Maybe define a resource for each country, then a scope each for "report", "status" and "history"? You'd have to handle authorization yourself in your app by looking at the RPT, though.
On 3/31/17 10:17 AM, Pedro Igor Silva wrote:
What about using patterns in your paths? Something like:
/api/report/{country}
On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca <gtrisca(a)cignifi.com> wrote:
> Hi there,
>
> We've integrated Keycloak auth and authz to an existing REST service which
> serves endpoints like this:
>
> GET /api/report?country={country}
> GET /api/status?country={country}
> GET /api/history?country={country}
>
> As far as I understand, the only way to protect these resources is to
> create "global" resources (/api/report, /api/status etc.), but then we
> can't validate if the current user is authorized to make requests for a
> given "country":
>
> The other alternative would be to include the country name in the URI, but
> this would lead to duplication of resource definitions:
>
> /api/report/country1
> /api/report/country2
> /api/status/country1
> /api/status/country2
> ...
>
> We considered including a list of the countries the user has access to as
> an attribute in the access_token but that would require manually
> maintaining said attribute
>
> Is there another way that would accommodate this kind of authentication
> requirement?
>
> Thanks in advance!
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
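Worked example, added here and not part of any message in the thread: what the "resource per country, scope per operation, check the RPT yourself" suggestion looks like inside the REST service. It accepts both URL styles from the thread (`/api/report?country=xx` and `/api/report/xx`), maps each request to the `(resource, scope)` pair it needs, and checks that pair against the `authorization.permissions` claim that Keycloak places in an RPT. The resource naming `country:<code>`, the `_PATH_RE` pattern and `SAMPLE_RPT_CLAIMS` are assumptions made for this example; the sample payload is constructed and stands in for an already signature-verified token.

```python
"""
Enforcing per-country access from a Keycloak RPT inside the resource server.

Model: one Keycloak resource per country (named "country:<code>" here, an
assumption for this example) with the scopes "report", "status" and "history".
The RPT's "authorization.permissions" claim lists the resources and scopes
the caller was granted; each request is mapped to (resource, scope) and
checked against that list. Anything not explicitly granted is denied.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample of a *decoded* RPT payload (assumption, not a real token).
# A real service must verify the token's signature against the realm key and
# check expiry/audience before trusting any of these claims.
SAMPLE_RPT_CLAIMS = {
    "authorization": {
        "permissions": [
            {"rsname": "country:br", "scopes": ["report", "status"]},
            {"rsname": "country:ar", "scopes": ["report", "status", "history"]},
        ]
    }
}

# Matches /api/{scope} and /api/{scope}/{country}; the query-string variant
# (?country=xx) is handled by request_to_permission below.
_PATH_RE = re.compile(
    r"^/api/(?P<scope>report|status|history)(?:/(?P<country>[A-Za-z]{2}))?$"
)


def request_to_permission(path: str, query: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Map an incoming request to the (resource name, scope) it requires.

    Returns None when the path is not a protected endpoint or no country was
    supplied, so the caller can deny instead of guessing.
    """
    m = _PATH_RE.match(path)
    if not m:
        return None
    country = m.group("country") or query.get("country")
    if not country:
        return None
    return f"country:{country.lower()}", m.group("scope")


def granted_scopes(claims: dict) -> Dict[str, Set[str]]:
    """Flatten the RPT's permissions into {resource name: set of scopes}.

    Entries without a "scopes" list contribute nothing here: this example
    fails closed and only honours scopes that are spelled out in the token.
    """
    perms = claims.get("authorization", {}).get("permissions", [])
    out: Dict[str, Set[str]] = {}
    for p in perms:
        name = p.get("rsname")
        if name:
            out.setdefault(name, set()).update(p.get("scopes", []))
    return out


def is_authorized(claims: dict, path: str, query: Dict[str, str]) -> bool:
    """Decide whether the token holder may perform this request."""
    needed = request_to_permission(path, query)
    if needed is None:
        return False  # deny by default for unknown or malformed requests
    resource, scope = needed
    return scope in granted_scopes(claims).get(resource, set())


if __name__ == "__main__":
    for p, q in [("/api/report", {"country": "br"}),
                 ("/api/history", {"country": "br"}),
                 ("/api/history/ar", {}),
                 ("/api/report", {})]:
        print(p, q, "->", "allow" if is_authorized(SAMPLE_RPT_CLAIMS, p, q) else "deny")
```

Because the country comes from the request and the grant comes from the token, adding a new country means registering one more resource in Keycloak and granting its scopes through policies; the service code does not change, and no per-user list of countries has to be maintained in a custom token attribute.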