So I've spent the last couple of days playing with the source. :-)
The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.
Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.
The problem I see is that this API call triggers many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:
1- An app-specific call and thus should be authorized even without realm authorization, or;
2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.
Even in the case of (1), the information on which app I should check for authorization is not available.
So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.
Do you guys have any idea on a more local change I could make to achieve the intended behavior?
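To make the problem in the message above concrete, here is a small Python model of the two authorization shapes being contrasted. It is an added example, not code from the thread or from the project's admin resources: the user/right structures, the `"any"` wildcard semantics and the regex over the `/admin/realms/{realm}/applications-by-id/{app}/...` URI are assumptions made for the illustration. `authorize_per_resource` stands in for the current scheme, where the realm-level resource checks realm rights before the app in the path is known; `authorize_full_path` shows the alternative of deciding once at the entry point from the complete path, so an app-scoped URI can be satisfied by an app right while every other URI still needs a realm right.

```python
import re
from dataclasses import dataclass, field

# Rights named in the thread. Assumption for this model: "any" satisfies every
# check; no other implication (e.g. manage => view) is modelled.
RIGHTS = {"view", "manage", "any"}


@dataclass
class User:
    name: str
    realm_rights: dict = field(default_factory=dict)  # realm -> set of rights
    app_rights: dict = field(default_factory=dict)    # (realm, app) -> set of rights


def _satisfies(granted, required):
    if required not in RIGHTS:
        raise ValueError(f"unknown right: {required}")
    return required in granted or "any" in granted


def has_realm_right(user, realm, required):
    return _satisfies(user.realm_rights.get(realm, set()), required)


def has_app_right(user, realm, app, required):
    return _satisfies(user.app_rights.get((realm, app), set()), required)


REALM_PREFIX = re.compile(r"^/admin/realms/(?P<realm>[^/]+)(/.*)?$")
APP_SCOPED = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/applications-by-id/(?P<app>[^/]+)(/.*)?$"
)


def authorize_per_resource(user, path, required):
    """Model of the current scheme: the check runs at the realm-level
    resource, where only the realm segment of the path is known, so only
    realm rights can be consulted. App rights never get a chance to apply."""
    m = REALM_PREFIX.match(path)
    if not m:
        return False
    return has_realm_right(user, m["realm"], required)


def authorize_full_path(user, path, required):
    """Alternative: decide once at the entry point using the whole path.
    An app-scoped URI is allowed by a matching app right; anything else
    (and any app-scoped URI the user lacks an app right for) falls back to
    the realm check, so the realm-only behaviour is preserved elsewhere."""
    m = APP_SCOPED.match(path)
    if m and has_app_right(user, m["realm"], m["app"], required):
        return True
    return authorize_per_resource(user, path, required)


# Constructed sample users: one with a realm-wide right, one scoped to a single app.
REALM_ADMIN = User("realm-admin", realm_rights={"demo": {"manage"}})
APP_ADMIN = User("app-admin", app_rights={("demo", "billing"): {"manage"}})

ROLE_URI = "/admin/realms/demo/applications-by-id/billing/roles/reader"
OTHER_APP_URI = "/admin/realms/demo/applications-by-id/payroll/roles/reader"
USERS_URI = "/admin/realms/demo/users"


def demo():
    """Return the decisions of both schemes for the sample users and URIs."""
    return {
        "per_resource/app_admin/role": authorize_per_resource(APP_ADMIN, ROLE_URI, "manage"),
        "full_path/app_admin/role": authorize_full_path(APP_ADMIN, ROLE_URI, "manage"),
        "full_path/app_admin/other_app": authorize_full_path(APP_ADMIN, OTHER_APP_URI, "manage"),
        "full_path/app_admin/users": authorize_full_path(APP_ADMIN, USERS_URI, "manage"),
        "full_path/realm_admin/role": authorize_full_path(REALM_ADMIN, ROLE_URI, "manage"),
        "full_path/realm_admin/users": authorize_full_path(REALM_ADMIN, USERS_URI, "manage"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The point the model makes is the one in the message: as long as the decision is taken at a resource that sees only the realm segment, an app-specific grant cannot be honoured, whichever rights the user holds. Moving the decision to a place that sees the full path (or passing the path context down to the sub-resources) is the smaller change, and it keeps the realm-only rule for every URI that is not app-scoped, including app-scoped URIs for apps the user has no right on.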