[keycloak-user] Group-based permissions for resources

Pedro Igor Silva psilva at redhat.com
Fri Jun 22 10:30:46 EDT 2018


You should be able to push arbitrary claims to your policies such as the
request URI. Your policy could check if {organization} is among the groups
the user is a member of. A single policy could serve for this purpose.

I've added more information about this in docs, the PR is about to be
merged. I'm also working with a quickstart that shows how to solve a
similar problem. Something like "access to /api/{user}/salary is only
allowed if current user is {user}".


On Fri, Jun 22, 2018 at 5:09 AM, Christian Stier <stier at fzi.de> wrote:

> Dear all,
>
> I am in the process of implementing an authorization solution for the REST
> API of an application using Keycloak/OIDC.
>
> The application manages resources based on their association with user
> groups. Its simplified path schema is similar to
> /{organization}/{resourcename}. All users of an organization should be
> allowed to access its resources. My current approach is to
> map organizations to Keycloak user groups.
>
> 1) Is it possible to define an authorization policy in Keycloak that
> handles group-based authorization for a single resource defined
> for the path /{organization}/{resourcename}? My idea here was to check if
> the organization path of a URL matches a scope of the
> calling client that is mapped from its group memberships. I looked into JS
> policy examples and the Evaluation API but I did not see
> a way to check against path parameters.
>
> 2) Or: Do I have to (programmatically) create separate resource/policy
> pairs for each organization to support this type of
> group-based authorization?
>
> Thanks for any pointers and input.
>
> Best regards
> Christian
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
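The single-policy check Pedro describes (compare the {organization} segment of a pushed request URI with the caller's group memberships), as an added example that is not part of this thread or of Keycloak itself. The decision logic is plain JavaScript so it runs outside Keycloak, and the entry point at the bottom adapts it to the JavaScript policy API; the pushed claim name "request_uri", a "groups" claim in the token (added by a group membership mapper) and the group path layout are assumptions.

```javascript
// Added example (not from the thread or Keycloak): grant access to
// /{organization}/{resourcename} only when {organization} names one of the
// caller's groups. Written in ES5 because Keycloak's policy engine runs on Nashorn.

// Extract the {organization} segment from "/acme/reports" or a full URL.
// Returns null when the path does not carry both segments.
function organizationFromUri(uri) {
  var path = String(uri).replace(/^[a-z]+:\/\/[^/]+/i, '').split('?')[0];
  var segments = path.split('/').filter(function (s) { return s.length > 0; });
  if (segments.length < 2) return null;
  return decodeURIComponent(segments[0]).toLowerCase();
}

// Keycloak reports groups as paths such as "/acme" or "/orgs/acme" (assumed
// layout); compare the leaf name only, case-insensitively, and fail closed.
function isMemberOfOrganization(groupPaths, organization) {
  if (!organization) return false;
  return groupPaths.some(function (g) {
    var leaf = String(g).split('/').filter(function (s) { return s.length > 0; }).pop();
    return leaf !== undefined && leaf.toLowerCase() === organization;
  });
}

// Pure decision: true means grant. Deny unless exactly one URI was pushed.
function decide(pushedUris, groupPaths) {
  if (pushedUris.length !== 1) return false;
  return isMemberOfOrganization(groupPaths, organizationFromUri(pushedUris[0]));
}

// Policy entry point: only runs inside Keycloak, where $evaluation exists.
// Pushed claims arrive as Map<String, Set<String>>; identity attributes come
// from the token, so "groups" must be mapped into it (assumption).
if (typeof $evaluation !== 'undefined') {
  var claims = $evaluation.getPermission().getClaims();
  var uriSet = claims.get('request_uri');
  var uris = [];
  if (uriSet) { var it = uriSet.iterator(); while (it.hasNext()) uris.push(String(it.next())); }
  var groupEntry = $evaluation.getContext().getIdentity().getAttributes().getValue('groups');
  var groups = [];
  for (var i = 0; groupEntry && i < groupEntry.size(); i++) groups.push(groupEntry.asString(i));
  if (decide(uris, groups)) $evaluation.grant();
}
```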

