[keycloak-user] API Authorization: on request or response?

Corentin Dupont corentin.dupont at gmail.com
Sun Nov 12 16:14:13 EST 2017

Hi guys,
another small question :)

Suppose you have an API looking like this:

Cars have an owner:
  name: "my car"
  owner: "smith"

How do you make sure that you can only get cars that are yours (you can have
several cars)?
If you make a simple GET on this endpoint, should I:
1. just reply with an "Access denied" because the request is too large: it
could yield cars that are not yours,
2. reply with "Access denied" if the response list contains some cars that
are not yours,
3. filter the response car list with only yours?

It seems that 1. is the simplest because it uses only the request to make
2. uses the response to make decision, while 3. requires the collaboration
of the response handler in my API server, in order to implement the
What is the most standard way?

I also have some trouble understanding how to implement that with Keycloak
protect in NodeJS.
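
Added example, not part of the original post: the three options from the question side by side as plain JavaScript functions, run against constructed car records. It assumes the caller's username has already been taken from a verified access token; the `owner` query parameter and all function names are hypothetical.

```javascript
// Constructed sample data in the shape given in the post.
const CARS = [
  { name: "my car", owner: "smith" },
  { name: "second car", owner: "smith" },
  { name: "other car", owner: "jones" },
];

// Hypothetical query: an optional ?owner= parameter narrows the list.
function select(query) {
  return query.owner ? CARS.filter((c) => c.owner === query.owner) : CARS;
}

const denied = () => ({ status: 403, body: "Access denied" });

// Option 1: decide from the request alone. Anything not explicitly
// scoped to the caller is refused before the data store is touched.
function decideOnRequest(caller, query) {
  if (query.owner !== caller) return denied();
  return { status: 200, body: select(query) };
}

// Option 2: run the query, then refuse the whole response if it
// contains a car owned by someone else.
function decideOnResponse(caller, query) {
  const cars = select(query);
  if (cars.some((c) => c.owner !== caller)) return denied();
  return { status: 200, body: cars };
}

// Option 3: run the query and silently drop cars the caller does not
// own. The handler never returns 403; the worst case is an empty list.
function filterResponse(caller, query) {
  return { status: 200, body: select(query).filter((c) => c.owner === caller) };
}
```

With these definitions, a plain unscoped GET by "smith" is refused under options 1 and 2 and returns the two "smith" cars under option 3.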
