[keycloak-user] Viewing permissions

Fri Mar 9 09:51:35 EST 2018

At the moment, no, the client does not know the resource name. To get the
cars it just calls GET www.myAPI.com/cars.
My client does not talk directly to Keycloak: there is an intermediary
between the two called the "API server".
So it's like that:

Client --> API server -> Keycloak (and other backend components).

The API server creates the authorization requests to Keycloak.
The client just knows the endpoint name and the data format behind it (the
format of a car, for instance).

So I'm wondering if I should create a specific endpoint for the access
checking in that API, with the corresponding data format.
This new data format would contain something similar to the resource/scopes
as you suggest.
The other solution is to enhance each endpoint with a "dry run" or "check
permission" option.

On Fri, Mar 9, 2018 at 2:47 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> I see ... Does your client know the name of the resource representing the
> "/cars/myCar" URI ?
>
> If so, I think you don't even need to design an API for that. But just
> send from your client an entitlement request passing the resource/scopes
> you want to check for access.
>
>
> On Fri, Mar 9, 2018 at 9:11 AM, Corentin Dupont <corentin.dupont at gmail.com
> > wrote:
>
>>
>>
>> On Fri, Mar 9, 2018 at 12:53 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>>
>>>
>>> On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Based on my current API, I can see two strategies for displaying the
>>>> "delete" (or request access) button.
>>>>
>>>> I have an API like this:
>>>>
>>>> GET /cars
>>>> POST /cars
>>>> GET /cars/<carID>
>>>> DELETE /cars/<carID>
>>>>
>>>> When I receive a request, I call keycloak to get authorization on the
>>>> resource/scope.
>>>> I also create/delete resources in Keycloak for the POST/DELETE requests.
>>>>
>>>> Regarding the display of the "delete" button on the UI, what should I
>>>> do?
>>>> I see two options:
>>>> 1. Add a "dry_run" query parameter on the DELETE endpoint:
>>>>
>>>> DELETE /cars/myCar?dry_run=true
>>>>
>>>> This would query only keycloak, and return the status code (200 or
>>>> 403). Based on that I can display my button or not.
>>>>
>>>
>>> You can send a entitlement request to Keycloak asking permissions for
>>> the resource. 200/403 will be returned accordingly.
>>>
>>
>> Exactly. But my question was more on how to design an API using this
>> feature :)
>>
>>
>>
>>>
>>>
>>>>
>>>> 2. Create a specific endpoint for viewing authorizations:
>>>>
>>>> GET /permissions
>>>> {
>>>>   cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}]
>>>> }
>>>>
>>>> What do you think?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> I think this is the best way to go ....
>>>>>
>>>>> In fact, this is exactly what we are pushing now with UMA 2.0 and
>>>>> support for asynchronous authorization. Suppose you have a "Request Access"
>>>>> button in case the user is not allowed to perform operation on a resource
>>>>> belonging to a different user. This button could be displayed based on a
>>>>> "test" authorization request to which you can also specify whether or not
>>>>> you want to start an authorization flow to get approval from resource owner.
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> I have a question around the representation and result of permissions.
>>>>>> Say I have an application that manages socks inventory. The UI is
>>>>>> displaying a button to delete socks. However, some user doesn't have
>>>>>> the
>>>>>> right to delete socks!
>>>>>> So, I perform a request to Keycloak to get the permission.
>>>>>> It works well: if the user doesn't have permission, the message
>>>>>> "authorization denied" is displayed on the screen.
>>>>>>
>>>>>> However, it would be nicer to remove the "delete" button entirely.
>>>>>> My policies are quite complex and multi-dimensional: You can delete
>>>>>> socks
>>>>>> if you are admin, but also if it belongs to you, you belong to some
>>>>>> groups
>>>>>> etc.
>>>>>> So anticipating the reply to an authorization request can be very
>>>>>> hard.
>>>>>>
>>>>>> What do you suggest? Should we perform a "test" authorization request
>>>>>> before display the "delete" button?
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>