[keycloak-user] Keycloak to authorise my REST API from admin console

Matthew Torres matthew.torres211 at gmail.com
Mon Oct 1 02:52:35 EDT 2018


Good day!

I'm not sure if I am understanding the usage correctly for Keycloak's
authorisation functionality or not.

Suppose I have an Express REST API with thousands of routes and the users
are authenticated using Keycloak. After grouping the routes and mapping them
to the correct roles, I created a *Resource* in the Keycloak admin dashboard.
After creating the resources and defining a URI related to my routes in the
field, will it automatically protect my routes when a user accesses them? Or
do I need to explicitly assign the role in the middleware of my Express
app? Now I know that the latter will work, but I was wondering: since I
specified the URI in the resource already, will it not protect my routes?

Example:
If I have a resource called *ManageResource* with URIs */profile,
/create,* etc.,
mapped with a role-based permission of *HR*, and a user named George
having a role of *janitor* accesses the route using a token: without
explicitly defining the roles in the Express app, will it deny George
access to the resource?

I know the answer is no, but is there a way for me to protect my routes
using only the Keycloak admin dashboard?

*Sincerely,*

*Matthew Aldrin S. Torres*
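
The explicit in-app check the message calls "the latter", as an added example that is not part of the original post or of Keycloak's own adapter code. It assumes RS256-signed access tokens that carry realm roles in the `realm_access.roles` claim; the path-to-role map, the function names and the demo key pair are constructed for illustration.

```javascript
const crypto = require('crypto');
// Constructed map mirroring the post: ManageResource URIs -> role HR.
const REQUIRED_ROLE = { '/profile': 'HR', '/create': 'HR' };
const b64url = (data) => Buffer.from(data).toString('base64url');

// Verify an RS256 JWT with the realm public key; return its claims or null.
function verifyToken(token, publicKey) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return null; }
  if (!header || header.alg !== 'RS256') return null; // pin the algorithm
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) return null;
  if (!claims || !(claims.exp * 1000 > Date.now())) return null; // missing or expired
  return claims;
}

// Express-style middleware: 401 without a valid token, 403 without the mapped role.
function enforceRoles(publicKey) {
  return (req, res, next) => {
    const required = REQUIRED_ROLE[req.path];
    if (!required) return res.status(403).end(); // default deny for unmapped paths
    const auth = (req.headers && req.headers.authorization) || '';
    const claims = auth.startsWith('Bearer ') ? verifyToken(auth.slice(7), publicKey) : null;
    if (!claims) return res.status(401).end();
    const roles = (claims.realm_access && claims.realm_access.roles) || [];
    return roles.includes(required) ? next() : res.status(403).end();
  };
}

// Constructed demo: a locally generated key pair stands in for the realm key.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signDemoToken(username, roles, ttlSeconds = 60) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ preferred_username: username, exp, realm_access: { roles } }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), demoKeys.privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}
// Run the middleware against a fake request and return the resulting HTTP status.
function simulate(path, token) {
  let status = 200;
  const res = { status(code) { status = code; return this; }, end() {} };
  enforceRoles(demoKeys.publicKey)({ path, headers: token ? { authorization: `Bearer ${token}` } : {} }, res, () => {});
  return status;
}
```

In a real Express app the middleware would be mounted with `app.use(enforceRoles(realmPublicKey))`, where `realmPublicKey` is the realm's actual signing key rather than the demo pair.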

