[keycloak-user] Authorization on resources that belong to different "groups"

HI there, We've integrated Keycloak auth and authz to an existing REST service which serves endpoints like this: GET /api/report?country={country} GET /api/status?country={country} GET /api/history?country={country} As far as I understand, the only way to protect these resources is to create "global" resources (/api/report, /api/status etc.), but then we can't validate if the current user is authorized to make requests for a given "country": The other alternative would be to include the country name in the URI, but this would lead to duplication of resource definitions: /api/report/country1 /api/report/country2 /api/status/country1 /api/status/country2 ... We considered including a list of the countries the user has access to as an attribute in the access_token but that would require manually maintaining said attribute Is there another way that would accommodate this kind of authentication requirements? Thanks in advance! -- *Gabriel Trisca, Software Developer* Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA