10:19 a.m.
I need to check this out, but I think you can configure your enforcer as
follows:
{
"name" : "Country Resource",
"path" : "/api/{country}/report",
"methods" : [
{
"method": "GET",
"scopes" : ["report"]
}
]
},
{
"name" : "Country Resource",
"path" : "/api/{country}/status",
"methods" : [
{
"method": "GET",
"scopes" : ["status"]
}
]
}
You are basically defining in the enforcer config specific paths in the
application and the scopes for each HTTP verb. In the case above, all paths
are protected by permissions applied to "Country Resource" but the scope
depends on the sub-path.
On Sat, Apr 1, 2017 at 10:56 AM, Bill Burke <bburke(a)redhat.com> wrote:
Maybe define a resource for each country then a scope each for
"report",
"status" and "history"? You'd have to handle authorization
yourself in
your app by looking at the RPT though.
On 3/31/17 10:17 AM, Pedro Igor Silva wrote:
> What about using patterns in your paths. Something like:
>
> /api/report/{country}
>
>
> On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca <gtrisca(a)cignifi.com>
wrote:
>
>> HI there,
>>
>> We've integrated Keycloak auth and authz to an existing REST service
which
>> serves endpoints like this:
>>
>> GET /api/report?country={country}
>> GET /api/status?country={country}
>> GET /api/history?country={country}
>>
>> As far as I understand, the only way to protect these resources is to
>> create "global" resources (/api/report, /api/status etc.), but then
we
>> can't validate if the current user is authorized to make requests for a
>> given "country":
>>
>> The other alternative would be to include the country name in the URI,
but
>> this would lead to duplication of resource definitions:
>>
>> /api/report/country1
>> /api/report/country2
>> /api/status/country1
>> /api/status/country2
>> ...
>>
>> We considered including a list of the countries the user has access to
as
>> an attribute in the access_token but that would require manually
>> maintaining said attribute
>>
>> Is there another way that would accommodate this kind of authentication
>> requirements?
>>
>> Thanks in advance!
>>
>> --
>> *Gabriel Trisca, Software Developer*
>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user