[keycloak-user] API Authorization: on request or response?
Pedro Igor Silva
psilva at redhat.com
Mon Nov 13 06:34:35 EST 2017
It seems you are looking for fine-grained permissions. Could you take a
look at this example and documentation?
One of the things shown by that example is how to protect resources based
on their owner.
On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <corentin.dupont at gmail.com>
> Hi guys,
> another small question :)
> Suppose you have an API looking like this:
> Cars have an owner:
> name: "my car"
> owner: "smith"
> How to make sure that you can only get cars that are yours (you can have
> several cars)?
> If you make a simple GET on this endpoint, should I:
> 1. just reply with a "Access denied" because the request is too large: it
> could yield cars that are not yours,
> 2. reply with "Access denied" if the response list contains some cars that
> are not yours,
> 3. filter the response car list with only yours?
> It seems that 1. is the simplest because it uses only the request to make
> 2. uses the response to make decision, while 3. requires the collaboration
> of the response handler in my API server, in order to implement the
> What is the most standard way?
> I have also some trouble understanding how to implement that with Keycloak
> protect in NodeJS.
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
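The three enforcement points Corentin lists (deny the over-broad request, deny after inspecting the response, filter the response), plus the per-resource owner check of the kind Pedro's pointer concerns, written out as an added example. This is not code from the thread or from Keycloak: it assumes the access token has already been verified upstream (for instance by keycloak-connect's `keycloak.protect()`), that the caller's identity is the token's `preferred_username` claim, and it uses a constructed in-memory car list in place of a database.

```javascript
// Added example, not from the thread or from Keycloak. Shows where an
// owner check can be enforced for GET /cars and GET /cars/{id}.
// Assumption: `token` is an already-verified access token's claims, and
// the caller's identity is its preferred_username claim.

// Constructed sample data: two cars owned by smith, one by jones.
const CARS = [
  { id: 1, name: 'my car', owner: 'smith' },
  { id: 2, name: 'second car', owner: 'smith' },
  { id: 3, name: 'other car', owner: 'jones' },
];

// Identity of the caller, taken from the verified token claims.
function subjectOf(token) {
  if (!token || typeof token.preferred_username !== 'string') {
    throw new Error('unauthenticated');
  }
  return token.preferred_username;
}

// Backend query: ?owner=... narrows the result, no owner returns everything.
function runQuery(query) {
  return CARS.filter(c => query.owner === undefined || c.owner === query.owner);
}

// Option 1: decide on the request alone. A collection request that is not
// scoped to the caller's own cars is refused before anything is fetched.
function authorizeRequest(token, query) {
  const subject = subjectOf(token);
  if (query.owner === undefined) {
    return { status: 403, reason: "unscoped query could return other owners' cars" };
  }
  if (query.owner !== subject) {
    return { status: 403, reason: 'query scoped to another owner' };
  }
  return { status: 200, cars: runQuery(query) };
}

// Option 2: run the query, then deny the whole response if it contains
// anything the caller does not own. Fails closed, but the 403 itself
// tells the caller that foreign cars matched their query.
function authorizeResponse(token, query) {
  const subject = subjectOf(token);
  const result = runQuery(query);
  if (result.some(c => c.owner !== subject)) {
    return { status: 403, reason: 'result contains cars of another owner' };
  }
  return { status: 200, cars: result };
}

// Option 3: run the query, then drop everything the caller does not own.
// The response handler has to cooperate, but the caller always gets a
// usable (and correctly scoped) list.
function filterResponse(token, query) {
  const subject = subjectOf(token);
  return { status: 200, cars: runQuery(query).filter(c => c.owner === subject) };
}

// Per-resource check for GET /cars/{id}: the owner of the specific car is
// compared with the caller. A foreign id gets the same 404 as a missing
// one, so the endpoint does not confirm which ids belong to other owners.
function authorizeSingle(token, id) {
  const subject = subjectOf(token);
  const car = CARS.find(c => c.id === id);
  if (!car || car.owner !== subject) {
    return { status: 404 };
  }
  return { status: 200, car };
}

module.exports = { authorizeRequest, authorizeResponse, filterResponse, authorizeSingle };
```

In practice option 3 is usually pushed into the query itself (the owner taken from the token becomes the `WHERE owner = ?` predicate rather than a post-filter), which keeps the collection endpoint from ever materialising other owners' rows; option 2 is the one to avoid, since it both does the extra work and reveals through the denial that matching foreign rows exist.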