[keycloak-user] Keycloak RBAC permission check in node API

Shubham Akodiya sakodiya at grepruby.com
Tue Oct 23 07:09:19 EDT 2018


Hi Team,

I was integrating Keycloak with Node.js and I want to restrict the
Node.js API. I've added the *Authorization settings (scope, resources and
policies)* while creating the client. But I am struggling with how to protect
the API endpoints based on the resource and scopes in the Node.js app. I've
declared the following resources and scopes in the client and also added some
policies based on the role.

'res:customer', 'scopes:create'],
['/customers(*)', 'get', 'res:customer', 'scopes:view'],
['/campaigns', 'post', 'res:campaign', 'scopes:create'],
['/campaigns(*)', 'get', 'res:campaign', 'scopes:view

I've also checked the link
<https://github.com/v-ladynev/keycloak-nodejs-example>, and while looking
into the code I found that there is one API
http://localhost:8080/auth/realms/{realmName}/authz/entitlement/{clientName}
which accepts the authorization token in a header and permissions in the body like
'[{"resource_set_name":
"res:campaign", "scopes": [ 'scopes:view' ]}]', so this way we could check
whether the user has sufficient permission or not. *But while going
through the docs, I found that the entitlement API was removed in the
new Keycloak version*.

*So how can we perform similar permission checks in the new Keycloak
version? Is there any API supported just like entitlement? Or is there any
alternative way available to perform the protection check?*

Thanks,
Shubham Akodiya
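The two halves of the check the post describes (mapping a Node API request to the resource/scope declared for the client, then deciding from the permissions Keycloak returned), as an added example that is neither from the post nor from Keycloak's own code. The route table is constructed in the post's own shape (its first row is an assumption, since the post's first row is cut off), and the granted-permissions shape `[{ rsname, scopes }]` is assumed to be the `authorization.permissions` claim of a Keycloak RPT.

```javascript
// Added example (not from the original post or from Keycloak's code).
// Step 1: find the resource/scope an incoming request needs.
// Step 2: decide from the permissions the server granted for the token.

// Route table in the post's shape: [pathPattern, method, resource, scope].
// Constructed sample; the first row is assumed, the rest mirror the post.
const ROUTES = [
  ['/customers', 'post', 'res:customer', 'scopes:create'],
  ['/customers(*)', 'get', 'res:customer', 'scopes:view'],
  ['/campaigns', 'post', 'res:campaign', 'scopes:create'],
  ['/campaigns(*)', 'get', 'res:campaign', 'scopes:view'],
];

// Turn a pattern like '/customers(*)' into a RegExp; '(*)' matches any
// suffix such as '/42' (or nothing), everything else is matched literally.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/\(\*\)/g, '\u0000')
    .replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\u0000/g, '.*') + '$');
}

// Resource/scope required for a request, in the entitlement-style body
// format quoted in the post; null when no route matches.
function requiredPermission(method, path) {
  const m = method.toLowerCase();
  for (const [pattern, routeMethod, resource, scope] of ROUTES) {
    if (routeMethod === m && patternToRegExp(pattern).test(path)) {
      return { resource_set_name: resource, scopes: [scope] };
    }
  }
  return null;
}

// Decision: every required scope must appear under the matching resource
// in the granted list (assumed shape: [{ rsname, scopes }]).
// Unknown routes and missing entries are denied (fail closed).
function isAllowed(granted, required) {
  if (!required) return false;
  const entry = granted.find((p) => p.rsname === required.resource_set_name);
  if (!entry) return false;
  const scopes = Array.isArray(entry.scopes) ? entry.scopes : [];
  return required.scopes.every((s) => scopes.includes(s));
}
```

In an Express app, `requiredPermission(req.method, req.path)` and `isAllowed` would run inside a middleware before the route handler; the granted list itself still has to come from Keycloak for the caller's token.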

