[keycloak-user] Anonymous access to scoped resources

ebondu dev.ebondu at gmail.com
Mon Mar 6 13:34:19 EST 2017


Hi and thanks for your reply,

Serving public resources is not a problem here; I can either change the
web.xml or change the Spring security chain to serve public resources. But
what I need is to provide public access to a set of KC protected resources
(the decision to authorize public access to resources has to be made by
the KC server with the "anonymous policy").

To illustrate, here is the corresponding use case:

- An admin can create some images with a set of scopes for restricted CRUD
operations and optionally a "public" scope to allow public access (read
only) to some images.
- A user can create some private images with a set of scopes for
restricted CRUD operations and without public access.
- A service is in charge of CRUD operations on all images (the service is
protected by KC Spring filters to manage auth/authz).
- A public web page has to show the public images created by the admin. As
it is a public page, images must be accessible without an access token,
so I can use the CRUD service. Consequently, I need another dedicated
service that can serve images with the "public" scope only.

My first idea was to secure this service with the same authz Spring filter
only, but as it depends on the auth filter, I can't do it (the auth filter
creates the security context from the passed access token).

=> A new Spring filter directly asking for permissions to access the "public"
scope + an "anonymous" policy on the KC side seems to be the only solution
here?



