[keycloak-user] Best practices for permission-based resource lookup
Pedro Igor Silva
psilva at redhat.com
Tue Oct 16 17:22:30 EDT 2018
On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina at sap.com> wrote:
> Hi folks,
> I have a project with several resources that are created and owned by
> users. Access to these resources can be shared with groups or other users
> via Keycloak permissions. My API needs to implement endpoints for accessing
> these resources in a permission-based manner, meaning that for example GET
> /my-resource should return all resources that the provided access token has
> permission to view (e.g. via “view” scope).
>
> Right now, this is my implementation:
>
> 1. POST /my-resource creates an object in my DB and a corresponding
> Keycloak resource via the Protection API. Resources in Keycloak are named
> using a schema (<resource-prefix>.<database-id>)
> 2. Send POST token endpoint with response_mode=permissions. This gives
> me a list of all resources the token can access, including the scopes. See
> [1]
> 3. Filter the list by name and scope using the resource prefix
> 4. Extract object IDs from resource names and load DB objects using the
> extracted IDs
>
> While this works, I still see some issues with this approach:
>
> * The resulting list of resources in 2) could potentially become quite
> big and increase response time
>
Yeah, that is one of the drawbacks when fetching permissions for every
single resource. How many resources are you expecting for each user?
> * The “naming schema solution” for mapping Keycloak resources to
> database objects seems more like a workaround
>
That is fine; another approach is to store the "reference id" in a column.
>
> Are there best practices for doing this kind of thing with Keycloak? If
> not, I’d be grateful for any tips on how to turn this into a more robust /
> efficient solution.
>
Until now, we have focused on API security as well as privacy. For the latter,
permissions are evaluated on a per-resource basis, so you don't have any
performance penalties when doing this.
>
> Thanks,
> Marco
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
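The lookup described in Marco's steps 2 to 4, next to the "reference id in a column" alternative Pedro suggests, as an added example that is not code from the thread or from Keycloak: it assumes a constructed permissions response in the {rsid, rsname, scopes} shape the linked docs show, a hypothetical client id "my-api" and resource prefix "document", and makes no network call.

```python
import re

# Keycloak token-endpoint parameters for a permission query that returns a
# decision list (response_mode=permissions) instead of an RPT.
UMA_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Constructed sample of what the token endpoint returns with
# response_mode=permissions: one entry per resource the bearer may access.
SAMPLE_PERMISSIONS = [
    {"rsid": "a1f3-0001", "rsname": "document.17", "scopes": ["view", "edit"]},
    {"rsid": "a1f3-0002", "rsname": "document.42", "scopes": ["view"]},
    {"rsid": "a1f3-0003", "rsname": "document.99", "scopes": ["edit"]},  # no view
    {"rsid": "a1f3-0004", "rsname": "documents.1", "scopes": ["view"]},  # other prefix
    {"rsid": "a1f3-0005", "rsname": "document.42.backup", "scopes": ["view"]},  # not <prefix>.<id>
]

def permissions_request_form(client_id: str) -> dict:
    """Form body for POST /realms/<realm>/protocol/openid-connect/token,
    sent with 'Authorization: Bearer <user access token>' (step 2)."""
    return {
        "grant_type": UMA_GRANT_TYPE,
        "audience": client_id,
        "response_mode": "permissions",
    }

def ids_from_names(permissions, prefix: str, scope: str) -> list:
    """Steps 3-4: keep entries named exactly <prefix>.<digits> that carry
    `scope`, and return the database ids their names encode."""
    pattern = re.compile(r"^" + re.escape(prefix) + r"\.(\d+)$")
    ids = set()
    for entry in permissions:
        match = pattern.match(entry.get("rsname", ""))
        if match and scope in entry.get("scopes", []):
            ids.add(int(match.group(1)))
    return sorted(ids)

def ids_from_reference_column(permissions, scope: str, reference_index: dict) -> list:
    """Pedro's alternative: keep the Keycloak resource id (rsid) in a column
    and resolve through it, so resource names carry no meaning.
    `reference_index` stands in for SELECT id ... WHERE keycloak_rsid IN (...)."""
    granted = {e["rsid"] for e in permissions if scope in e.get("scopes", [])}
    return sorted(db_id for rsid, db_id in reference_index.items() if rsid in granted)

# Constructed stand-in for the database column mapping rsid -> primary key.
SAMPLE_REFERENCE_INDEX = {"a1f3-0001": 17, "a1f3-0002": 42, "a1f3-0003": 99}

if __name__ == "__main__":
    print(permissions_request_form("my-api"))
    print(ids_from_names(SAMPLE_PERMISSIONS, "document", "view"))  # [17, 42]
    print(ids_from_reference_column(SAMPLE_PERMISSIONS, "view", SAMPLE_REFERENCE_INDEX))  # [17, 42]
```

The anchored pattern is what keeps a near-miss name such as "documents.1" or "document.42.backup" from being treated as a granted object; the rsid lookup avoids that class of mistake entirely.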