[keycloak-user] Best practices for permission-based resource lookup

Pedro Igor Silva psilva at redhat.com
Wed Oct 17 13:38:03 EDT 2018


On Tue, Oct 16, 2018 at 6:41 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> A single user will potentially have access to a couple hundred resources
> in the future.
>
> If there was a way to somehow reduce the size of the result from the token
> endpoint in 2), that would already be a big improvement. Right now, the
> endpoint returns all resources of all types, while I only ever need the
> accessible resources of one particular type.
>

Right now we have a *response_permissions_limit* parameter to limit the
number of permissions evaluated by the server. It is quite
non-deterministic though, as it is not based on any order or types of
resources. Evaluating permissions based on resource types is something we
can consider. If you don't mind, please open an RFE. Contribution is also
welcome :)


>
>
> I agree that storing the "reference id" in a column is probably a cleaner
> solution than parsing the resource name.
>
> *From: *Pedro Igor Silva <psilva at redhat.com>
> *Date: *Tuesday, October 16, 2018 at 2:23 PM
> *To: *"Lamina, Marco" <marco.lamina at sap.com>
> *Cc: *keycloak-user <keycloak-user at lists.jboss.org>
> *Subject: *Re: [keycloak-user] Best practices for permission-based
> resource lookup
>
>
> On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina at sap.com>
> wrote:
>
> Hi folks,
> I have a project with several resources that are created and owned by
> users. Access to these resources can be shared with groups or other users
> via Keycloak permissions. My API needs to implement endpoints for accessing
> these resources in a permission-based manner, meaning that for example GET
> /my-resource should return all resources that the provided access token has
> permission to view (e.g. via “view” scope).
>
> Right now, this is my implementation:
>
>   1.  POST /my-resource creates an object in my DB and a corresponding
> Keycloak resource via the Protection API. Resources in Keycloak are named
> using a schema (<resource-prefix>.<database-id>)
>   2.  Send POST token endpoint with response_mode=permissions. This gives
> me a list of all resources the token can access, including the scopes. See
> [1]
>   3.  Filter the list by name and scope using the resource prefix
>   4.  Extract object IDs from resource names and load DB objects using the
> extracted IDs
>
> While this works, I still see some issues with this approach:
>
>   *   The resulting list of resources in 2) could potentially become quite
> big and increase response time
>
>
>
> Yeah, that is one of the drawbacks when fetching permissions for every
> single resource. How many resources are you expecting for each user ?
>
>
>
>   *   The “naming schema solution” for mapping Keycloak resources to
> database objects seems more like a workaround
>
>
>
> That is fine; another approach is to store the "reference id" in a column.
>
>
>
>
> Are there best practices for doing this kind of thing with Keycloak? If
> not, I’d be grateful for any tips on how to turn this into a more robust /
> efficient solution.
>
>
>
> Until now, we have focused on API security as well as privacy. For the
> latter, permissions are evaluated on a per-resource basis so you don't have
> any performance penalties when doing this.
>
> Thanks,
> Marco
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>

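The lookup flow Marco describes (request the token's permissions with response_mode=permissions, filter by resource-name prefix and scope, extract the database ids) and the "reference id" column Pedro suggests instead, as an added example that is not code from this thread or from Keycloak. The permission list below is a constructed sample in the shape the token endpoint returns for response_mode=permissions (rsid, rsname, scopes); the function names, the `document` prefix and the `REFERENCE_IDS` table are assumptions for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of a response_mode=permissions result (not captured
# from a real server). Each entry: Keycloak resource id, resource name,
# scopes granted to the bearer of the token.
SAMPLE_PERMISSIONS = [
    {"rsid": "a1", "rsname": "document.42", "scopes": ["view", "edit"]},
    {"rsid": "a2", "rsname": "document.57", "scopes": ["view"]},
    {"rsid": "a3", "rsname": "document.99", "scopes": ["edit"]},   # no "view"
    {"rsid": "a4", "rsname": "documents.7", "scopes": ["view"]},   # other prefix
    {"rsid": "a5", "rsname": "folder.3", "scopes": ["view"]},      # other type
    {"rsid": "a6", "rsname": "document.", "scopes": ["view"]},     # malformed
]

# Assumed "reference id" column: Keycloak resource id -> database row id,
# stored when POST /my-resource registers the resource (step 1 of the thread).
REFERENCE_IDS: Dict[str, int] = {"a1": 42, "a2": 57, "a3": 99}

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def permission_request(audience: str, limit: Optional[int] = None) -> Dict[str, str]:
    """Form fields for the token endpoint call in step 2: ask Keycloak for
    every permission the bearer token grants, as a list rather than an RPT."""
    form = {
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,
        "response_mode": "permissions",
    }
    if limit is not None:
        # response_permissions_limit caps how many permissions the server
        # evaluates. As Pedro notes, the cap is not ordered by resource type,
        # so resources you need may be cut off; treat a full-size result as
        # a sign the cap was hit.
        form["response_permissions_limit"] = str(limit)
    return form


def ids_by_name(permissions: Iterable[dict], prefix: str, scope: str) -> List[int]:
    """Steps 3 and 4 with the naming schema <resource-prefix>.<database-id>.

    The pattern is anchored and escapes the prefix, so "documents.7" does not
    match prefix "document" and a name with a missing or non-numeric id is
    skipped instead of becoming a bad database key. A permission without the
    required scope is ignored, as is one with no scopes field at all.
    """
    name_re = re.compile(r"^" + re.escape(prefix) + r"\.(?P<id>\d+)$")
    ids: List[int] = []
    for perm in permissions:
        match = name_re.match(perm.get("rsname", ""))
        if match is None:
            continue
        if scope not in perm.get("scopes", []):
            continue
        ids.append(int(match.group("id")))
    return ids


def ids_by_reference(permissions: Iterable[dict], reference_ids: Dict[str, int],
                     scope: str) -> List[int]:
    """Same filtering using the stored reference-id column instead of parsing
    names. Resources of other types are simply absent from the table for this
    type, so no prefix convention is needed."""
    ids: List[int] = []
    for perm in permissions:
        row_id = reference_ids.get(perm.get("rsid", ""))
        if row_id is None:
            continue
        if scope not in perm.get("scopes", []):
            continue
        ids.append(row_id)
    return ids


if __name__ == "__main__":
    print(permission_request("my-api", limit=200))
    print(ids_by_name(SAMPLE_PERMISSIONS, "document", "view"))
    print(ids_by_reference(SAMPLE_PERMISSIONS, REFERENCE_IDS, "view"))
```

Both filters return the same ids for the sample, which is the point: the reference-id lookup keeps the mapping in a column you control, while the name-based version depends on every resource name staying well-formed. Checking the scope on each entry rather than only the prefix is what makes GET /my-resource return only what the token may view.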
