Hi,
It seems you are looking for fine-grained permissions. Could you take a
look at this example [1] and documentation [2]?
One of the things shown by that example is how to protect resources based
on their owner.
[1]
https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
[2]
http://www.keycloak.org/docs/latest/authorization_services/index.html
On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
Hi guys,
another small question :)
Suppose you have an API looking like this:
http://www.example.com/api/v1/cars
Cars have an owner:
{
name: "my car",
owner: "smith"
}
How to make sure that you can only get cars that are yours (you can have
several cars)?
If you make a simple GET on this endpoint, should I:
1. just reply with an "Access denied" because the request is too large: it
could yield cars that are not yours,
2. reply with "Access denied" if the response list contains some cars that
are not yours,
3. filter the response car list with only yours?
It seems that 1. is the simplest because it uses only the request to make
decisions.
2. uses the response to make a decision, while 3. requires the collaboration
of the response handler in my API server, in order to implement the
filtering.
What is the most standard way?
I also have some trouble understanding how to implement that with Keycloak
protect in NodeJS.
Cheers!!
Corentin
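The three options from the question, written out as request handlers so their behaviour can be compared. This is an added example, not code from the thread, from Keycloak or from the photoz example; it assumes the caller has already been authenticated and that the subject comes from a verified token (the `preferred_username` claim name is an assumption), and it uses a constructed in-memory list in place of a real data store.

```javascript
// Added example: owner-based access on GET /api/v1/cars, one handler per
// option. Each handler takes the authenticated subject and the parsed query
// string and returns { status, body } in place of a real HTTP response.

// Constructed sample data standing in for the cars collection.
const CARS = [
  { id: 1, name: "my car", owner: "smith" },
  { id: 2, name: "second car", owner: "smith" },
  { id: 3, name: "another car", owner: "jones" },
];

const DENIED = { status: 403, body: { error: "Access denied" } };

function isOwner(subject, car) {
  return car.owner === subject;
}

// Option 1: decide from the request alone. A request that is not explicitly
// scoped to the caller's own resources is refused before any data is read.
function listCarsOption1(subject, query) {
  if (query.owner === undefined || query.owner !== subject) {
    return DENIED;
  }
  return { status: 200, body: CARS.filter((c) => isOwner(subject, c)) };
}

// Option 2: build the response first, then refuse it if it contains anything
// the caller does not own. Every row is read, and as soon as one foreign car
// exists an unscoped request always fails.
function listCarsOption2(subject, query) {
  const rows =
    query.owner === undefined ? CARS : CARS.filter((c) => c.owner === query.owner);
  if (rows.some((c) => !isOwner(subject, c))) {
    return DENIED;
  }
  return { status: 200, body: rows };
}

// Option 3: the response handler scopes the result to the caller. A request
// for someone else's owner value simply intersects to an empty list rather
// than leaking rows or revealing that they exist. In a real data store this
// condition belongs in the query itself (WHERE owner = :subject) so foreign
// rows are never loaded at all.
function listCarsOption3(subject, query) {
  const rows = CARS.filter(
    (c) => isOwner(subject, c) && (query.owner === undefined || c.owner === query.owner)
  );
  return { status: 200, body: rows };
}

// Pull the subject out of an already-verified token payload. The claim name
// is an assumption; use whatever the identity provider actually issues.
function subjectFromToken(payload) {
  if (!payload || typeof payload.preferred_username !== "string") {
    throw new Error("unauthenticated");
  }
  return payload.preferred_username;
}

// Stand-alone demonstration of the same request under each option.
const smith = subjectFromToken({ preferred_username: "smith" });
console.log("option 1:", listCarsOption1(smith, {}).status);          // 403
console.log("option 2:", listCarsOption2(smith, {}).status);          // 403
console.log("option 3:", listCarsOption3(smith, {}).body.map((c) => c.id)); // [1, 2]
```

Option 3 is the one that lets a plain GET on the collection work at all: options 1 and 2 both refuse the unscoped request whenever any other owner's car exists, so the client is forced to know and send its own owner value, and option 2 pays for reading every row before deciding. Whatever the option, the ownership condition should be enforced on the server from the verified subject, never from an `owner` value the client supplies.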
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user