[keycloak-user] Authorization on resources that belong to different "groups"

Mehdi Sheikhalishahi mehdi.alishahi at gmail.com
Mon Apr 10 10:59:31 EDT 2017 

Hi Gabriel

Thanks for the note.
I need to secure Orion. Orion is a C++ implementation of the NGSI9/10 REST
API binding developed as a part of the FIWARE platform. I could not find
any adapter in KeyCloak. So how we could secure Orion?

https://github.com/telefonicaid/fiware-orion#api-overview




On Mon, Apr 10, 2017 at 3:27 PM, Gabriel Trisca <gtrisca at cignifi.com> wrote:

> Hi Mehdi,
>
> The policies are defined in the Keycloak admin panel, and we want to try
> to avoid defining access control in out application code as much as
> possible. The application uses Dropwizard, so we use the Jetty adapter.
>
> Thanks!
>
> On Mon, Apr 10, 2017 at 8:27 AM, Mehdi Sheikhalishahi <
> mehdi.alishahi at gmail.com> wrote:
>
>> Hi Gabriel,
>>
>> How do you define your policies? which adapter do you use for your app?
>>
>> On Thu, Mar 30, 2017 at 11:59 PM, Gabriel Trisca <gtrisca at cignifi.com>
>> wrote:
>>
>>> HI there,
>>>
>>> We've integrated Keycloak auth and authz to an existing REST service
>>> which
>>> serves endpoints like this:
>>>
>>> GET /api/report?country={country}
>>> GET /api/status?country={country}
>>> GET /api/history?country={country}
>>>
>>> As far as I understand, the only way to protect these resources is to
>>> create "global" resources (/api/report, /api/status etc.), but then we
>>> can't validate if the current user is authorized to make requests for a
>>> given "country":
>>>
>>> The other alternative would be to include the country name in the URI,
>>> but
>>> this would lead to duplication of resource definitions:
>>>
>>> /api/report/country1
>>> /api/report/country2
>>> /api/status/country1
>>> /api/status/country2
>>> ...
>>>
>>> We considered including a list of the countries the user has access to as
>>> an attribute in the access_token but that would require manually
>>> maintaining said attribute
>>>
>>> Is there another way that would accommodate this kind of authentication
>>> requirements?
>>>
>>> Thanks in advance!
>>>
>>> --
>>> *Gabriel Trisca, Software Developer*
>>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
> P: +1 857-209-2685 <+1%20857-209-2685> • M: +1 301-433-2221
> <+1%20301-433-2221> | www.cignifi.com
>

More information about the keycloak-user mailing list