortunately I cannot create a scope-based permission because scope
>>>>>>> permission does not support resource type. It only supports resource. If I
>>>>>>> want to use scope-based permission then I have to create a permission for
>>>>>>> every single resource in my resource type.
>>>>>>>
>>>>>>> I was wondering if there is a reason that scope-based permission does not
>>>>>>> support resource type?
>>>>>>>
>>>>>>> Also, does anyone have any idea how I can achieve my requirement given the
>>>>>>> limitations that we have? Is there a way to create a policy that grants
>>>>>>> access only to a certain scope?
>>>>>>>
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Farzad
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
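The JS-policy approach Pedro sketches above, worked through as an added example (not code from the thread or from Keycloak): a constructed stub stands in for Keycloak's `$evaluation`, and the policy strips every scope except SCOPE_READ from the permission for members of USER_GROUP_A before granting it, so one resource-type permission can hand out read without write. The names `makeEvaluation`, `scopeFilterPolicy` and `evaluate` are assumptions for this example; the group check is a plain array lookup, not the realm API the linked docs describe.

```javascript
// Added example, not code from the thread or from Keycloak: a stand-alone model
// of the "filter the scopes inside a JS policy" idea. Keycloak's real $evaluation
// is replaced by a constructed stub exposing the same method names.

// Constructed stand-in for $evaluation: one permission under evaluation
// (resource + requested scopes) and the groups of the requesting user.
function makeEvaluation(resourceName, scopeNames, userGroups) {
  const scopes = scopeNames.map((name) => ({ getName: () => name }));
  // live list: removing from it changes what the evaluation grants
  const permission = { getResource: () => resourceName, getScopes: () => scopes };
  let decision = 'NONE';
  return {
    getPermission: () => permission,
    getContext: () => ({ getIdentity: () => ({ groups: userGroups }) }),
    grant: () => { decision = 'GRANT'; },
    deny: () => { decision = 'DENY'; },
    getDecision: () => decision,
  };
}

// The policy: members of `group` keep only `allowedScopes` on the permission;
// every other requested scope (e.g. SCOPE_WRITE) is stripped before granting.
// Non-members are denied outright.
function scopeFilterPolicy($evaluation, group, allowedScopes) {
  const identity = $evaluation.getContext().getIdentity();
  if (!identity.groups.includes(group)) {
    $evaluation.deny();
    return;
  }
  const scopes = $evaluation.getPermission().getScopes();
  // Walk backwards so that removing an element never skips the next one.
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (!allowedScopes.includes(scopes[i].getName())) {
      scopes.splice(i, 1);
    }
  }
  $evaluation.grant();
}

// Evaluates one request with the thread's requirement (USER_GROUP_A gets only
// SCOPE_READ) and returns the decision plus the scopes that survive.
function evaluate(resourceName, requestedScopes, userGroups) {
  const ev = makeEvaluation(resourceName, requestedScopes, userGroups);
  scopeFilterPolicy(ev, 'USER_GROUP_A', ['SCOPE_READ']);
  return {
    decision: ev.getDecision(),
    scopes: ev.getPermission().getScopes().map((s) => s.getName()),
  };
}
```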

