[keycloak-user] Best practices for permission-based resource lookup
Lamina, Marco
marco.lamina at sap.com
Tue Oct 16 17:41:01 EDT 2018
A single user will potentially have access to a couple hundred resources in the future.
If there was a way to somehow reduce the size of the result from the token endpoint in 2), that would already be a big improvement. Right now, the endpoint returns all resources of all types, while I only ever need the accessible resources of one particular type.
I agree that storing the "reference id" in a column is probably a cleaner solution than parsing the resource name.
From: Pedro Igor Silva <psilva at redhat.com>
Date: Tuesday, October 16, 2018 at 2:23 PM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Best practices for permission-based resource lookup
On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
Hi folks,
I have a project with several resources that are created and owned by users. Access to these resources can be shared with groups or other users via Keycloak permissions. My API needs to implement endpoints for accessing these resources in a permission-based manner, meaning that for example GET /my-resource should return all resources that the provided access token has permission to view (e.g. via “view” scope).
Right now, this is my implementation:
1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource via the Protection API. Resources in Keycloak are named using a schema (<resource-prefix>.<database-id>)
2. Send POST token endpoint with response_mode=permissions. This gives me a list of all resources the token can access, including the scopes. See [1]
3. Filter the list by name and scope using the resource prefix
4. Extract object IDs from resource names and load DB objects using the extracted IDs
While this works, I still see some issues with this approach:
* The resulting list of resources in 2) could potentially become quite big and increase response time
Yeah, that is one of the drawbacks when fetching permissions for every single resource. How many resources are you expecting for each user ?
* The “naming schema solution” for mapping Keycloak resources to database objects seems more like a workaround
That is fine, another approach is store the "reference id" in a column.
Are there best practices for doing this kind of thing with Keycloak? If not, I’d be grateful for any tips on how to turn this into a more robust / efficient solution.
Until now, we have focused on API security as well privacy. For the latter, permissions are evaluated on a per resource basis so you don't have any performance penalties when doing this.
Thanks,
Marco
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list