[keycloak-user] AuthZ with realm roles

Corentin Dupont corentin.dupont at gmail.com
Sun Nov 12 16:29:37 EST 2017


Hi guys,
yet another question... AuthZ is quite mysterious!
I am trying to protect my API with realm roles.

I have an API looking like this:
http://www.example.com/api/v1/cities/rome/houses
http://www.example.com/api/v1/cities/rome/streets

Each endpoint supports GET/PUT/POST/DELETE.
Each role must have the form:

<view|manage>:<asset>[:<city>[:<resource filter>]]

For example roles can be:
- view:houses
- view:houses:rome
- view:houses:rome:owner==smith
- manage:houses:rome

"manage": gives you all CRUD operations, while with "view" you can only
read resources.

Do you think this design is correct? Any other suggestion?
What is not practical is that I have to force my users to use this role
format.
The resource filter part is also hard to implement, as it requires me to
check the content of the responses...


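One way to enforce the role grammar described in the post, as an added example that is not part of the original message or of Keycloak itself: roles are parsed fail-closed, GET maps to view-or-manage while PUT/POST/DELETE need manage, and a role's resource filter is applied to the rows of a read response. The `/api/v1/cities/<city>/<asset>` path pattern, the `field==value` filter syntax and the rule that a filtered role never widens a mutating request are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Role grammar from the post: <view|manage>:<asset>[:<city>[:<field>==<value>]]
ROLE_RE = re.compile(r"^(view|manage):([a-z]+)(?::([a-z]+)(?::([a-z_]+)==([^:]+))?)?$")
# API path grammar from the post (assumed): /api/v1/cities/<city>/<asset>
PATH_RE = re.compile(r"^/api/v1/cities/([a-z]+)/([a-z]+)$")

@dataclass(frozen=True)
class Role:
    action: str                       # "view" or "manage"
    asset: str                        # e.g. "houses"
    city: Optional[str]               # None: role applies to every city
    filt: Optional[tuple[str, str]]   # (field, value) or None: every resource

def parse_role(text: str) -> Role:
    """Parse one realm role string; anything off-grammar is rejected (fail closed)."""
    m = ROLE_RE.match(text)
    if not m:
        raise ValueError(f"malformed role: {text!r}")
    action, asset, city, field, value = m.groups()
    return Role(action, asset, city, (field, value) if field else None)

def matching_roles(roles: list[Role], method: str, path: str) -> list[Role]:
    """Roles covering this method+path: GET needs view or manage, anything else needs manage."""
    m = PATH_RE.match(path)
    if not m:
        return []
    city, asset = m.groups()
    needed = {"view", "manage"} if method == "GET" else {"manage"}
    return [r for r in roles if r.action in needed and r.asset == asset and r.city in (None, city)]

def authorize(roles: list[Role], method: str, path: str, items: list[dict] = ()) -> tuple[bool, list[dict]]:
    """Return (allowed, visible_items).
    An unfiltered matching role allows the request and returns all items. With only
    filtered roles (e.g. view:houses:rome:owner==smith) a GET is allowed but only rows
    whose field equals the value are returned; mutating requests are denied (assumption)."""
    matched = matching_roles(roles, method, path)
    if not matched:
        return False, []
    if any(r.filt is None for r in matched):
        return True, list(items)
    if method != "GET":
        return False, []
    filters = [r.filt for r in matched]
    return True, [it for it in items if any(it.get(f) == v for f, v in filters)]
```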