Re: [keycloak-user] Authorization on resources that belong to different "groups"

What about using patterns in your paths. Something like: /api/report/{country} On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca <gtrisca(a)cignifi.com&gt; wrote: > HI there, > > We've integrated Keycloak auth and authz to an existing REST service which > serves endpoints like this: > > GET /api/report?country={country} > GET /api/status?country={country} > GET /api/history?country={country} > > As far as I understand, the only way to protect these resources is to > create "global" resources (/api/report, /api/status etc.), but then we > can't validate if the current user is authorized to make requests for a > given "country": > > The other alternative would be to include the country name in the URI, but > this would lead to duplication of resource definitions: > > /api/report/country1 > /api/report/country2 > /api/status/country1 > /api/status/country2 > ... > > We considered including a list of the countries the user has access to as > an attribute in the access_token but that would require manually > maintaining said attribute > > Is there another way that would accommodate this kind of authentication > requirements? > > Thanks in advance! > > -- > *Gabriel Trisca, Software Developer* > Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >