[keycloak-user] Authorization on resources that belong to different "groups"

Mon Apr 10 22:57:41 EDT 2017

You will have more luck creating a new thread in the mailing list with this
issue in the mailing list, but what you have to look for is which web
server is used behind the scenes in that application.

On Mon, Apr 10, 2017 at 10:59 AM, Mehdi Sheikhalishahi <
mehdi.alishahi at gmail.com> wrote:

> Hi Gabriel
>
> Thanks for the note.
> I need to secure Orion. Orion is a C++ implementation of the NGSI9/10
> REST API binding developed as a part of the FIWARE platform. I could not
> find any adapter in KeyCloak. So how we could secure Orion?
>
> https://github.com/telefonicaid/fiware-orion#api-overview
>
>
>
>
> On Mon, Apr 10, 2017 at 3:27 PM, Gabriel Trisca <gtrisca at cignifi.com>
> wrote:
>
>> Hi Mehdi,
>>
>> The policies are defined in the Keycloak admin panel, and we want to try
>> to avoid defining access control in out application code as much as
>> possible. The application uses Dropwizard, so we use the Jetty adapter.
>>
>> Thanks!
>>
>> On Mon, Apr 10, 2017 at 8:27 AM, Mehdi Sheikhalishahi <
>> mehdi.alishahi at gmail.com> wrote:
>>
>>> Hi Gabriel,
>>>
>>> How do you define your policies? which adapter do you use for your app?
>>>
>>> On Thu, Mar 30, 2017 at 11:59 PM, Gabriel Trisca <gtrisca at cignifi.com>
>>> wrote:
>>>
>>>> HI there,
>>>>
>>>> We've integrated Keycloak auth and authz to an existing REST service
>>>> which
>>>> serves endpoints like this:
>>>>
>>>> GET /api/report?country={country}
>>>> GET /api/status?country={country}
>>>> GET /api/history?country={country}
>>>>
>>>> As far as I understand, the only way to protect these resources is to
>>>> create "global" resources (/api/report, /api/status etc.), but then we
>>>> can't validate if the current user is authorized to make requests for a
>>>> given "country":
>>>>
>>>> The other alternative would be to include the country name in the URI,
>>>> but
>>>> this would lead to duplication of resource definitions:
>>>>
>>>> /api/report/country1
>>>> /api/report/country2
>>>> /api/status/country1
>>>> /api/status/country2
>>>> ...
>>>>
>>>> We considered including a list of the countries the user has access to
>>>> as
>>>> an attribute in the access_token but that would require manually
>>>> maintaining said attribute
>>>>
>>>> Is there another way that would accommodate this kind of authentication
>>>> requirements?
>>>>
>>>> Thanks in advance!
>>>>
>>>> --
>>>> *Gabriel Trisca, Software Developer*
>>>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>>
>> --
>> *Gabriel Trisca, Software Developer*
>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
>> P: +1 857-209-2685 <+1%20857-209-2685> • M: +1 301-433-2221
>> <+1%20301-433-2221> | www.cignifi.com
>>
>
>

-- 
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
P: +1 857-209-2685 • M: +1 301-433-2221 | www.cignifi.com