[keycloak-user] Listing the UMA resources accessible by a user
roxspring at imapmail.org
roxspring at imapmail.org
Thu Mar 7 08:17:00 EST 2019
Hi folks,
UMA seems to be a great solution to model fine grained permissions and allow
scenarios such as "Alice shares Folder X with Bob".
Keycloak seems to implement this well with APIs for the resource server to
ask "Given [User] and [Folder X], can the user do [Scope]?" and provide
answers for both Alice and Bob based on some policy.
Where I'm struggling is that our application also needs to provide answer
"Given [User], which folders can they do [Scope] to?" and I'm not clear how
best to achieve this with Keycloak.
A. Track which folders a user owns or can access and answer the
question directly in the resource server, but that results in the resource
server having a rigid model of the authorization rules and loses the
benefits of Keycloak's flexible policies (or duplicates the policy which
seems just as bad).
B. Have the resource server chose some subset of all folders and ask
Keycloak to validate each resource, but that becomes very chatty and slow
when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those
the user can access, but that's also potentially slow with 1000s of
resources to validate and 100s accessible.
a. As above but with additional filtering by resource type to trim the
options.
b. As above but with additional filtering by attributes (e.g. where
property:owner = "Alice")
c. As above but with a full blown query language (e.g. "WHERE
type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)
D. .?
I was expecting some variant of C to be the recommended way forward but I
can't find the relevant APIs (even without filtering). What's the best way
to model such a (presumably common) scenario?
Thanks,
Rob
More information about the keycloak-user
mailing list