[keycloak-user] API Authorization: on request or response?

Pedro Igor Silva psilva at redhat.com
Mon Nov 13 06:34:35 EST 2017


Hi,

It seems you are looking for fine-grained permissions. Could you take a
look at this example [1] and documentation [2]?

One of the things shown by that example is how to protect resources based
on their owner.

[1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
[2] http://www.keycloak.org/docs/latest/authorization_services/index.html

On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Hi guys,
> another small question :)
>
> Suppose you have an API looking like this:
> http://www.example.com/api/v1/cars
>
> Cars have an owner:
> {
>   name: "my car",
>   owner: "smith"
> }
>
> How to make sure that you can only get cars that are yours (you can have
> several cars)?
> If you make a simple GET on this endpoint, should I:
> 1. just reply with an "Access denied" because the request is too large: it
> could yield cars that are not yours,
> 2. reply with "Access denied" if the response list contains some cars that
> are not yours,
> 3. filter the response car list with only yours?
>
> It seems that 1. is the simplest because it uses only the request to make
> decisions.
> 2. uses the response to make decision, while 3. requires the collaboration
> of the response handler in my API server, in order to implement the
> filtering.
> What is the most standard way?
>
> I also have some trouble understanding how to implement that with Keycloak
> protect in NodeJS.
> Cheers!!
> Corentin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
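As an added illustration of the three strategies listed in the question (this is example code, not from the thread or from Keycloak's own adapter), the functions below apply each strategy to a constructed car list. `subject` stands for the caller identity an authenticated request already carries, for example the token's `sub` or `preferred_username` claim that a Keycloak adapter exposes; how that identity is obtained is assumed, not shown.

```javascript
// Constructed sample data: two cars owned by "smith", one by "jones".
const cars = [
  { name: "my car", owner: "smith" },
  { name: "old truck", owner: "smith" },
  { name: "not mine", owner: "jones" },
];

// Strategy 1: decide on the request alone. An unscoped listing is refused
// outright; the caller must scope the request to an owner, and that owner
// must be the caller. Nothing about other owners' data is ever computed.
function listByRequest(allCars, subject, requestedOwner) {
  if (requestedOwner === undefined || requestedOwner !== subject) {
    return { status: 403, body: { error: "Access denied" } };
  }
  return { status: 200, body: allCars.filter((c) => c.owner === subject) };
}

// Strategy 2: decide on the response. The unscoped query runs in full and
// the whole call is refused if the result contains anything the caller does
// not own. Safe, but an unscoped GET then only succeeds when the caller
// happens to own every row, so it is rarely useful in practice.
function listByResponse(allCars, subject) {
  const result = allCars; // what the unscoped query returned
  if (result.some((c) => c.owner !== subject)) {
    return { status: 403, body: { error: "Access denied" } };
  }
  return { status: 200, body: result };
}

// Strategy 3: filter. The response handler narrows the list to rows the
// caller owns. Other owners' records never leave the server, and the caller
// gets no 403 that would reveal such records exist.
function listFiltered(allCars, subject) {
  return { status: 200, body: allCars.filter((c) => c.owner === subject) };
}

module.exports = { cars, listByRequest, listByResponse, listFiltered };
```

In a real service the owner constraint of strategy 3 belongs in the data query itself (e.g. `WHERE owner = ?` bound to the caller's subject) rather than in a post-filter over a full result, so that a forgotten filter cannot leak the whole table.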
