[keycloak-user] AuthZ with realm roles

Pedro Igor Silva psilva at redhat.com
Mon Nov 13 06:35:46 EST 2017


You should probably take a look at Keycloak Authorization Services.

On Sun, Nov 12, 2017 at 7:29 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Hi guys,
> yet another question... AuthZ is quite mysterious!
> I am trying to protect my API with realm roles.
>
> I have an API looking like this:
> http://www.example.com/api/v1/cities/rome/houses
> http://www.example.com/api/v1/cities/rome/streets
>
> Each endpoint supports GET/PUT/POST/DELETE.
> Each role must have the form:
>
> <view|manage>:<asset>[:<city>[:<resource filter>]]
>
> For example roles can be:
> - view:houses
> - view:houses:rome
> - view:houses:rome:owner==smith
> - manage:houses:rome
>
> "manage": gives you all CRUD operations, while with "view" you can only
> read resources.
>
> Do you think this design is correct? Any other suggestion?
> What is not practical is that I have to force my users to use this role
> format.
> The resource filter part is also hard to implement, as it requires to
> check the content of the responses...
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
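Worked example, added here and not part of the thread or of Keycloak itself: a small Python enforcement routine for the role convention Corentin describes (`<view|manage>:<asset>[:<city>[:<resource filter>]]`), applied to requests against the `/api/v1/cities/<city>/<asset>` endpoints. It separates the endpoint-level decision (method plus asset plus city, decided from the token's realm roles) from the response-level decision (the `owner==smith` filter, which can only be applied once the resources have been loaded). The role strings, request paths and house records are constructed sample data; the function and field names are assumptions for illustration. Unknown HTTP methods and malformed role strings fail closed.

```python
"""Constructed example: enforcing realm roles of the form
<view|manage>:<asset>[:<city>[:<field>==<value>]] against an API.
All role strings, paths and records below are made up for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

READ_METHODS = {"GET"}
WRITE_METHODS = {"PUT", "POST", "DELETE"}   # "manage" covers all of these
PATH_RE = re.compile(r"^/api/v1/cities/(?P<city>[^/]+)/(?P<asset>[^/]+)/?$")
FILTER_RE = re.compile(r"^(\w+)==(\w+)$")


@dataclass(frozen=True)
class Role:
    verb: str                          # "view" or "manage"
    asset: str                         # e.g. "houses"
    city: Optional[str]                # None means every city
    filt: Optional[Tuple[str, str]]    # ("owner", "smith") or None


def parse_role(role: str) -> Optional[Role]:
    """Parse one realm role. Roles outside the convention (e.g. the built-in
    'offline_access') return None and are ignored; a role that looks like the
    convention but has a malformed filter also returns None (fail closed)."""
    parts = role.split(":", 3)
    if len(parts) < 2 or parts[0] not in ("view", "manage") or not parts[1]:
        return None
    city = parts[2] if len(parts) > 2 and parts[2] else None
    filt = None
    if len(parts) == 4:
        m = FILTER_RE.match(parts[3])
        if not m:
            return None
        filt = (m.group(1), m.group(2))
    return Role(parts[0], parts[1], city, filt)


def role_permits(role: Role, method: str, asset: str, city: str) -> bool:
    """Endpoint-level check for a single role (ignores the resource filter)."""
    if role.asset != asset:
        return False
    if role.city is not None and role.city != city:
        return False
    if method in WRITE_METHODS:
        return role.verb == "manage"
    return method in READ_METHODS      # view and manage may both read


def is_allowed(roles: List[str], method: str, path: str):
    """Decide a request from the token's realm roles.
    Returns (allowed, filters): filters is the list of (field, value) pairs
    that still have to be applied to the loaded resources; it is empty when
    at least one matching role is unfiltered."""
    m = PATH_RE.match(path)
    if not m:
        return False, []
    city, asset = m.group("city"), m.group("asset")
    matching = [r for r in map(parse_role, roles)
                if r is not None and role_permits(r, method, asset, city)]
    if not matching:
        return False, []
    if any(r.filt is None for r in matching):
        return True, []
    return True, [r.filt for r in matching]


def apply_filters(items: List[dict], filters: List[Tuple[str, str]]) -> List[dict]:
    """Response-level check: keep only records matching at least one filter.
    With no filters every record is returned."""
    if not filters:
        return list(items)
    return [it for it in items if any(it.get(f) == v for f, v in filters)]


if __name__ == "__main__":
    houses = [{"id": 1, "owner": "smith"}, {"id": 2, "owner": "jones"}]  # constructed
    ok, filters = is_allowed(["view:houses:rome:owner==smith"], "GET",
                             "/api/v1/cities/rome/houses")
    print(ok, apply_filters(houses, filters))
```

The same split applies to writes: a filtered `manage` role returns its filter too, so a PUT or DELETE must be checked against the stored record's fields before the change is applied, not only against the URL.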

