[keycloak-user] Best practices for permission-based resource lookup

Pedro Igor Silva psilva at redhat.com
Tue Oct 16 17:22:30 EDT 2018


On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> Hi folks,
> I have a project with several resources that are created and owned by
> users. Access to these resources can be shared with groups or other users
> via Keycloak permissions. My API needs to implement endpoints for accessing
> these resources in a permission-based manner, meaning that for example GET
> /my-resource should return all resources that the provided access token has
> permission to view (e.g. via “view” scope).
>
> Right now, this is my implementation:
>
>   1.  POST /my-resource creates an object in my DB and a corresponding
> Keycloak resource via the Protection API. Resources in Keycloak are named
> using a schema (<resource-prefix>.<database-id>)
>   2.  Send POST token endpoint with response_mode=permissions. This gives
> me a list of all resources the token can access, including the scopes. See
> [1]
>   3.  Filter the list by name and scope using the resource prefix
>   4.  Extract object IDs from resource names and load DB objects using the
> extracted IDs
>
> While this works, I still see some issues with this approach:
>
>   *   The resulting list of resources in 2) could potentially become quite
> big and increase response time
>

Yeah, that is one of the drawbacks when fetching permissions for every
single resource. How many resources are you expecting for each user?


>   *   The “naming schema solution” for mapping Keycloak resources to
> database objects seems more like a workaround
>

That is fine, another approach is to store the "reference id" in a column.


>
> Are there best practices for doing this kind of thing with Keycloak? If
> not, I’d be grateful for any tips on how to turn this into a more robust /
> efficient solution.
>

Until now, we have focused on API security as well as privacy. For the latter,
permissions are evaluated on a per-resource basis so you don't have any
performance penalties when doing this.


>
> Thanks,
> Marco
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>


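Steps 2 to 4 of Marco's approach (token endpoint with response_mode=permissions, filter by prefix and scope, extract the database ids), as an added example that is not code from this thread or from Keycloak itself. The audience, prefix and permission entries are constructed; the `permission=#<scope>` narrowing is an assumption about the UMA grant parameters rather than something the thread states.

```python
import re
from typing import Iterable, List, Optional

# Keycloak evaluates permissions through the UMA grant type on the token endpoint.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def permissions_request_form(audience: str, scope: Optional[str] = None) -> dict:
    """Form body for POST .../protocol/openid-connect/token asking for the
    granted permission list instead of an RPT. The user's bearer access token
    goes in the Authorization header, not in the body."""
    form = {
        "grant_type": UMA_GRANT,
        "audience": audience,            # the client that owns the resources
        "response_mode": "permissions",  # return permissions, not a new token
    }
    if scope:
        # Assumption: '#<scope>' asks Keycloak to evaluate only that scope, so
        # the large list Marco worries about is narrowed on the server side.
        form["permission"] = f"#{scope}"
    return form


# Resource names follow Marco's schema: <resource-prefix>.<database-id>
RESOURCE_NAME = re.compile(r"^(?P<prefix>[^.]+)\.(?P<id>\d+)$")


def ids_with_scope(permissions: Iterable[dict], prefix: str, scope: str) -> List[int]:
    """Keep permissions whose rsname matches the prefix and which grant `scope`;
    return the database ids, deduplicated (user + group grants may overlap)
    and sorted so the resulting IN (...) query is stable."""
    ids = set()
    for perm in permissions:
        m = RESOURCE_NAME.match(perm.get("rsname", ""))
        if m and m.group("prefix") == prefix and scope in perm.get("scopes", []):
            ids.add(int(m.group("id")))
    return sorted(ids)


# Constructed sample of what response_mode=permissions returns (rsid/rsname/scopes).
SAMPLE_PERMISSIONS = [
    {"rsid": "a1", "rsname": "doc.42", "scopes": ["view", "edit"]},
    {"rsid": "b2", "rsname": "doc.7", "scopes": ["view"]},
    {"rsid": "c3", "rsname": "doc.9", "scopes": ["edit"]},       # lacks view
    {"rsid": "d4", "rsname": "report.42", "scopes": ["view"]},   # other prefix
    {"rsid": "e5", "rsname": "doc.abc", "scopes": ["view"]},     # malformed name, skipped
    {"rsid": "f6", "rsname": "doc.42", "scopes": ["view"]},      # duplicate grant via a group
]

if __name__ == "__main__":
    print(permissions_request_form("my-api", "view"))
    print(ids_with_scope(SAMPLE_PERMISSIONS, "doc", "view"))   # [7, 42]
```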