Re: [keycloak-user] Securing RESTful API Best Practices

Any hint or example project to look at would really help to put me in the right direction. Should I post this question with a better and more specific title with more elaborate body to present the question better? On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi(a)gmail.com&gt; wrote: > This is exactly where I want to use Keycloak to set this business > rule/mapping. Basically I need to associate each user with a subset of B > (books) to which the user has access to. This association is not based on > roles or groups. It is based on individual users. > That's why I was thinking that the only way I can think of doing this to > add every individual book as a resource in Keycloak and then I have to > create a permission for each of them to grant access to any individual user. > It would help if Keycloak had a concept like a resource group I guess. > Then I could put all those resources in a resource group and grant access > to that resource group for an individual user. > Then in order to see which resources each user has access to, I need to > query Keycloak somehow (I need to figure out how exactly) and get the > resources that user has access to, and return only those resources for that > user. > > That's what I can think of right now. I am just wondering if there is a > better way to do this sort of resource oriented access control where each > user has access to specific set of resources only. > > > > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva(a)redhat.com&gt; > wrote: > >> Sorry, but is still not clear to me how a "user has access to a subset of >> B" is this access based on roles, groups or any other information that you >> gather from the context ? I'm wondering if this is not a business rule >> instead .... >> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com&gt; >> wrote: >> >>> Hi Pedro, >>> >>> The user is not the book owner. You can think about it this way that if >>> B is the set of all books then each user has access to a subset of B such >>> that these subsets are not mutually exclusive and do overlap. >>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva(a)redhat.com&gt; >>> wrote: >>> >>>> Hi Farzad, >>>> >>>> How do you check if a user has access to a book ? Is the user the book >>>> owner or you have more conditions that should be taken into account to >>>> grant access to books ? >>>> >>>> [1] >>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#ex... >>>> >>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi < farzad.panahi(a)gmail.com&gt; >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I am very new to Keycloak. I have a RESTful API implemented with >>>>> json:api >>>>> <https://jsonapi.org/> spec which I want to secure using Keycloak. >>>>> >>>>> I just want to ask the Keycloak community for best practices when it >>>>> comes >>>>> to securing RESTful APIs. >>>>> >>>>> My endpoints will be something like: >>>>> GET /api/books --> return all books the user has access for >>>>> GET /api/books/123 --> return book with id = 123 >>>>> >>>>> My challenge now is to figure out how to define resources in Keycloak. >>>>> Should I add all my books as resources to Keycloak? And then define the >>>>> permission between each user and resource? >>>>> >>>>> What would be the best practice to implement "GET /api/books" to return >>>>> only the books the logged in user has access to? Should I query the >>>>> Keycloak API to get all the resources the logged in user has access >>>>> to, in >>>>> the backend? >>>>> >>>>> Thanks >>>>> >>>>> Farzad >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user