[keycloak-user] Resource server implementation best practices?

Stian Thorgersen sthorger at redhat.com
Fri Dec 2 01:24:11 EST 2016


The simplest approach would be to use roles, not scopes, as Keycloak supports roles well,
but has less support for scopes. On the endpoint side it depends on what you
are implementing it in. If it's JEE it's probably easiest to do one
endpoint per role. In general it's probably easier to have that pattern in
any case. The devil is in the details though and I imagine any approach has
pros/cons and you'll need to decide what works best for your case.

On 28 November 2016 at 13:12, Guus der Kinderen <guus.der.kinderen at gmail.com
> wrote:

> Hello,
>
> When implementing one or more services that, based on an access token,
> expose data related to the user that's identified in the access token, is
> there a "best practice" in regards to handling the available scopes?
>
> I'm debating between having one resource server that exposes all data to
> which the token grants access, versus having a resource server "per
> claim", that either returns data, or an error code, based on the presence
> of a particular scope within the access token.
>
> Is there a common approach / best practice that covers this?
>
> Regards,
>
>   Guus
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
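The two designs discussed in this thread, shown side by side as an added JAX-RS example (this is illustrative code, not code from the thread or from the Keycloak project). It assumes the Keycloak Java EE adapter is protecting the deployment, that two hypothetical realm roles `profile-reader` and `orders-reader` exist in Keycloak, that the adapter's `keycloak.json` leaves `use-resource-role-mappings` at `false` so realm roles map onto JEE roles, and that the sample user data is constructed in-memory rather than read from a real store.

```java
// Added example, not part of the mailing-list thread or the Keycloak project.
// Assumptions: the Keycloak JEE adapter authenticates requests to /api/* and maps
// realm roles to container roles; role names and the package are hypothetical.
package example;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

@Path("/api")
@Produces(MediaType.APPLICATION_JSON)
public class UserDataResource {

    // Hypothetical role names; they must match realm roles in Keycloak and the
    // <security-role> entries declared in web.xml.
    static final String ROLE_PROFILE = "profile-reader";
    static final String ROLE_ORDERS = "orders-reader";

    // Constructed sample data standing in for a real backing store.
    private static final Map<String, String> DISPLAY_NAMES = new HashMap<>();
    private static final Map<String, List<String>> ORDERS = new HashMap<>();
    static {
        DISPLAY_NAMES.put("alice", "Alice Example");
        ORDERS.put("alice", Arrays.asList("order-1001", "order-1002"));
    }

    // Populated per request by the JAX-RS runtime from the adapter's authentication.
    @Context
    private SecurityContext securityContext;

    // Pattern recommended in the reply: one endpoint per role. The container
    // answers 403 for callers lacking the role before the method body runs, so
    // the handler itself contains no authorization logic to get wrong.
    @GET
    @Path("/profile")
    @RolesAllowed(ROLE_PROFILE)
    public Map<String, Object> profile() {
        String user = securityContext.getUserPrincipal().getName();
        Map<String, Object> body = new HashMap<>();
        body.put("subject", user);
        body.put("displayName", DISPLAY_NAMES.getOrDefault(user, "unknown"));
        return body;
    }

    @GET
    @Path("/orders")
    @RolesAllowed(ROLE_ORDERS)
    public Map<String, Object> orders() {
        String user = securityContext.getUserPrincipal().getName();
        Map<String, Object> body = new HashMap<>();
        body.put("subject", user);
        body.put("orders", ORDERS.getOrDefault(user, Arrays.<String>asList()));
        return body;
    }

    // Pattern from the question: a single endpoint that returns whatever the
    // token's roles allow. Every field now needs an explicit check; a field
    // added without one is returned to everybody, which is the main risk of
    // this design and why the per-role endpoints above are easier to audit.
    @GET
    @Path("/me")
    public Response me() {
        String user = securityContext.getUserPrincipal().getName();
        Map<String, Object> body = new HashMap<>();
        body.put("subject", user);
        boolean anyGranted = false;
        if (securityContext.isUserInRole(ROLE_PROFILE)) {
            body.put("displayName", DISPLAY_NAMES.getOrDefault(user, "unknown"));
            anyGranted = true;
        }
        if (securityContext.isUserInRole(ROLE_ORDERS)) {
            body.put("orders", ORDERS.getOrDefault(user, Arrays.<String>asList()));
            anyGranted = true;
        }
        // A token that grants nothing here gets an error code rather than an
        // empty-but-successful response, mirroring the "error code" option above.
        if (!anyGranted) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok(body).build();
    }
}
```

For the container to enforce this, `web.xml` still needs a `<login-config>` with `<auth-method>KEYCLOAK</auth-method>`, a `<security-constraint>` covering `/api/*` whose `<auth-constraint>` lists the roles, and a `<security-role>` entry per role; on RESTEasy (WildFly/EAP) `@RolesAllowed` on a plain JAX-RS class is only honoured when the `resteasy.role.based.security` context parameter is set to `true` (or the resource is an EJB). Note that `isUserInRole` and `@RolesAllowed` test roles, not OAuth scopes, which is exactly the trade-off the reply points at: Keycloak puts roles into the token and the adapter maps them, whereas scope checks would have to be written by hand against the token's claims.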
