Re: [keycloak-user] Best practices for permission-based resource lookup

A single user will potentially have access to a couple hundred resources in the future. If there was a way to somehow reduce the size of the result from the token endpoint in 2), that would already be a big improvement. Right now, the endpoint returns all resources of all types, while I only ever need the accessible resources of one particular type. I agree that storing the "reference id" in a column is probably a cleaner solution than parsing the resource name. From: Pedro Igor Silva <psilva(a)redhat.com&gt; Date: Tuesday, October 16, 2018 at 2:23 PM To: "Lamina, Marco" <marco.lamina(a)sap.com&gt; Cc: keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Best practices for permission-based resource lookup On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina@sap.com<mailto:marco.lamina@sap.com>> wrote: Hi folks, I have a project with several resources that are created and owned by users. Access to these resources can be shared with groups or other users via Keycloak permissions. My API needs to implement endpoints for accessing these resources in a permission-based manner, meaning that for example GET /my-resource should return all resources that the provided access token has permission to view (e.g. via “view” scope). Right now, this is my implementation: 1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource via the Protection API. Resources in Keycloak are named using a schema (<resource-prefix>.<database-id>) 2. Send POST token endpoint with response_mode=permissions. This gives me a list of all resources the token can access, including the scopes. See [1] 3. Filter the list by name and scope using the resource prefix 4. Extract object IDs from resource names and load DB objects using the extracted IDs While this works, I still see some issues with this approach: * The resulting list of resources in 2) could potentially become quite big and increase response time Yeah, that is one of the drawbacks when fetching permissions for every single resource. How many resources are you expecting for each user ? * The “naming schema solution” for mapping Keycloak resources to database objects seems more like a workaround That is fine, another approach is store the "reference id" in a column. Are there best practices for doing this kind of thing with Keycloak? If not, I’d be grateful for any tips on how to turn this into a more robust / efficient solution. Until now, we have focused on API security as well privacy. For the latter, permissions are evaluated on a per resource basis so you don't have any performance penalties when doing this. Thanks, Marco [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user